FCC ID: QXO-AP3917E Wireless 802.11 a/ac+b/g/n Outdoor Access Point

 

D ExtremeWireless V10.41.06 User Guide raft 9035198-03-REV01 Published April 2018 Copyright 2018 Extreme Networks, Inc. All rights reserved. D LLegal Notice Extreme Networks, Inc. reserves the right to make changes in specications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, rmware, software or any specications described or referred to in this document are subject to change without notice. Trademarks Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information on Extreme Networks trademarks, please see:

www.extremenetworks.com/company/legal/trademarks Software Licensing Some software les have been licensed under certain open source or third-party licenses. End-

user license agreements and open source declarations can be found at:

www.extremenetworks.com/support/policies/software-licensing Support For product support, phone the Global Technical Assistance Center (GTAC) at 1-800-998-2408

(toll-free in U.S. and Canada) or +1-408-579-2826. For the support phone number in other countries, visit: http://www.extremenetworks.com/support/contact/

For product documentation online, visit: https://www.extremenetworks.com/documentation/

raft Table of Contents D Preface......................................................................................................................................... 7 Text Conventions................................................................................................................................................................... 7 Safety Information................................................................................................................................................................ 7 Sicherheitshinweise..............................................................................................................................................................8 Consignes De Scurit....................................................................................................................................................... 9 Providing Feedback to Us...............................................................................................................................................10 Getting Help............................................................................................................................................................................ 11 Extreme Networks Documentation............................................................................................................................. 11 Chapter 1: About This Guide................................................................................................... 12 Who Should Use This Guide...........................................................................................................................................12 How to Use This Guide......................................................................................................................................................12 Chapter 2: Overview of the ExtremeWireless Solution...................................................... 14 Introduction............................................................................................................................................................................14 Conventional Wireless LANs.......................................................................................................................................... 15 Elements of the ExtremeWireless Solution.............................................................................................................15 ExtremeWireless and Your Network.......................................................................................................................... 19 ExtremeWireless Appliance Product Family.........................................................................................................29 Chapter 3: Conguring the ExtremeWireless Appliance....................................................31 System Conguration Overview...................................................................................................................................31 Logging on to the ExtremeWireless Appliance...................................................................................................33 Wireless Assistant Home Screen................................................................................................................................ 34 Working with the Basic Installation Wizard.......................................................................................................... 39 Conguring the ExtremeWireless Appliance for the First Time................................................................. 45 Using a Third-party Location-based Solution...................................................................................................... 95 Additional Ongoing Operations of the System................................................................................................... 99 Chapter 4: Conguring the ExtremeWireless APs.............................................................101 Wireless AP Overview..................................................................................................................................................... 101 Discovery and Registration..........................................................................................................................................120 Viewing a List of All APs................................................................................................................................................125 Wireless AP Default Conguration...........................................................................................................................134 Conguring Wireless AP Properties........................................................................................................................ 156 Outdoor Access Point Installation............................................................................................................................ 167 Assigning Wireless AP Radios to a VNS............................................................................................................... 168 Conguring Wireless AP Radio Properties...........................................................................................................174 Conguring IoT Applications...................................................................................................................................... 189 Setting Up the Wireless AP Using Static Conguration................................................................................199 Setting Up 802.1x Authentication for a Wireless AP......................................................................................203 Conguring Co-Located APs in Load Balance Groups.................................................................................. 213 Conguring an AP Cluster...........................................................................................................................................220 Conguring an AP as a Guardian.............................................................................................................................. 221 Conguring a Captive Portal on an AP................................................................................................................. 222 AP3916ic Integrated Camera Deployment.......................................................................................................... 226 Performing AP Software Maintenance.................................................................................................................. 235 Understanding the ExtremeWireless LED Status............................................................................................ 242 raft ExtremeWireless V10.41.06 User Guide 33 Table of Contents D Chapter 5: Conguring Topologies.....................................................................................262 Topology Overview......................................................................................................................................................... 262 Conguring the Admin Port....................................................................................................................................... 263 Conguring a Basic Data Port Topology..............................................................................................................266 Creating a Topology Group........................................................................................................................................ 270 Edit or Delete a Topology Group...............................................................................................................................271 Enabling Management Traffic.................................................................................................................................... 272 Layer 3 Conguration.................................................................................................................................................... 272 Exception Filtering.......................................................................................................................................................... 278 Multicast Filtering..............................................................................................................................................................281 Chapter 6: Conguring Roles.............................................................................................. 284 Roles Overview................................................................................................................................................................. 284 Conguring Default VLAN and Class of Service for a Role........................................................................284 Policy Rules.........................................................................................................................................................................288 Chapter 7: Conguring WLAN Services..............................................................................318 WLAN Services Overview.............................................................................................................................................318 Third-party AP WLAN Service Type....................................................................................................................... 319 Conguring a Basic WLAN Service......................................................................................................................... 319 Conguring Privacy.........................................................................................................................................................327 Conguring Accounting and Authentication.....................................................................................................334 Conguring QoS Modes...............................................................................................................................................370 Conguring Hotspots.................................................................................................................................................... 376 Chapter 8: Conguring a VNS............................................................................................. 390 Conguring a VNS.......................................................................................................................................................... 390 VNS Global Settings.......................................................................................................................................................392 Methods for Conguring a VNS............................................................................................................................... 423 Manually Creating a VNS............................................................................................................................................. 423 Creating a VNS Using the Wizard........................................................................................................................... 426 Enabling and Disabling a VNS...................................................................................................................................485 Renaming a VNS..............................................................................................................................................................486 Deleting a VNS................................................................................................................................................................. 486 Chapter 9: Conguring Classes of Service........................................................................ 487 Classes of Service Overview...................................................................................................................................... 487 Conguring Classes of Service................................................................................................................................. 487 CoS Rule Classication.................................................................................................................................................490 Priority and ToS/DSCP Marking................................................................................................................................ 491 Rate Limiting......................................................................................................................................................................492 Chapter 10: Conguring Sites............................................................................................. 494 VNS Sites Overview....................................................................................................................................................... 494 Conguring Sites............................................................................................................................................................. 494 Recommended Deployment Guidelines...............................................................................................................495 Radius Conguration..................................................................................................................................................... 499 Selecting AP Assignments......................................................................................................................................... 500 Selecting WLAN Assignments...................................................................................................................................501 Chapter 11: Working with a Mesh Network........................................................................ 502 About Mesh........................................................................................................................................................................ 502 raft ExtremeWireless V10.41.06 User Guide 44 Table of Contents D Simple Mesh Conguration.........................................................................................................................................502 Wireless Repeater Conguration.............................................................................................................................503 Wireless Bridge Conguration..................................................................................................................................504 Examples of Deployment............................................................................................................................................ 505 Mesh WLAN Services.................................................................................................................................................... 505 Key Features of Mesh....................................................................................................................................................509 Deploying the Mesh System......................................................................................................................................... 511 Changing the Pre-shared Key in a Mesh WLAN Service............................................................................... 517 Chapter 12: Working with a Wireless Distribution System...............................................518 About WDS..........................................................................................................................................................................518 Simple WDS Conguration.......................................................................................................................................... 518 Wireless Repeater Conguration.............................................................................................................................. 519 Wireless Bridge Conguration.................................................................................................................................. 520 Examples of Deployment..............................................................................................................................................521 WDS WLAN Services...................................................................................................................................................... 521 Key Features of WDS.....................................................................................................................................................525 Deploying the WDS System....................................................................................................................................... 528 Changing the Pre-shared Key in a WDS WLAN Service.............................................................................. 536 Chapter 13: Availability and Session Availability.............................................................. 537 Availability........................................................................................................................................................................... 537 Session Availability..........................................................................................................................................................545 Viewing SLP Activity......................................................................................................................................................553 Chapter 14: Conguring Mobility........................................................................................ 555 Mobility Overview............................................................................................................................................................ 555 Mobility Domain Topologies.......................................................................................................................................556 Conguring a Mobility Domain................................................................................................................................. 558 Chapter 15: Working with Third-party APs.........................................................................561 Dening Authentication by Captive Portal for the Third-party AP WLAN Service......................... 561 Dening the Third-party APs List............................................................................................................................. 561 Dening Policy Rules for the Third-party APs....................................................................................................561 Chapter 16: Working with ExtremeWireless Radar.......................................................... 563 Radar Overview................................................................................................................................................................ 563 Radar Components.........................................................................................................................................................564 Radar License Requirements..................................................................................................................................... 565 Enabling the Analysis Engine.....................................................................................................................................565 Radar Scan Proles.........................................................................................................................................................566 AirDefense Prole............................................................................................................................................................567 Viewing Existing Radar Proles................................................................................................................................. 571 Adding a New Radar Prole....................................................................................................................................... 573 Conguring an In-Service Scan Prole..................................................................................................................574 Conguring a Guardian Scan Prole...................................................................................................................... 577 Assigning an AP to a Prole........................................................................................................................................ 581 Viewing the List of Assigned APs.............................................................................................................................581 Maintaining the Radar List of APs........................................................................................................................... 582 Working with Radar Reports..................................................................................................................................... 593 Chapter 17: Working with Location Engine.......................................................................605 Location Engine Overview..........................................................................................................................................605 raft ExtremeWireless V10.41.06 User Guide 55 Table of Contents D Location Engine on the Controller..........................................................................................................................607 Deploying APs for Location Aware Services.....................................................................................................608 Conguring the Location Engine............................................................................................................................ 609 ExtremeLocation Support............................................................................................................................................619 Chapter 18: Working with Reports and Statistics..............................................................621 Application Visibility and Device ID.........................................................................................................................621 Viewing AP Reports and Statistics..........................................................................................................................627 Available Client Reports............................................................................................................................................... 642 Viewing Role Filter Statistics..................................................................................................................................... 646 Viewing Topology Reports......................................................................................................................................... 648 Viewing Mobility Reports............................................................................................................................................ 650 Viewing Controller Status Information..................................................................................................................654 Viewing Routing Protocol Reports..........................................................................................................................657 Viewing RADIUS Reports............................................................................................................................................660 Call Detail Records (CDRs).........................................................................................................................................663 Chapter 19: Performing System Administration................................................................669 Performing Wireless AP Client Management.................................................................................................... 669 Dening Wireless Assistant Administrators and Login Groups................................................................ 673 Chapter 20: Logs, Traces, Audits and DHCP Messages................................................... 676 ExtremeWireless Appliance Messages..................................................................................................................676 Working with Logs..........................................................................................................................................................676 Viewing Wireless AP Traces....................................................................................................................................... 684 Viewing Audit Messages..............................................................................................................................................684 Viewing the DHCP Messages.....................................................................................................................................685 Viewing the NTP Messages........................................................................................................................................ 686 Viewing Software Upgrade Messages...................................................................................................................687 Viewing Conguration Restore/Import Messages.......................................................................................... 689 Chapter 21: Working with GuestPortal Administration................................................... 690 About GuestPortals........................................................................................................................................................690 Adding New Guest Accounts....................................................................................................................................690 Enabling or Disabling Guest Accounts................................................................................................................. 693 Editing Guest Accounts................................................................................................................................................693 Removing Guest Accounts......................................................................................................................................... 694 Importing and Exporting a Guest File...................................................................................................................695 Viewing and Printing a GuestPortal Account Ticket......................................................................................698 Working with the Guest Portal Ticket Page.......................................................................................................700 Conguring Guest Password Patterns................................................................................................................... 701 Conguring Web Session Timeouts.......................................................................................................................704 Appendix A: Regulatory Information................................................................................. 705 ExtremeWireless APs 37XX , 38XX, and 39XX................................................................................................. 705 Appendix B: Default GuestPortal Ticket Page.................................................................. 706 Example Ticket Page..................................................................................................................................................... 706 raft Glossary.........................................................................................................................................709 ExtremeWireless V10.41.06 User Guide 66 Preface This section discusses the conventions used in this guide, ways to provide feedback, additional help, and other Extreme Networks publications. Text Conventions The following tables list text conventions that are used throughout this guide. Table 1: Notice Icons IIcon Notice Type Alerts you to... Helpful tips and notices for using the product. General Notice D Note Important features or instructions. Caution Warning New Content Risk of severe personal injury. Risk of personal injury, system damage, or loss of data. Displayed next to new content. This is searchable text within the PDF. raft Key names are written with brackets, such as [Return] or [Esc]. If you must press two or more keys simultaneously, the key names are linked with a plus sign (+). Example:

Press [Ctrl]+[Alt]+[Del]

When you see the word enter in this guide, you must type something, and then press the Return or Enter key. Do not press the Return or Enter key when an instruction simply says type. This typeface indicates command syntax, or represents information as it appears on the screen. Italics emphasize a point or denote new terms at the place where they are dened in the text. Italics are also used when referring to publication titles. Description New!

Table 2: Text Conventions Convention Screen displays The words eenter and type

[Key] names Words in italicized type Safety Information Dangers Replace the power cable immediately if it shows any sign of damage. Replace any damaged safety equipment (covers, labels and protective cables) immediately. ExtremeWireless V10.41.06 User Guide 7 Preface Use only original accessories or components approved for the system. Failure to observe these instructions may damage the equipment or even violate safety and EMC regulations. Only authorized Extreme Networks service personnel are permitted to service the system. Warnings This device must not be connected to a LAN segment with outdoor wiring. Ensure that all cables are run correctly to avoid strain. Replace the power supply adapter immediately if it shows any sign of damage. Disconnect all power before working near power supplies unless otherwise instructed by a maintenance procedure. Exercise caution when servicing hot swappable components: power supplies or fans. Rotating fans can cause serious personal injury. replaced only by an identical battery or one recommended by the manufacturer. Always dispose of lithium batteries properly. Do not attempt to lift objects that you think are too heavy for you. This unit may have more than one power supply cord. To avoid electrical shock, disconnect all power D supply cords before servicing. In the case of unit failure of one of the power supply modules, the module can be replaced without interruption of power to the ExtremeWireless Appliance. However, this procedure must be carried out with caution. Wear gloves to avoid contact with the module, which will be extremely hot. There is a risk of explosion if a lithium battery is not correctly replaced. The lithium battery must be Cautions Check the nominal voltage set for the equipment (operating instructions and type plate). High voltages capable of causing shock are used in this equipment. Exercise caution when measuring high voltages and when servicing cards, panels, and boards while the system is powered on. raft Lay cables so as to prevent any risk of them being damaged or causing accidents, such as tripping. To protect electrostatic sensitive devices (ESD), wear a wristband before carrying out any work on Only use tools and equipment that are in perfect condition. Do not use equipment with visible hardware. damage. Sicherheitshinweise Gefahrenhinweise Sollte das Netzkabel Anzeichen von Beschdigungen aufweisen, tauschen Sie es sofort aus. Tauschen Sie beschdigte Sicherheitsausrstungen (Abdeckungen, Typenschilder und Schutzkabel) sofort aus. Verwenden Sie ausschlielich Originalzubehr oder systemspezisch zugelassene Komponenten. Die Nichtbeachtung dieser Hinweise kann zur Beschdigung der Ausrstung oder zur Verletzung von Sicherheits- und EMV-Vorschriften fhren. Das System darf nur von autorisiertem Extreme Networks-Servicepersonal gewartet werden. ExtremeWireless V10.41.06 User Guide 88 Preface Warnhinweise Dieses Gert darf nicht ber Auenverdrahtung an ein LAN-Segment angeschlossen werden. Stellen Sie sicher, dass alle Kabel korrekt gefhrt werden, um Zugbelastung zu vermeiden. Sollte das Netzteil Anzeichen von Beschdigung aufweisen, tauschen Sie es sofort aus. Trennen Sie alle Stromverbindungen, bevor Sie Arbeiten im Bereich der Stromversorgung vornehmen, sofern dies nicht fr eine Wartungsprozedur anders verlangt wird. Gehen Sie vorsichtig vor, wenn Sie an Hotswap-fhigen Wireless Controller-Komponenten

(Stromversorgungen oder Lftern) Servicearbeiten durchfhren. Rotierende Lfter knnen ernsthafte Verletzungen verursachen. Dieses Gert ist mglicherweise ber mehr als ein Netzkabel angeschlossen. Um die Gefahr eines elektrischen Schlages zu vermeiden, sollten Sie vor Durchfhrung von Servicearbeiten alle Netzkabel trennen. Falls eines der Stromversorgungsmodule ausfllt, kann es ausgetauscht werden, ohne die Stromversorgung zum Wireless Controller zu unterbrechen. Bei dieser Prozedur ist jedoch mit Vorsicht vorzugehen. Das Modul kann extrem hei sein. Tragen Sie Handschuhe, um Verbrennungen zu vermeiden. D Achten Sie bei Lithium-Batterien auf die ordnungsgeme Entsorgung. Versuchen Sie niemals, ohne Hilfe schwere Gegenstnde zu heben. Bei unsachgemem Austausch der Lithium-Batterie besteht Explosionsgefahr. Die Lithium-Batterie darf nur durch identische oder vom Hndler empfohlene Typen ersetzt werden. Vorsichtshinweise berprfen Sie die fr die Ausrstung festgelegte Nennspannung (Bedienungsanleitung und Typenschild). Diese Ausrstung arbeitet mit Hochspannung, die mit der Gefahr eines elektrischen Schlages verbunden ist. Gehen Sie mit groer Vorsicht vor, wenn Sie bei eingeschaltetem System Hochspannungen messen oder Karten, Schalttafeln und Baugruppen warten. Verwenden Sie nur Werkzeuge und Ausrstung in einwandfreiem Zustand. Verwenden Sie keine raft Verlegen Sie Leitungen so, dass sie keine Unfallquelle (Stolpergefahr) bilden und nicht beschdigt Tragen Sie bei Arbeiten an Hardwarekomponenten ein Armband, um elektrostatisch gefhrdete Bauelemente (EGB) vor Beschdigungen zu schtzen. Ausrstung mit sichtbaren Beschdigungen. werden. Consignes De Scurit Dangers Si le cordon de raccordement au secteur est endommag, remplacez-le immdiatement. Remplacez sans dlai les quipements de scurit endommags (caches, tiquettes et conducteurs de protection). Utilisez uniquement les accessoires d'origine ou les modules agrs spciques au systme. Dans le cas contraire, vous risquez d'endommager l'installation ou d'enfreindre les consignes en matire de scurit et de compatibilit lectromagntique. Seul le personnel de service Extreme Networks est autoris maintenir/rparer le systme. ExtremeWireless V10.41.06 User Guide 99 Preface Avertissements Cet appareil ne doit pas tre connect un segment de LAN l'aide d'un cblage extrieur. Vriez que tous les cbles fonctionnent correctement pour viter une contrainte excessive. Si l'adaptateur d'alimentation prsente des dommages, remplacez-le immdiatement. Coupez toujours l'alimentation avant de travailler sur les alimentations lectriques, sauf si la procdure de maintenance mentionne le contraire. Prenez toutes les prcautions ncessaires lors de l'entretien/rparations des modules du Wireless Controller pouvant tre branchs chaud : alimentations lectriques ou ventilateurs.Les ventilateurs rotatifs peuvent provoquer des blessures graves. Cette unit peut avoir plusieurs cordons d'alimentation.Pour viter tout choc lectrique, dbranchez tous les cordons d'alimentation avant de procder la maintenance.En cas de panne d'un des modules d'alimentation, le module dfectueux peut tre chang sans teindre le Wireless Controller. Toutefois, ce remplacement doit tre effectu avec prcautions. Portez des gants pour viter de toucher le module qui peut tre trs chaud. D Sa mise au rebut doit tre conforme aux prescriptions en vigueur. N'essayez jamais de soulever des objets qui risquent d'tre trop lourds pour vous. Le remplacement non conforme de la batterie au lithium peut provoquer une explosion. Remplacez la batterie au lithium par un modle identique ou par un modle recommand par le revendeur. Prcautions Contrlez la tension nominale paramtre sur l'installation (voir le mode d'emploi et la plaque signaltique). Des tensions leves pouvant entraner des chocs lectriques sont utilises dans cet quipement. Lorsque le systme est sous tension, prenez toutes les prcautions ncessaires lors de la mesure des hautes tensions et de l'entretien/rparation des cartes, des panneaux, des plaques. N'utilisez que des appareils et des outils en parfait tat. Ne mettez jamais en service des appareils raft Acheminez les cbles de manire ce qu'ils ne puissent pas tre endommags et qu'ils ne constituent pas une source de danger (par exemple, en provoquant la chute de personnes). We are always striving to improve our documentation and help you work better, so we want to hear from you! We welcome all feedback but especially want to know about:

Content errors or confusing or conicting information. Ideas for improvements to our documentation so you can nd the information you need faster. Broken links or usability issues. Pour protger les dispositifs sensibles l'lectricit statique, portez un bracelet antistatique lors du prsentant des dommages visibles. travail sur le matriel. Providing Feedback to Us If you would like to provide feedback to the Extreme Networks Information Development team about this document, please contact us using our short online feedback form. You can also email us directly at internalinfodev@extremenetworks.com. ExtremeWireless V10.41.06 User Guide 110 Preface Getting Help If you require assistance, contact Extreme Networks using one of the following methods:

GGTAC (Global Technical Assistance Center) for Immediate Support Phone: 1-800-998-2408 (toll-free in U.S. and Canada) or +1 408-579-2826. For the support phone number in your country, visit: www.extremenetworks.com/support/contact Email: support@extremenetworks.com. To expedite your message, enter the product name or model number in the subject line. Extreme Portal Search the GTAC knowledge base, manage support cases and service contracts, download software, and obtain product licensing, training, and certications. information) problem) Network load at the time of trouble (if known) The device history (for example, if you have returned the device before, or if this is a recurring The Hub A forum for Extreme customers to connect with one another, answer questions, and share ideas and feedback. This community is monitored by Extreme Networks employees, but is not intended to replace specic guidance from GTAC. Before contacting Extreme Networks for technical support, have the following information ready:

Your Extreme Networks service contract number and/or serial numbers for all involved Extreme D Networks products A description of the failure A description of any action(s) already taken to resolve the problem A description of your network environment (such as layout, cable type, other relevant environmental raft www.extremenetworks.com/support/documentation-archives/

www.extremenetworks.com/support/release-notes www.extremenetworks.com/documentation/

Current Product Documentation Archived Documentation (for earlier versions and legacy products) Release Notes Any related RMA (Return Material Authorization) numbers To nd Extreme Networks product guides, visit our documentation pages at:

Open Source Declarations Some software les have been licensed under certain open source licenses. More information is available at: www.extremenetworks.com/support/policies/software-licensing. Extreme Networks Documentation ExtremeWireless V10.41.06 User Guide 11 1 About This Guide WWho Should Use This Guide How to Use This Guide This guide describes how to install, congure, and manage the Extreme Networks ExtremeWireless software. This guide is also available as an online help system. To access the online help, click Help in the ExtremeWireless Assistant top menu bar. How to Use This Guide Who Should Use This Guide D For... This guide is a reference for system administrators who install and manage the ExtremeWireless system. An overview of the product, its features and functionality. To locate information about various subjects in this guide, refer to the following table. Any administrator performing tasks described in this guide must have an account with administrative privileges. raft Conguring the ExtremeWireless Appliance on page 31 Conguring the ExtremeWireless APs on page 101 Overview of the ExtremeWireless Solution on page 14 Conguring Topologies on page 262 Conguring Roles on page 284 Refer to... Information about how to perform the installation, rst time setup and conguration of the controller, as well as conguring the data ports and dening routing. Information on how to install the ExtremeWireless AP, how it discovers and registers with the controller, and how to view and modify radio conguration. An overview of topologies and provides detailed information about how to congure them. An overview of roles and provides detailed information about how to congure them. An overview of WLAN (Wireless Local Area Network) services and provides detailed information about how to congure them. An overview of Virtual Network Services (VNS), provides detailed instructions in how to congure a VNS, either using the Wizards or by manually creating the component parts of a VNS. Information about conguring CoS (Class of Service) which are a conguration entity containing QoS Marking (802.1p and ToS/

DSCP), Inbound/Outbound Rate Limiting and Transmit Queue Assignments. Conguring WLAN Services on page 318 Conguring a VNS on page 390 Conguring Classes of Service on page 487 ExtremeWireless V10.41.06 User Guide 12 About This Guide FFor... Information about conguring Sites which is a mechanism for grouping APs and refers to specic Roles, Classes of Service

(CoS) and RADIUS servers that are grouped to form a single conguration. Refer to... Conguring Sites on page 494 An overview of Mesh networks and provides detailed information about how to create a Mesh network. Working with a Mesh Network on page 502 An overview of a Wireless Distribution System (WDS) network conguration and provides detailed information about how to create a Mesh network. Working with a Wireless Distribution System on page 518 Information on how to set up the features that maintain service availability in the event of a controller failover. Availability and Session Availability on page 537 Conguring Mobility on page 555 Information on how to set up the mobility domain that provides mobility for a wireless device user when the user roams from one ExtremeWireless AP to another in the mobility domain. D Information on how to use the ExtremeWireless AP features with third-party wireless access points. Information on the security tool that scans for, detects, provides countermeasures, and reports on rogue APs. Information on the various reports and displays available in the system. Information on system administration activities, such as performing ExtremeWireless AP client management, dening management users, conguring the network time, and conguring Web session timeouts. Information on how to view and interpret the logs, traces, audits and DHCP (Dynamic Host Conguration Protocol) messages. Working with Third-party APs on page 561 Performing System Administration on page 669 Working with Reports and Statistics on page 621 Working with ExtremeWireless Radar on page 563 raft Glossary terms are displayed as links in the text. Hover over a glossary term to display the denition, or click the link to go to the Glossary. Working with GuestPortal Administration on page 690 Logs, Traces, Audits and DHCP Messages on page 676 Default GuestPortal Ticket Page on page 706 Regulatory Information on page 705 A list of terms and denitions for the ExtremeWireless Appliance and the ExtremeWireless AP as well as standard industry terms used in this guide. Regulatory information for the ExtremeWireless Appliances and the ExtremeWireless APs. Information on how to congure GuestPortal accounts. The default GuestPortal ticket page source code. ExtremeWireless V10.41.06 User Guide 13 2 Overview of the ExtremeWireless Solution IIntroduction Conventional Wireless LANs Elements of the ExtremeWireless Solution ExtremeWireless and Your Network ExtremeWireless Appliance Product Family Introduction D The ExtremeWireless system is a highly scalable Wireless Local Area Network (WLAN) solution. Based on a third generation WLAN topology, the ExtremeWireless system makes wireless practical for service providers as well as medium and large-scale enterprises. The next generation of wireless networking devices provides a truly scalable WLAN (Wireless Local Area Network) solution. ExtremeWireless Access Points (APs, wireless APs) are t access points controlled through a sophisticated network device, the controller. This solution provides the security and manageability required by enterprises and service providers for huge industrial wireless networks. raft The ExtremeWireless controller provides a secure, highly scalable, cost-effective solution based on the IEEE 802.11 standard. The system is intended for enterprise networks operating on multiple oors in more than one building, and is ideal for public environments, such as airports and convention centers that require multiple access points. The ExtremeWireless Appliance is a network device designed to integrate with an existing wired Local Area Network (LAN). The rack-mountable controller provides centralized management, network access, and routing to wireless devices that use Wireless APs to access the network. It can also be congured to handle data traffic from third-party access points. This chapter provides an overview of the fundamental principles of the ExtremeWireless System. The ExtremeWireless Appliance The controller provides the following functionality:

Controls and congures Wireless APs, providing centralized management. Authenticates wireless devices that contact a Wireless AP. Assigns each wireless device to a VNS when it connects. Routes traffic from wireless devices, using VNS, to the wired network. Applies ltering roles to the wireless device session. Provides session logging and accounting capability. ExtremeWireless V10.41.06 User Guide 14 Overview of the ExtremeWireless Solution Conventional Wireless LANs Wireless communication between multiple computers requires that each computer be equipped with a receiver/transmittera WLAN Network Interface Card (NIC)capable of exchanging digital information over a common radio frequency. This is called an ad hoc network conguration. An ad hoc network conguration allows wireless devices to communicate together. This setup is dened as an independent basic service set (IBSS). An alternative to the ad hoc conguration is the use of an access point. This may be a dedicated hardware bridge or a computer running special software. Computers and other wireless devices communicate with each other through this access point. The 802.11 standard denes access point communications as devices that allow wireless devices to communicate with a distribution system. This setup is dened as a basic service set (BSS) or infrastructure network. To allow the wireless devices to communicate with computers on a wired network, the access points must be connected to the wired network providing access to the networked computers. This topology is called bridging. With bridging, security and management scalability is often a concern. D raft Figure 1: Standard Wireless Network Solution Example The wireless devices and the wired networks communicate with each other using standard networking protocols and addressing schemes. Most commonly, Internet Protocol (IP) addressing is used. Elements of the ExtremeWireless Solution The ExtremeWireless solution consists of two devices:

ExtremeWireless V10.41.06 User Guide 15 Overview of the ExtremeWireless Solution ExtremeWireless Appliance ExtremeWireless AP This architecture allows a single controller to control many APs, making the administration and management of large networks much easier. There can be several controllers in the network, each with a set of registered APs. The controllers can also act as backups to each other, providing stable network availability. In addition to the controllers and APs, the solution requires three other components, all of which are standard for enterprise and service provider networks:

RADIUS Server (Remote Access Dial-In User Service) or other authentication server DHCP (Dynamic Host Conguration Protocol) Server (Dynamic Host Conguration Protocol). If you do not have a DHCP Server on your network, you can enable the local DHCP Server on the controller. The local DHCP Server is useful as a general purpose DHCP Server for small subnets. For more information, see Setting Up the Data Ports on page 51. D SLP (Service Location Protocol) raft Figure 2: ExtremeWireless Appliance Solution As illustrated in ExtremeWireless Appliance Solution, the ExtremeWireless Appliance appears to the existing network as if it were an access point, but in fact one controller controls many APs. The controller has built-in capabilities to recognize and manage the APs. The controller:

ExtremeWireless V10.41.06 User Guide 16 Overview of the ExtremeWireless Solution Activates the APs Enables APs to receive wireless traffic from wireless devices Processes the data traffic from the APs Forwards or routes the processed data traffic out to the network Authenticates requests and applies access roles Simplifying the APs makes them cost-effective, easy to manage, and easy to deploy. Putting control on an intelligent centralized controller enables:

Centralized conguration, management, reporting, and maintenance High security Flexibility to suit enterprise Scalable and resilient deployments with a few controllers controlling hundreds of APs The ExtremeWireless system:

Scales up to Enterprise capacity ExtremeWireless Appliances are scalable:

D C5215 Up to 1000 APs, 2000 APs in Controller availability mode C5210 Up to 1000 APs, 2000 APs in Controller availability mode C5110 Up to 525 APs, 1050 APs in Controller availability mode C4110 Up to 250 APs, 500 APs in Controller availability mode C25 Up to 50 APs, 100 APs in Controller availability mode C35 Up to 125 APs, 250 APs in Controller availability mode V2110 (Small Prole) Up to 50 APs, 100 APs in Controller availability mode V2110 (Medium Prole) Up to 250 APs, 500 APs in Controller availability mode V2110 (Large Prole) Up to 525 APs, 1050 APs in Controller availability mode raft Integrates with existing network A controller can be added to an existing enterprise network as a new network device, greatly enhancing its capability without interfering with existing functionality. Integration of the controllers and APs does not require any re-conguration of the existing infrastructure (for example, VLAN (Virtual LAN)s). In turn, each wireless AP can handle a mixture of secure and non-secure clients. AP per radio support is up to 200 clients, of which 127 are clients with security. With additional controllers, the number of wireless devices the solution can support can reach into the thousands. Integrates with the Extreme Networks Extreme Management Center Suite of products. For more information, see Extreme Networks Extreme Management Center Integration on page 18. Inventory Manager Plug-in applications include:

Automated Security Manager NAC Manager Role Control Console Policy Manager Offers centralized management and control An administrator accesses the controller in its centralized location to monitor and administer the entire wireless network. From the controller the administrator can recognize, congure, and manage the APs and distribute new software releases. Provides easy deployment of APs The initial conguration of the APs on the centralized controller can be done with an automatic discovery technique. ExtremeWireless V10.41.06 User Guide 17 Overview of the ExtremeWireless Solution Provides security via user authentication Uses existing authentication (AAA) servers to authenticate and authorize users. Provides security via lters and privileges Uses virtual networking techniques to create separate virtual networks with dened authentication and billing services, access roles, and privileges. Supports seamless mobility and roaming Supports seamless roaming of a wireless device from one wireless AP to another on the same controller or on a different controller. Integrates third-party access points Uses a combination of network routing and authentication techniques. Prevents rogue devices Unauthorized access points are detected and identied as either harmless or dangerous rogue APs. Provides accounting services Logs wireless user sessions, user group activity, and other activity reporting, enabling the generation of consolidated billing records. Extreme Networks Extreme Management Center Integration Offers troubleshooting capability Logs system and session activity and provides reports to aid in Offers dynamic RF management Automatically selects channels and adjusts Radio Frequency troubleshooting analysis. D

(RF) signal propagation and power levels without user intervention. The ExtremeWireless solution now integrates with the Extreme Management Center suite of products, a collection of tools to help you manage networks. Its client/server architecture lets you manage your network from a single workstation or, for networks of greater complexity, from one or more client workstations. It is designed to facilitate specic network management tasks while sharing data and providing common controls and a consistent user interface. raft The Extreme Management Center is a family of products comprising the Extreme Management Center Console and a suite of plug-in applications, including:

Automated Security Manager Automated Security Manager is a unique threat response solution that translates security intelligence into security enforcement. It provides sophisticated identication and management of threats and vulnerabilities. For information on how the ExtremeWireless solution integrates with the Automated Security Manager application, see the Maintenance Guide. NAC Manager NAC Manager is a leading-edge NAC solution to ensure only the right users have access to the right information from the right place at the right time. The Extreme Networks NAC solution performs multi-user, multi-method authentication, vulnerability assessment and assisted remediation. For information on how the ExtremeWireless solution integrates with the Extreme Networks NAC solution, see NAC Integration with the Wireless WLAN on page 24. details of the ever-changing network. For information on how the ExtremeWireless solution integrates with the Automated Security Manager application, see the Maintenance Guide . Inventory Manager Inventory Manager is a tool for efficiently documenting and updating the Policy Manager Policy Manager recognizes the ExtremeWireless suite as role capable devices that accept partial conguration from Policy Manager. Currently this integration is partial in the sense that Extreme Management Center is unable to create WLAN services directly; The WLAN services need to be directly provisioned on the controller and are represented to Policy Manager as logical ports. The ExtremeWireless Appliance allows Policy Manager to:

ExtremeWireless V10.41.06 User Guide 18 Overview of the ExtremeWireless Solution Attach Topologies (assign VLAN to port) to the ExtremeWireless Appliance physical ports

(Console). Attach role to the logical ports (WLAN Service/SSID), Assign a Default Role/Role to a WLAN Service, thus creating the VNS. Perform authentication operations which can then reference dened roles for station-specic role enforcement. This can be seen as a three-step process:

1 Deploy the controller and perform local conguration The ExtremeWireless Appliance ships with a default SSID, attached by default to all AP radios, when enabled. Use the basic installation wizard to complete the ExtremeWireless Appliance conguration. Push the VLAN list to the ExtremeWireless Appliance (Topologies) Attach VLANs to ExtremeWireless Appliance physical ports (Console - Complete Topology 2 Use Policy Manager to:

D denition) Appliance for a bridged at controller or routed topologies and associated VNSs. 3 Fine tune controller settings. For example, conguring ltering at APs and ExtremeWireless Push RADIUS server conguration to the ExtremeWireless Appliance Push role denitions to the ExtremeWireless Appliance Attach the default role to create a VNS Note Complete information about integration with Policy Manager is outside the scope of this document. raft This section is a summary of the components of the ExtremeWireless solution on your enterprise network. The following are described in detail in this guide, unless otherwise stated:

ExtremeWireless Appliance A rack-mountable network device or virtual appliance that provides centralized control over all access points and manages the network assignment of wireless device clients associating through access points. Wireless AP A wireless LAN t access point that communicates with a controller. RADIUS Server (Remote Access Dial-In User Service) (RFC2865), or other authentication server An authentication server that assigns and manages ID and Password protection throughout the network. Used for authentication of the wireless users in either 802.1x or Captive Portal security modes. The RADIUS Server system can be set up for certain standard attributes, such as lter ID, and for the Vendor Specic Attributes (VSAs). In addition, RADIUS Disconnect (RFC3576) which permits dynamic adjustment of user role (user disconnect) is supported. ExtremeWireless and Your Network DHCP Server (Dynamic Host Conguration Protocol) (RFC2131) A server that assigns dynamically IP addresses, gateways, and subnet masks. IP address assignment for clients can be done by the DHCP server internal to the controller, or by existing servers using DHCP relay. It is also used by the APs to discover the location of the controller during the initial registration process using Options 43, 60, and Option 78. Options 43 and 60 specify the vendor class identier (VCI) and vendor specic ExtremeWireless V10.41.06 User Guide 19 Overview of the ExtremeWireless Solution information. Option 78 species the location of one or more SLP Directory Agents. For SLP, DHCP should have Option 78 enabled. Service Location Protocol (SLP) (SLP RFC2608) Client applications are User Agents and services that are advertised by a Service Agent. In larger installations, a Directory Agent collects information from Service Agents and creates a central repository. The Extreme Networks solution relies on registering Extreme Networks as an SLP Service Agent. Domain Name Server (DNS) A server used as an alternate mechanism (if present on the enterprise network) for the automatic discovery process. Controller, Access Points and Convergence Software relies on the DNS for Layer 3 deployments and for static conguration of the APs. The controller can be registered in DNS, to provide DNS assisted AP discovery. In addition, DNS can also be used for resolving RADIUS server hostnames. Web Authentication Server A server that can be used for external Captive Portal and external authentication. The controller has an internal Captive portal presentation page, which allows web authentication (web redirection) to take place without the need for an external Captive Portal server. RADIUS Accounting Server (Remote Access Dial-In User Service) (RFC2866) A server that is required if RADIUS Accounting is enabled. D SNMP messages is enabled. Some features also require the denition of static routes. SNMP (Simple Network Management Protocol) A Manager Server that is required if forwarding Network Infrastructure The Ethernet switches and routers must be congured to allow routing Web Browser A browser provides access to the controller Management user interface to congure between the various services noted above. Routing must also be enabled between multiple controllers for the following features to operate successfully:

Availability Mobility ExtremeWireless Radar for detection of rogue access points raft Zone Integrity The Zone integrity server enhances network security by ensuring clients accessing your network are compliant with your security roles before gaining access. Zone Integrity Release 5 is supported. SSH Enabled Device A device that supports Secure Shell (SSH) is used for remote (IP) shell access

(Optional) Online Signup Server For use with Hotspot Networks. the ExtremeWireless system. to the system. Network Traffic Flow Figure 3 illustrates a simple conguration with a single controller and two APs, each supporting a wireless device. A RADIUS server on the network provides authentication, and a DHCP server is used by the APs to discover the location of the controller during the initial registration process. Network inter-

connectivity is provided by the infrastructure routing and switching devices. ExtremeWireless V10.41.06 User Guide 20 Overview of the ExtremeWireless Solution D Figure 3: Traffic Flow Diagram Each wireless device sends IP packets in the 802.11 standard to the AP. The AP uses a UDP (User Datagram Protocol) based tunnelling protocol. In tunneled mode of operation, it encapsulates the packets and forwards them to the controller. The controller decapsulates the packets and routes these to destinations on the network. In a typical conguration, access points can be congured to locally bridge traffic (to a congured VLAN) directly at their network point of attachment. raft The controller functions like a standard L3 router or L2 switch. It is congured to route the network traffic associated with wireless connected users. The controller can also be congured to simply forward traffic to a default or static route if dynamic routing is not preferred or available. The Extreme Networks ExtremeWireless system provides features and functionality to control network access. These are based on standard wireless network security practices. Network Security Current wireless network security methods provide protection. These methods include:

Shared Key authentication that relies on Wired Equivalent Privacy (WEP) keys Open System that relies on Service Set Identiers (SSIDs) 802.1x that is compliant with Wi-Fi Protected Access (WPA) Captive Portal based on Secure Sockets Layer (SSL) protocol The Extreme Networks ExtremeWireless system provides the centralized mechanism by which the corresponding security parameters are congured for a group of users. Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks dened in the 802.11b standard ExtremeWireless V10.41.06 User Guide 21 Overview of the ExtremeWireless Solution Wi-Fi Protected Access version 1 (WPA1) with Temporal Key Integrity Protocol (TKIP) Wi-Fi Protected Access version 2 (WPA2) with Advanced Encryption Standard (AES) and Counter Mode with Cipher Block Chaining Message Authentication Code (CCMP) Authentication The controller relies on a RADIUS server, or authentication server, on the enterprise network to provide the authentication information (whether the user is to be allowed or denied access to the network). A RADIUS client is implemented to interact with infrastructure RADIUS servers. The controller provides authentication using:

Captive Portal a browser-based mechanism that forces users to a Web page RADIUS (using IEEE 802.1x) D The 802.1x mechanism is a standard for authentication developed within the 802.11 standard. This mechanism is implemented at the wireless port, blocking all data traffic between the wireless device and the network until authentication is complete. Authentication by 802.1x standard uses Extensible Authentication Protocol (EAP) for the message exchange between the controller and the RADIUS server. When 802.1x is used for authentication, the controller provides the capability to dynamically assign per-

wireless-device WEP keys (called per session WEP keys in 802.11). In the case of WPA, the controller is not involved in key assignment. Instead, the controller is involved in the information exchange between RADIUS server and the users wireless device to negotiate the appropriate set of keys. With WPA2 the material exchange produces a Pairwise Master Key which is used by the AP and the user to derive their temporal keys. (The keys change over time.) raft The Extreme Networks ExtremeWireless solution provide a RADIUS redundancy feature that enables you to dene a failover RADIUS server in the event that the active RADIUS server becomes unresponsive. Extreme Networks ExtremeWireless supports the Wired Equivalent Privacy (WEP) standard common to conventional access points. Privacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques. It also provides Wi-Fi Protected Access version 1 (WPA v.1) encryption, based on Pairwise Master Key

(PMK) and Temporal Key Integrity Protocol (TKIP). The most secure encryption mechanism is WPA version 2, using Advanced Encryption Standard (AES). Privacy Virtual Network Services Virtual Network Services (VNS) provide a versatile method of mapping wireless networks to the topology of an existing wired network. In releases prior to V7.0, a VNS was a collection of operational entities. Starting with Release V7.0, a VNS becomes the binding of reusable components:

ExtremeWireless V10.41.06 User Guide 222 Overview of the ExtremeWireless Solution WLAN Service components that dene the radio attributes, privacy and authentication settings, and QoS attributes of the VNS Role components that dene the topology (typically a VLAN), policy rules, and Class of Service applied to the traffic of a station. Figure 4 illustrates the transition of the concept of a VNS to a binding of reusable components. D raft WLAN Service components and Role components can be congured separately and associated with a VNS when the VNS is created or modied. Alternatively, they can be congured during the process of creating a VNS. Additionally, Roles can be created using the Extreme Networks Extreme Management Center Policy Manager or Extreme Management Center Wireless Manager and pushed to the ExtremeWireless Appliance. Role assignment ensures that the correct topology and traffic behavior are applied to a user regardless of WLAN service used or VNS assignment. Figure 4: VNS as a Binding of Reusable Components When VNS components are set up on the controller, among other things, a range of IP addresses is set aside for the controllers DHCP server to assign to wireless devices. If the OSPF (Open Shortest Path First) routing protocol is enabled, the controller advertises the routed topologies as reachable segments to the wired network infrastructure. The controller routes traffic between the wireless devices and the wired network. The controller also supports VLAN-bridged assignment for VNSs. This allows the controller to directly bridge the set of wireless devices associated with a WLAN service directly to a specied core VLAN. ExtremeWireless V10.41.06 User Guide 23 Overview of the ExtremeWireless Solution Each controller model can support a denable number and an active number of VNSs. See Table 3. 128 64 16 16 64 128 128 Max Number of Dened VNS Max Number of Dened WLAN Services Max Number of Active WLAN Services Table 3: VNS and WLAN Service Capacity CController Model C5110 C4110 C25 V2110 Small V2110 Medium V2110-HyperV 256 128 32 32 128 256 128 32 32 128 C5215 V2110 Large D C5210 C35 256 256 256 256 32 16 The AP3912 has three additional client ports that can be assigned to a single WLAN Service. For more information, see Assigning WLAN Services to Client Ports on page 170. The AP radios can be assigned to each of the congured WLAN services and, therefore, VNSs in a system. Each AP can be the subject of 16 service assignmentseight assignments per radiowhich corresponds to the number of SSIDs it can support. Once a radio has all eight slots assigned, it is no longer eligible for further assignment. 32 128 256 256 raft The Extreme Networks Wireless WLAN supports integration with a NAC (Network Admission Control) Gateway. The NAC Gateway can provide your network with authentication, registration, assessment, remediation, and access control for mobile users. Figure 5 depicts the topology and workow relationship between Wireless WLAN that is congured for external captive portal and a NAC Gateway. With this conguration, the NAC Gateway acts like a RADIUS proxy server. An alternative is to congure the NAC Gateway to perform MAC-based authentication itself, using its own database of MAC addresses and permissions. For more information, see Creating a NAC VNS Using the VNS Wizard on page 426. NAC Gateway integration with Wireless WLAN supports SSID VNSs when used in conjunction with MAC-based external captive portal authentication. NAC Integration with the Wireless WLAN ExtremeWireless V10.41.06 User Guide 24 Overview of the ExtremeWireless Solution D 11 The client laptop connects to the AP. Figure 5: WLAN and NAC Integration with External Captive Portal Authentication raft Note RADIUS servers with captive portal and EAP authentication can be tested for connectivity using the radtest command. For more information, see the ExtremeWireless CLI Guide. The NAC Gateway forwards the access-request to the RADIUS server. The NAC Gateway acts like a RADIUS proxy server. The AP determines that authentication is required, and sends an association request to the appliance. 3 The RADIUS server evaluates the access-request and sends an AccessAccept message back to the NAC. 2 The appliance forwards to the NAC Gateway an access-request message for the client laptop, which is identied by its MAC address. The NAC receives the access-accept packet. Using its local database, the NAC determines the correct role to apply to this client laptop and updates the access-accept packet with the role assignment. The updated AccessAccept message is forwarded to the appliance and AP. 4 The appliance and the AP apply role against the client laptop accordingly. The appliance assigns a set of lters to the client laptops session and the AP allows the client laptop access to the network. 5 The client laptop interacts with a DHCP server to obtain an IP address. 6 Eventually the client laptop uses its web browser to access a website. The appliance determines that the target website is blocked and that the client laptop still requires authentication. ExtremeWireless V10.41.06 User Guide 25 Overview of the ExtremeWireless Solution The appliance sends an HTTP redirect to the client laptops browser. The redirect sends the browser to the web server on the NAC Gateway. The NAC displays an appropriate web page in the client laptops browser. The contents of the page depend on the current role assignment (enterprise, remediation, assessing, quarantine, or unregistered) for the MAC address. 77 When the NAC determines that the client laptop is ready for a different role assignment, it sends a disconnect message (RFC 3576) to the appliance. When the appliance receives the disconnect message sent by the NAC, the appliance terminates the session for the client laptop. The appliance forwards the command to terminate the client laptops session to the AP, which disconnects the client laptop. Topology VNS Components D The distinct constituent high-level congurable umbrella elements of a VNS are:

Topology Role Classes of Service WLAN Service Topologies represent the networks with which the controller and its APs interact. The main congurable attributes of a topology are:

Name - a string of alphanumeric characters designated by the administrator. VLAN ID - the VLAN identier as specied in the IEEE 802.1Q denition. VLAN tagging options. Port of presence for the topology on the controller. (This attribute is not required for Routed and raft Physical - the topology is the native topology of a data plane and it represents the actual Ethernet ports Management - the native topology of the controller management port Routed - the controller is the routing gateway for the routed topology. Bridged at Controller - the user traffic is bridged (in the L2 sense) between wireless clients and the core network infrastructure. Bridged at AP - the user traffic is bridged locally at the AP without being redirected to the controller Interface. This attribute is the IP (L3) address assigned to the controller on the network described by Type. This attribute describes how traffic is forwarded on the topology. Options are:

Bridged at AP topologies.) the topology. (Optional.) Exception Filters. Species which traffic has access to the controller from the wireless clients or the infrastructure network. Certicates. ExtremeWireless V10.41.06 User Guide 26 Overview of the ExtremeWireless Solution Multicast lters. Denes the multicast groups that are allowed on a specic topology segment. For information about Topology groups, see Creating a Topology Group on page 270. Role A Role is a collection of attributes and rules that determine actions taken user traffic accesses the wired network through the WLAN service (associated to the WLAN Service's SSID). Depending upon its type, a VNS can have between one and three Authorization Roles associated with it:

1 Default non-authorized role This is a mandatory role that covers all traffic from stations that have not authenticated. At the administrator's discretion the default non-authorized role can be applied to the traffic of authenticated stations as well. 2 Default authorized role This is a mandatory role that applies to the traffic of authenticated stations Classes of Service for which no other role was explicitly specied. It can be the same as the default non-authorized role. 3 Third-party AP role This role applies to the list of MAC addresses corresponding to the wired interfaces of third party APs specically dened by the administrator to be providing the RF access as an AP WLAN Service. This role is only relevant when applied to third party AP WLAN Services. D In general, CoS (Class of Service) refers to a set of attributes that dene the importance of a frame while it is forwarded through the network relative to other packets, and to the maximum throughput per time unit that a station or port assigned to a specic role is permitted. The CoS denes actions to be taken when rate limits are exceeded. raft All incoming packets may follow these steps to determine a CoS:

Classication - identies the rst matching rule that denes a CoS. Marking - modies the L2 802.1p and/or L3 ToS based on CoS denition. Rate limiting (drop) is set. A WLAN Service represents all the RF, authentication and QoS attributes of a wireless access service offered by the controller and its APs. A WLAN Service can be one of the following types:

Standard A conventional service. Only APs running ExtremeWireless software can be part of this WLAN Service. This type of service can be used as a Bridged at Controller, Bridged at AP, or Routed Topology. This type of service provides access for mobile stations. Roles can be associated with this type of WLAN service to create a VNS. Hotspot can be enabled for standard WLAN services. The system limit for the number of CoS proles on a controller is identical to the number of roles. For example, the maximum number of CoS proles on a C4110 is 512. WLAN Services Third Party AP A Wireless Service offered by third party APs. This type of service provides access for mobile stations. Roles can be assigned to this type of WLAN service to create a VNS. Dynamic Mesh and WDS (Static Mesh) This is to congure a group of APs organized into a hierarchy for purposes of providing a Wireless Distribution Service. This type of service is in essence ExtremeWireless V10.41.06 User Guide 27 Overview of the ExtremeWireless Solution a wireless trunking service rather than a service that provides access for stations. As such, this service cannot have roles attached to it. Remote A service that resides on the edge (foreign) controller. Pairing a remote service with a remoteable service on the designated home controller allows you to provision centralized WLAN Services in the mobility domain. This is known as centralized mobility. The components of a WLAN Service map to the corresponding components of a VNS in previous releases. The administrator makes an explicit choice of the type of authentication to use on the WLAN Service. If the choice of authentication option conicts with any other authentication or privacy choices, the WLAN Service cannot be enabled. Routing device traffic can be forwarded to the default gateway. Routing can be used on the controller to support the VNS denitions. Through the user interface you can congure routing on the controller to use one of the following routing techniques:

Static routes Use static routes to set the default route of a controller so that legitimate wireless D OSPF (version 2) (RFC2328) Use OSPF to allow the controller to participate in dynamic route Next-hop routing Use next-hop routing to specify a unique gateway to which traffic on a VNS is forwarded. Dening a next-hop for a VNS forces all the traffic in the VNS to be forwarded to the indicated network device, bypassing any routing denitions of the controller's route table. selection. OSPF is a protocol designed for medium and large IP networks with the ability to segment routes into different areas by routing information summarization and propagation. Static Route denition and OSPF dynamic learning can be combined, and the precedence of a static route denition over dynamic rules can be congured by selecting or clearing the Override dynamic routes option check box. raft In typical simple congurations, APs are set up as bridges that bridge wireless traffic to the local subnet. In bridging congurations, the user obtains an IP address from the same subnet as the AP, assuming no VLAN trunking functionality. If the user roams between APs on the same subnet, it is able to keep using the same IP address. However, if the user roams to another AP outside of that subnet, its IP address is no longer valid. The user's client device must recognize that the IP address it has is no longer valid and re-negotiate a new one on the new subnet. This mechanism does not mandate any action on the user. The recovery procedure is entirely client device dependent. Some clients automatically attempt to obtain a new address on roam (which affects roaming latency), while others will hold on to their IP address. This loss of IP address continuity seriously affects the client's experience in the network, because in some cases it can take minutes for a new address to be negotiated. Mobility and Roaming The Extreme Networks ExtremeWireless solution centralizes the user's network point of presence, therefore abstracting and decoupling the user's IP address assignment from that of the APs location subnet. That means that the user is able to roam across any AP without losing its own IP address, regardless of the subnet on which the serving APs are deployed. In addition, a controller can learn about other controllers on the network and then exchange client session information. This enables a wireless device user to roam seamlessly between different APs on different controllers. ExtremeWireless V10.41.06 User Guide 28 Overview of the ExtremeWireless Solution Network Availability The Extreme Networks ExtremeWireless solution provides availability against AP outages, controller outages, and even network outages. The controller in a VLAN bridged topology can potentially allow the user to retain the IP address in a failover scenario, if the VNS/VLAN is common to both controllers. For example, availability is provided by dening a paired controller conguration by which each peer can act as the backup controller for the other's APs. APs in one controller are allowed to fail over and register with the alternate controller. If the primary controller fails, all of its associated APs can automatically switch over to another controller that has been dened as the secondary or backup controller. If an AP reboots, the primary controller is restored if it is active. However, active APs will continue to be connected to the backup controller until the administrator releases them back to the primary home controller. Quality of Service (QoS) D IP ToS (Type of Service) or DSCP (Diffserv Codepoint) The ToS/DSCP eld in the IP header of a frame indicates the priority and class of service for each frame. Adaptive QoS ensures correct priority handling of client payload packets tunneled between the controller and AP by copying the IP ToS/DSCP setting from client packet to the header of the encapsulating tunnel packet. Extreme Networks ExtremeWireless solution provides advanced Quality of Service (QoS) management to provide better network traffic ow. Such techniques include:

WMM (Wi-Fi Multimedia) WMM is enabled per WLAN service. The controller provides centralized management of the AP features. For devices with WMM enabled, the standard provides multimedia enhancements for audio, video, and voice applications. WMM shortens the time between transmitting packets for higher priority traffic. WMM is part of the 802.11e standard for QoS. In the context of the ExtremeWireless Solution, the ToS/DSCP eld is used for classication and proper class of service mapping, output queue selection, and priority tagging. raft Quality of Service (QoS) management is also provided by:

Assigning high priority to a WLAN service Adaptive QoS (automatic and all time feature) Support for legacy devices that use SpectraLink Voice Protocol (SVP) for prioritizing voice traffic Role denition, the user can specify (default) role that includes Ingress and Egress rate control. Ingress rate control applies to traffic generated by wireless clients and Egress rate control applies to traffic targeting specic wireless clients. The bit-rates can be congured as part of globally available proles which can be used by any particular conguration. A global default is also dened. Rate Control Rate Control for user traffic can also be considered as an aspect of QoS. As part of

(congurable) ExtremeWireless Appliance Product Family The ExtremeWireless Appliance is available in the following product families:

ExtremeWireless V10.41.06 User Guide 29 Overview of the ExtremeWireless Solution Table 4: ExtremeWireless Product Families EExtremeWireless Appliance Model Specications Number C5110 C4110 C25 V2110 C35 C5210/C5215 D Three data ports supporting up to 525 APs 2 ber optic SR (10Gbps) 1 Ethernet port GigE One management port (Ethernet) GigE One console port (DB9 serial) Four USB ports two on each front and back panel (only one port active at a time) Redundant dual power supply unit Four data ports supporting up to 1000 APs 2 SFP+ (10Gbps) 2 Ethernet port GigE One management port (Ethernet) GigE One console port (RJ-45 serial) Five USB ports two on front and three on back panel (only one port active at a time) raft Redundant dual power supply unit Four GigE ports supporting up to 250 APs One management port (Ethernet) GigE One console port (DB9 serial) Four USB ports (only one active at a time) Redundant dual power supply unit Two GigE ports supporting up to 50 APs One management port GigE One console port (DB9 serial) Two USB ports Two GigE ports or 10G ber ports supporting up to 525 APs One management port GigE USB ports (only one active at a time) Four GigE ports supporting up to 125 APs One management port GigE One console port Two USB ports ExtremeWireless V10.41.06 User Guide 30 3 Conguring the ExtremeWireless Appliance SSystem Conguration Overview Logging on to the ExtremeWireless Appliance Wireless Assistant Home Screen Working with the Basic Installation Wizard Conguring the ExtremeWireless Appliance for the First Time Using a Third-party Location-based Solution Additional Ongoing Operations of the System D System Conguration Overview The following section provides a high-level overview of the steps involved in the initial conguration of ExtremeWireless:

1 Before you begin the conguration process, research the type of WLAN (Wireless Local Area Network) deployment that is required. For example, topology and VLAN (Virtual LAN) IDs, SSIDs, security requirements, and lter roles. 2 Prepare the network servers. Ensure that the external servers, such as DHCP (Dynamic Host Conguration Protocol) and RADIUS servers (if applicable) are available and appropriately congured. raft 3 Install the controller. For more information, see the documentation for your controller. 4 Perform the rst time setup of the controller on the physical network, which includes conguring the c Congure the data port interfaces to be on separate VLANs, matching the VLANs congured in step 3 above. Ensure also that the tagged vs. untagged state is consistent with the switch port conguration. b To manage the controller through the interface congured above, select the Mgmt check box on a Create a new physical topology and provide the IP address to be the relevant subnet point of IP addresses of the interfaces on the controller. attachment to the existing network. the IInterfaces tab. d Congure the time zone. Because changing the time zone requires restarting the controller, it is recommended that you congure the time zone during the initial installation and conguration of ExtremeWireless V10.41.06 User Guide 31 Conguring the ExtremeWireless Appliance the controller to avoid network interruptions. For more information, see Conguring Network Time on page 89. e Apply an activation key le. If an activation key is not applied, the controller functions with some features enabled in demonstration mode. Not all features are enabled in demonstration mode. For example, mobility is not enabled and cannot be used. CCaution Whenever the licensed region changes on the ExtremeWireless Appliance, all APs are changed to Auto Channel Select to prevent possible infractions to local RF regulatory requirements. If this occurs, all manually congured radio channel settings will be lost.Installing the new license key before upgrading will prevent the ExtremeWireless Appliance from changing the licensed region, and in addition, manually congured channel settings will be maintained. For more information, see the ExtremeWireless Maintenance Guide. 5 Congure the controller for remote access:

D a Set up an administration station (laptop) on subnet 192.168.10.0/24. By default, the controller's network. Management interface is congured with the static IP address 192.168.10.1. For more information, see Conguring the ExtremeWireless Appliance for the First Time on page 45. b Congure the controllers management interface. c Congure the data interfaces. d Set up the controller on the network by conguring the physical data ports. e Congure the routing table. f Congure static routes or OSPF (Open Shortest Path First) parameters, if appropriate to the raft points of network attachment, and therefore VLANs and port assignments need to be coordinated with the corresponding network switch ports. For more information, see Conguring a Basic Data Port Topology on page 266. corresponding network point. Roles dene user access rights (ltering or ACL (Access Control List)) Polices reference user's rate control prole. For more information, see Conguring Roles on page 284. 7 Congure roles. Roles are typically bound to topologies. Role application assigns user traffic to the 6 Congure the traffic topologies your network must support. Topologies represent the controllers 8 Congure WLAN services. Dene SSID and privacy settings for the wireless link. Select the set of APs/Radios on which the service is present. Congure the method of credential authentication for wireless users (None, Internal CP, External CP, GuestPortal, 802.1x[EAP]) For more information, see Conguring WLAN Services on page 318. 9 Create the VNSs. A VNS binds a WLAN Service to a Role that will be used for default assignment upon a users network attachment. ExtremeWireless V10.41.06 User Guide 32 Conguring the ExtremeWireless Appliance You can create topologies, roles, and WLAN services rst, before conguring a VNS, or you can select one of the wizards (such as the VNS wizard), or you can simply select to create new VNS. The VNS page then allows for in-place creation and denition of any dependency it may require, such as:

Creating a new WLAN Service Creating a new role Creating a new class of service (within a role) Creating a new topology (within a role) Creating new rate controls, and other Class of Service parameters The default shipping conguration does not ship any pre-congured WLAN Services, VNSs, or Roles. Conrm the latest rmware version is loaded. For more information, see Performing AP Software 10 Install, register, and assign APs to the VNS. D Maintenance on page 235. Deploy APs to their corresponding network locations. If applicable, congure a default AP template for common radio assignment, whereby APs Connect the APs to the controller. Once the APs are powered on, they automatically begin the Discovery process of the controller, automatically receive complete conguration. For typical deployments where all APs are to have the same conguration, this feature will expedite deployment, as an AP will automatically receive full conguration (including VNS-related assignments) upon initial registration with the controller. If applicable, modify the properties or settings of the APs. For more information, see Conguring the ExtremeWireless APs on page 101. raft based on factors that include:

Their Registration mode (on the AAP Registration screen) The enterprise network services that will support the discovery process Start your Web browser (Internet Explorer version 11 or later, FireFox, or Chrome). See the Release Notes for the supported web browsers. 1 Logging on to the ExtremeWireless Appliance ExtremeWireless V10.41.06 User Guide 33 Conguring the ExtremeWireless Appliance 2 In the browser address bar, type the following, using the IP address of your controller:

https://192.168.10.1:5825 This launches the Wireless Assistant. The login screen displays. D 3 Type your user name and password and click Login . The WWireless Assistant Home screen displays. Note The default User Name is "admin". The default Password is "abc123". raft The WWireless Assistant Home screen provides real-time status information on the current state of the wireless network. Information is grouped under multiple functional areas, and the Wireless Assistant Home Screen provides a graphical representation of information related to the active APs (such as the number of wired packets, stations, and total APs). Navigate the Wireless Assistant using the top menu bar tabs. Figure 6: Wireless Assistant Top Menu Bar Wireless Assistant Home Screen The bottom status bar displays the type and description of the current wireless controller, user and admin login status, ash status, software version and the number of admin users currently logged into the controller. ExtremeWireless V10.41.06 User Guide 34 Conguring the ExtremeWireless Appliance Figure 7: Wireless Assistant Home Screen Table 5 describes the panes on the WWireless Assistant Home Screen. raft ExtremeWireless V10.41.06 User Guide 35 Conguring the ExtremeWireless Appliance Table 5: Wireless Assistant Home Screen HHome Screen Heading Description Network Status D the All Active Client report. Includes real-time totals for the following components. Click the number displayed to display additional information, such as name, serial number, and IP address. Local APs - total number of active or inactive local congured APs. Foreign APs - total number of active or inactive foreign congured APs. Availability pair must be congured to display additional information. Pending APs - total APs pending verication. Load Groups - total active load groups. Click to display the Active Wireless Load Groups report. Active Client report. Local Stations - total number of active mobile stations. Click to display the All Local & Foreign - total number of active and foreign stations. Click to display settings. SSH or serial console ones) Read/Write sessions. settings (Stand-alone, Paired, Fast Failover FFO). VNS - total dened VNSs (enabled and disabled). Click to display the total number of enabled and disabled VNS assignments, respectively, congured on the system. Mobility Tunnels - status of the mobility tunnel. Click to display controller Availability - status of the controller availability. Click to display controller Read-only sessions - total number of currently active GUI and CLI (either SSH Displays information on the total number of recent administrative activities including:

Read/Write sessions - total number of currently active GUI and CLI (either raft sessions that can only be achieved through the GUI. Auth Type - lists the presently congured login mode. Click each heading to access the Wireless Controller > Login Management screen. For more information, see Conguring the Login Authentication Mode on page 75. Displays a graphical representation of the total number of active stations grouped by protocol. Click the Stations by Protocol heading to access the All Active Clients Report. For more information, see Viewing Statistics for APs on page 627. Guest Access sessions - total number of currently active GuestPortal Manager or serial console ones) Read only sessions. Displays a graphical representation of the total number of active stations and the number of APs. Click the APs by Channel heading to access the Active Wireless AP Report. For more information, see Viewing Statistics for APs on page 627. Displays a graphical representation of the total number of active APs grouped by channel. Click the Status by AP heading to access the Active Clients by Wireless APs Report. For more information, see Viewing Statistics for APs on page 627. Admin Sessions Stations by Protocol APs by Channel Stations by AP ExtremeWireless V10.41.06 User Guide 36 Conguring the ExtremeWireless Appliance Table 5: Wireless Assistant Home Screen (continued) HHome Screen Heading Description Applications by WLAN D If Application Visibility is enabled on the WWLAN Conguration screen, a pie chart displaying the top ve applications on that WLAN displays. If Application Visibility is not enabled, click Enable Application Visibility to display the Apps, operating systems, and devices used by clients. The Application Visibility option displays the following information for clients associated with a selected WLAN:

IPv4 and IPv6 Addresses Host Name Operating System Device Type Top 5 Application Groups by Throughput (2-minute interval) Top 5 current Application Groups by Bytes, from session start. Throughput chart for an application group. Average TCP Round Trip Time. Average DNS Round Trip Time. For more information, see Enabling Application Visibility with Device Identication on page 626 and Device Identication on page 625. raft ExtremeWireless V10.41.06 User Guide 37 Conguring the ExtremeWireless Appliance Table 5: Wireless Assistant Home Screen (continued) HHome Screen Heading Description Licensing Displays licensing information including:

License mode: License Manager can operate in Lone or Paired mode. Lone (standalone) - Only local APs are counted against locally installed capacity keys. ALL Radar In-Service and Guardian APs are counted against locally installed Radar keys. This is the default license mode. License Manager switches to Paired mode on the following conditions: Availability is enabled while License Manager is running and it receives a license request or Availability is enabled before the License Manger starts up and the database has counters for the peers capacity and Radar keys. D Paired - Both local and foreign APs are counted against sum of locally installed capacity keys and capacity keys, pooled from the peer controller. ALL Radar In-Service and Guardian APs are counted against sum or locally installed Radar keys, installed on the peer controller. License Manager switches to Lone (standalone) mode if Availability is disabled or if the peer IP address is changed. controller.

(backup) controller.

(backup) controller. information, see Applying Product License Keys on page 47). Unused AP Licenses: total number of unassigned AP licenses (for more Local Radar Licenses: total number of Radar licenses local to the primary Foreign Radar Licenses: total number of Radar licenses local to the secondary Local AP Licenses: total number of AP licenses local to the primary controller. Foreign AP Licenses: total number of AP licenses local to the secondary raft Days Remaining: number of days remaining on this license key. Regulatory Domain: Domain information for this license period. Click the Licensing heading to access the Wireless Controller > Software Maintenance screen. For more information, see Installing the License Keys on page 49. Displays network health statistics including:

Local AP Uptime (min) APs with > 30 clients APs in low power mode Unused Radar Licenses: total number of unassigned licenses for Radar (for more information, see Radar License Requirements on page 565). Health This feature is for AP39xx only. This option displays when there is one or more AP39xx in low power mode. Click to display details of the AP. Failed VNS RADIUS Txs Click each heading to access the Active Wireless APs Report. For more information, see Viewing Statistics for APs on page 627. ExtremeWireless V10.41.06 User Guide 38 Conguring the ExtremeWireless Appliance Table 5: Wireless Assistant Home Screen (continued) HHome Screen Heading Description Radar Displays totals for the following security related statistics:

AP Remote Access - click to access the APs > AP Registration page Unsecured WLANs - click to access the WLAN Security Report Uncategorized APs - click to access the list of Uncategorized APs Active Threats - click to access the Active Threats Report Active Countermeasures - click to access the Active Countermeasures Report APs denied by license - click to access the list of APs denied by license constraints. For more information, see Wireless AP Registration on page 123, and Working with Radar Reports on page 593. Events D Displays major events that impact network performance and efficiency. Each event listed includes a timestamp of the event, the type or classication of the event, which component is impacted by the event, and a log message providing specic information for the event. Click the Events heading to access the Log > Logs & Traces page. For more information, see Working with Reports and Statistics on page 621. The Extreme Networks ExtremeWireless system provides a basic installation wizard that can help administrators congure the minimum controller settings that are necessary to deploy a functioning ExtremeWireless system solution on a network. raft Use the Basic Installation Wizard to quickly congure the controller for deployment, and later to revise the controller conguration as needed. The Basic Installation Wizard launches when you log on to the controller for the rst time and when the system has been reset to the factory default settings. You can also launch the wizard from the left pane of the controller CConguration screen anytime. 1 Log on to the controller. For more information, see Logging on to the ExtremeWireless Appliance on page 33. 2 From the top menu, click Controller. The WWireless Controller Conguration screen displays. To congure the controller using the Basic Installation Wizard:

Working with the Basic Installation Wizard ExtremeWireless V10.41.06 User Guide 39 Conguring the ExtremeWireless Appliance 3 In the left pane, click Administration > Installation Wizard. The BBasic Installation Wizard screen displays. 4 In the Time Settings section, congure the controller timezone:

Continent or Ocean Select the continent for the time zone. Time Zone Region Select the appropriate time zone region for the selected continent. aft To manually set the controller time, click Set time. The Year, Month, Day, HR, and Min. elds display, where you can use the drop-down lists to specify the time values. To use the controller as the NTP time server, select the Run local NTP Server option. In the Server eld, enter the IP address or Domain Name for the NTP server. To use NTP to set the controller time, select the Use NTP option, and then type the IP address of 5 To congure the controllers time, do one of the following:

an NTP time server that is accessible on the enterprise network. The Network Time Protocol is a protocol for synchronizing the clocks of computer systems over packet-switched data networks. 6 In the Server eld, enter the IP address or Domain Name for the NTP server. Note The Server Address eld supports both IPv4 and IPv6 addresses. ExtremeWireless V10.41.06 User Guide 40 Conguring the ExtremeWireless Appliance 7 In the Topology Conguration section, the physical interface of the controller data port, the IP Address and Netmask values for the data port, and the VLAN ID display as read-only values. For information on how to obtain a temporary IP address from the network, click How to obtain a temporary IP address. 8 Click Next. The Management screen displays Basic Installation Wizard - Management Screen The MManagement screen displays:

1 In the AP Password section, enter a password for the AP. Click Unmask to display the password characters as you type. Access Points are shipped with default passwords. You must create a new SSH Access Password here. Note Passwords can include the following characters: A-Z a-z 0-9 ~!@#$%^&*()_+|-=\{}[];<>?,. Password cannot include the following characters: / ` ' " : or a space. ExtremeWireless V10.41.06 User Guide 41 Conguring the ExtremeWireless Appliance 2 In the Management Port section, conrm the port conguration values that were dened when the controller was physically deployed on the network. If applicable, edit these values:

Static IP Address Displays the IPv4 address for the controllers management port. Revise this as appropriate for the enterprise network. Netmask Displays the appropriate subnet mask for the IP address to separate the network portion from the host portion of the address. Gateway Displays the default gateway of the network. Static IPv6 Address Displays the IPv6 address for the controllers management port. Revise this as appropriate for the enterprise network. Prex Length Length of the IPv6 prex. Maximum is 64 bits. Gateway Displays the default gateway of the network. 3 In the SNMP section, click V2c or V3 in the Mode drop-down list to enable SNMP (Simple Network receive SNMP messages. If you selected V3, the Syslog Server options display:

Management Protocol), if applicable. If you selected V2c, the Community options display:

Read Community Type the password that is used for read-only SNMP communication. Write Community Type the password that is used for write SNMP communication. Trap Destination Type the IP address of the server used as the network manager that will D Enable Click to enable Syslog Server. IP Address Enter the IP address for the Syslog Server. Note The Trap Destination Address eld supports both IPv4 and IPv6 addresses. raft the controller to participate in dynamic route selection. OSPF is a protocol designed for medium and large IP networks with the ability to segment routes into different areas by routing information summarization and propagation. Do the following:

Area ID Type the desired area. Area 0.0.0.0 is the main area in OSPF. controller, if applicable. Syslog is a protocol used for the transmission of event notication messages across networks. In the IP Address eld, type the IP address of the syslog server. 4 In the OSPF section, select the Enable check box to enable OSPF, if applicable. Use OSPF to allow 5 In the Syslog Server section, select the Enable check box to enable the syslog protocol for the Note The Syslog Server IP Address eld supports both IPv4 and IPv6 addresses. 6 Click Next. The Services screen displays. ExtremeWireless V10.41.06 User Guide 42 Conguring the ExtremeWireless Appliance Basic Installation Wizard - Services Screen aft In the RADIUS section, select the Enable check box to enable RADIUS login authentication, if applicable. RADIUS login authentication uses a RADIUS server to authenticate user login attempts. RADIUS is a client/server authentication and authorization access protocol used by a network access server

(NAS) to authenticate users attempting to connect to a network device. 1 Do the following:

Server Alias Type a name that you want to assign to the RADIUS server. You can type a name or IP address of the server. IP Address Type the RADIUS server's hostname or IP address. Shared Secret Type the password that will be used to validate the connection between the controller and the RADIUS server. ExtremeWireless V10.41.06 User Guide 443 Conguring the ExtremeWireless Appliance 2 In the Mobility section, select the Enable check box to enable the controller mobility feature, if applicable. Mobility allows a wireless device user to roam seamlessly between different APs on the same or different controllers. A dialog informs you that NTP is required for the mobility feature and prompts you to conrm you want to enable mobility. NNote If the ExtremeWireless Appliance is congured as a mobility agent, it will act as an NTP client and use the mobility manager as the NTP server. If the appliance is congured as a mobility manager, its local NTP will be enabled for the mobility domain. 3 Click OK to continue, and then do the following:

Role Select the role for the controller, Manager or Agent. One controller on the network is designated as the mobility manager and all other controllers are designated as mobility agents. Port Click the interface on the controller to be used for communication between mobility manager and mobility agent. Ensure that the selected interface is routable on the network. For more information, see Conguring Mobility on page 555. D the mobility agent. Manager IP Type the IP address of the mobility manager port if the controller is congured as 4 In the Default VNS section, select the Enable check box to enable a default VNS for the controller. Note Refer to Virtual Network Services on page 22 for more information about the default VNS. raft The default VNS parameters display. The Success screen displays. 5 Click Finish. Basic Installation Wizard - Success Screen ExtremeWireless V10.41.06 User Guide 44 Conguring the ExtremeWireless Appliance 1 We recommend that you change the factory default administrator password. aft 2 To change the administrator password:

a Type a new administrator password in the New Password. b Conrm the new password in the Conrm Password eld. c Click Save. Your new password is saved. 3 Click OK, and then click Close. NNote The ExtremeWireless Appliance reboots after you click Save if the time zone is changed during the Basic Install Wizard. If the IP address of the management port is changed during the conguration with the Basic Install Wizard, the ExtremeWireless Assistant session is terminated and you will need to log back in with the new IP address. The WWireless Assistant home screen displays. Conguring the ExtremeWireless Appliance for the First Time After the ExtremeWireless Appliance is deployed, perform the following conguration tasks:

ExtremeWireless V10.41.06 User Guide 45 Conguring the ExtremeWireless Appliance Changing the Administrator Password on page 46 Applying Product License Keys on page 47 Setting Up the Data Ports on page 51 Setting Up Internal VLAN ID and Multicast Support on page 58 Setting Up Static Routes on page 59 Setting Up OSPF Routing on page 61 Conguring Filtering at the Interface Level on page 65 Protecting Controller Interfaces and the Internal Captive Portal Page on page 69 Conguring the Login Authentication Mode on page 75 Conguring SNMP on page 85 Conguring Network Time on page 89 Conguring DNS Servers for Resolving Host Names of NTP and RADIUS Servers on page 94 The basic installation wizard automatically congures aspects of the controller deployment. You can modify that conguration according to your network specications. D Changing the Administrator Password Extreme Networks recommends that you change your default administrator password once your system is deployed. The ExtremeWireless Appliance default password is abc123. When the controller is installed and you elect to change the default password, the new password must be a minimum of eight characters. The minimum eight character password length is not applied to existing passwords. For example, if a six character password is already being used and an upgrade of the software is performed, the software does not require the password to be changed to a minimum of eight characters. However, once the upgrade is completed and a new account is created, or the password of an existing account is changed, the new password length minimum will be enforced. raft 1 2 In the left pane, click Login Management. 3 In the Full Administrator table, click the administrator user name. 4 In the Password eld, type the new administrator password. 5 In the Conrm Password eld, type the new administrator password again. 6 Click Change Password. To Change the Administrator Password:

From the top menu, click Controller. NNote The ExtremeWireless Controller provides you with local login authentication mode, the RADIUS-based login authentication mode, and combinations of the two authentication modes. The local login authentication is enabled by default. For more information, see Conguring the Login Authentication Mode on page 75. ExtremeWireless V10.41.06 User Guide 46 Conguring the ExtremeWireless Appliance Applying Product License Keys The controllers license system works on simple software-based key strings. A key string consists of a series of numbers and/or letters. Using these key strings, you can license the software, and enhance the capacity of the controller to manage additional APs. The key strings can be classied into the following variants:

Activation Key Activates the software. This key is further classied into sub-variants:

Temporary Activation Key Activates the software for a trial period of 90 days. Permanent Activation Key Activates the software for an innite period. Cloud provider license. Subscription license. NNote You must obtain a specic activation key to run release v10.01 or later. Once installed, the number of available Radar licenses increments by 2. D Option Key Activates the optional feature:

Capacity Enhancement Key Format For AP:

Enhances the capacity of the controller to manage additional APs. You may have to add multiple capacity enhancement keys to reach the ExtremeWireless's limit. Depending on the appliance model, a capacity enhancement key adds the following APs:

C5110 Adds 25 wireless APs C5210 Adds 25 or 100 wireless APs C5215 Adds 25 or 100 wireless APs C4110 Adds 25 wireless APs C25 Adds 1 or 16 wireless APs C35 Adds 1 or 16 wireless APs V2110 Adds 1 or 16 wireless APs raft Note If you connect additional wireless APs to an ExtremeWireless controller that has a permanent activation key without installing a capacity enhancement key, a grace period of seven days will start. You must install the correct key during the grace period. If you do not install the key, the controller will start generating event logs every 15 minutes, indicating that the key is required. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters. Capacity Enhancement Key Format For Radar:

Enhances the capacity of the controller to manage Radar licenses for multiple APs. Radar capacity licenses are only required for In-Service Scan Proles (for more information, see Radar License Requirements on page 565). The capacity enhancement key includes a capacity increment which determines the number of APs supported as follows:

License format: RADCAP<nnn> (where <nnn> is the capacity increment):

RADCAP001 Adds 1 wireless AP RADCAP016 Adds 16 wireless APs ExtremeWireless V10.41.06 User Guide 47 Conguring the ExtremeWireless Appliance RADCAP025 Adds 25 wireless APs RADCAP100 Adds 100 wireless APs NNote Any AP assigned to an In-Service scan prole counts as 1 against the licensed Radar capacity. The controller can be in the following licensing modes:

Unlicensed When the controller is not licensed, it operates in demo mode. In demo mode, the controller allows you to operate as many APs as you want, subject to the maximum limit of the platform type. In demo mode, you can use only the b/g radio, with channels 6, 11, and auto. 11n support and Mobility are disabled in demo mode. Cloud Provider A Cloud Provider license is valid for a period of 5 years. License pooling is not Licensed with a temporary activation key A temporary activation key comes with a regulatory domain. With the temporary activation key, you can select a country from the domain and operate the APs on any channel permitted by the country. A temporary activation key allows you to use all software features. You can operate as many APs as you want, subject to the maximum limit of the platform type. D supported because the values are set at the platform limits. Cloud Provider licenses enable local APs with the system limit of the platform, while the radar licenses are set at twice the system limits. e.g. for V2110 medium, local AP licenses available are 250 and Local radar licenses available are 500. A temporary activation key is valid for 90 days. Once the 90 days are up, the temporary key expires. You must get a permanent activation key and install it on the controller. If you do not install a permanent activation key, the controller will start generating event logs every 15 minutes, indicating that an appropriate license is required for the current software version. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters. raft period. In addition, unlike the temporary activation key, the permanent activation key allows you to operate a stipulated number of the APs, depending upon the platform type. If you want to connect additional APs, you have to install a capacity enhancement key. You may even have to install multiple capacity enhancement keys to reach the controllers limit. pooling is not supported because the values are set at the platform limits. A Subscription license enables local APs with the system limit of the platform, while the radar licenses are set at twice the system limits. e.g. for V2110 medium, local AP licenses available are 250 and Local radar licenses available are 500. Subscription A subscription license can be generated for a period between 1 to 255 days. License Licensed with permanent activation key A permanent activation key is valid for an innite The Table 6 lists the platform type and the corresponding number of the APs allowed by the permanent activation key. Table 6: Platform Type / Wireless APs Allowed by Permanent Activation Key Platform Wireless APs permitted by permanent activation key Platforms optimum limit Number of capacity enhancement keys to reach the optimum limit C25 C35 16 50 50 125 4 to 34 (depending on the enhancement license type used) 15 to 75 (depending on the enhancement license type used) ExtremeWireless V10.41.06 User Guide 48 Conguring the ExtremeWireless Appliance Table 6: Platform Type / Wireless APs Allowed by Permanent Activation Key

(continued) PPlatform Wireless APs permitted by permanent activation key Platforms optimum limit Number of capacity enhancement keys to reach the optimum limit C4110 C5110 C5210 C5215 50 150 100 100 V2110 (Small) 8 250 525 1000 1000 50 8 15 9 to 36 (depending on the enhancement license type used) 9 to 36 (depending on the enhancement license type used) 17 to 42 (depending on the enhancement license type used) 12 to 242 (depending on the enhancement license type used) 8 V2110

(Medium) D 250 8 525 V2110 (Large) 37 to 517 (depending on the enhancement license type used) If the controller detects multiple license violations, such as capacity enhancement, a grace period counter starts from the moment the rst violation occurred. The controller generates event logs for every violation. To leave the grace period, clear all outstanding license violations. The controller can be in an unlicensed state for an innite period. However, if you install a temporary activation key, the unlicensed state is terminated. After the validity of a temporary activation key and the related grace period expire, the controller generates event logs every 15 minutes, indicating that an appropriate license is required for the current software version. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters. raft If the controller is paired with an availability partner, you can redistribute licenses when a Capacity Enhancement Key (AP or Radar) is installed. Both controllers must be running at least v9.01 and both members must have a permanent license key. Separate pools will be introduced for each type of license, and licenses installed on either member of an availability pair are shared across the pair automatically. License pooling is supported in fast failover and legacy availability setups. The limit of distribution is set by the license key; therefore if a controller has two keys of 25 APs each, then you will be allowed to transfer 25 or 50 APs to the former peer controller (for more information, see Availability on page 537). License Pooling License pooling is not supported for Cloud Provider and Subscription license types since the values are already set at the platform system limits. Installing the License Keys This section describes how to install the license key on the controller. It does not explain how to generate the license key. For information on how to generate the license key, see the ExtremeWireless License Certicate, which is sent to you via traditional mail. For more information on licensing, see Licensing Considerations on page 108. ExtremeWireless V10.41.06 User Guide 49 Conguring the ExtremeWireless Appliance You have to type the license keys on the Wireless Assistant GUI. To install the license keys:

From the top menu, click Controller. 1 2 In the left pane, click Administration > Software Maintenance. 3 Click the EWC Product Keys tab. The bottom pane displays the license summary. t Figure 8: Product Keys Tab 4 If you are installing a temporary or permanent activation license key, type the key in the Activation Key eld, and then click the Apply Activation Key button. 5 If you are installing a capacity enhancement, type the key in the Option Key eld, and then click the Apply Option Key button. ExtremeWireless V10.41.06 User Guide 550 Conguring the ExtremeWireless Appliance 6 To view installed keys, click View Installed Keys. The IInstalled Licensed Keys dialog displays. Figure 9: Installed License Keys raft Physical ports are represented by the L2 (Ethernet) Ports. The L2 port can be accessed from L2 Ports tabs under ExtremeWireless Controller Conguration. The L2 Ports cannot be removed from the system but their operational status can be changed. Refer to Viewing and Changing the L2 Ports Information on page 52. A new controller is shipped from the factory with all its data ports set up. Support of management traffic is disabled on all data ports. By default, data interface states are enabled. A disabled interface does not allow data to ow (receive/transmit). Setting Up the Data Ports Link Aggregation ports are represented by the L2 (peer-to-peer) LAG (Link Aggregation Group) Ports. The L2 port and Topology information can be accessed from L2 Ports and Topology tabs under ExtremeWireless Controller Conguration. The LAG L2 Ports cannot be removed from the system but their operational status can be changed. Refer to Viewing and Changing the L2 Ports Information on page 52. Note You can redene a data port to function as a Third-Party AP Port. Refer to Viewing and Changing the Physical Topologies on page 54 for more information. ExtremeWireless V10.41.06 User Guide 51 Conguring the ExtremeWireless Appliance Viewing and Changing the L2 Ports Information To view and change the l2 port information:

From the top menu, click Controller. 1 2 In the left pane, click Network > L2 Ports. The LL2 Ports tab is displayed. D 3 The L2 Ports tab presents the Physical (that is, Ethernet) and LAG (peer to peer) data ports that exist on the controller. These ports cannot be deleted and new ones cannot be created. LAG ports are statically congured by adding/removing physical ports from the LAG. Physical port belong to at most one LAG at one time. L2 port attached to a LAG port does not have any properties and could not be attached to any topology. The L2 ports attached to LAG ports can be enabled or disabled. Optional, if changes occur to the port physical parameters (speed, half or full duplex), a warning will be displayed to indicate that the L2 port does not meet LAG conditions. raft Considerations for attaching/detaching regular L2 ports to LAG ports:

Regular L2 port should not have any bridged and physical topologies associated with the port. Regular L2 port should not be disabled. L2 ports can be detached from LAG ports regardless of any topologies attached to the LAG port. If the L2 port is the last remaining in LAG, a warning will be issued. If last port of the LAG has After detaching the L2 port, it could be attached to any bridged or physical topology or points been detached, the LAG should be in operational DOWN state. via a routing table to the port any Routed topology. Jumbo Frames support is a feature that allows the conguration of physical Maximum Transmission Unit (MTU) sizes larger than the standard 1500 bytes on the AP and controller. When Jumbo Frames is enabled, the maximum MTU is 1800 bytes. ExtremeWireless V10.41.06 User Guide 52 Conguring the ExtremeWireless Appliance 4 Assigning any bridged or physical topology without specifying an L2 port is not supported. However, you can move any bridged and physical topology to either a physical or LAG L2 port. Physical:

C5110 Three data ports, displayed as esa0, esa1, and esa2. C5210 Four data ports, displayed as esa0, esa1, esa2, and esa3. C5215 Four data ports, displayed as esa0, esa1, esa2, and esa3. C4110 Four data ports, displayed as Port1, Port2, Port3, and Port4. C25 Two data ports, displayed as esa0 and esa1. C35 Four data ports, displayed as esa0, esa1, esa2, and esa3. V2110 Two data ports, displayed as esa0 and esa1. D Link Aggregation:

C5110 One data port, displayed as lag1 C5210 Two data ports, displayed as lag1 and lag2. C5215 Two data ports, displayed as lag1 and lag2. C4110 Two data ports, displayed as lag1 and lag2. C35 Two data ports, displayed as lag1 and lag2. C25 One data port, displayed as lag1. is the only congurable parameter. 5 An Admin port is created by default. This represents a physical port, separate from the other data ports, being used for management connectivity. For more information, see Conguring the Admin Port on page 263. Parameters displayed for the L2 Ports are:

Operational status, represented graphically with a green checkmark (UP) or red X (DOWN). This raft Port name, as described above. MAC address, as per Ethernet standard. Untagged VLAN, displays the associated untagged VLAN ID. This ID is unique among topologies. Tagged VLAN, displays the associated tagged VLAN ID. Attached Physical L2 Ports (Link Aggregation L2 Ports only) select the physical L2 ports Note Refer to Viewing and Changing the Physical Topologies on page 54 for more information about L2 port topologies. associated with the link aggregation L2 Ports. 6 If desired, change the operational status by clicking the Enable check box. You can change the operational state for each port. By default, data interface states are enabled. If they are not enabled, you can enable them individually. A disabled interface does not allow data to ow (receive/transmit). 7 If support of MTU sizes above 1500 bytes is required, click Enable Jumbo Frames support. This will extend the MTU size to 1800 bytes on the data link layer. Enabling Jumbo Frames support requires that port speed to be 1Gbps or higher on the controller and the APs which support Jumbo Frames. Jumbo Frames are not supported on 10 or 100 Mbps speeds. ExtremeWireless V10.41.06 User Guide 53 Conguring the ExtremeWireless Appliance Viewing and Changing the Physical Topologies To view and change the L2 Port topologies:

From the top menu, click Controller. 1 2 In the left pane, click Network > Topologies. An associated topology entry is created by default for each L2 Port with the same name. The TTopologies tab is displayed. ft ExtremeWireless V10.41.06 User Guide 54 Conguring the ExtremeWireless Appliance 3 To make changes, select a specic topology. The EEdit Topology dialog appears. D For the data ports predened in the system, Name and Mode are not congurable. 4 Optionally, congure one of the physical topologies for Third Party AP connectivity by clicking the 3rd Party AP Topology check box. You must congure a topology to which you will be connecting third-party APs by checking this box. Only one topology can be congured for third-party APs. raft Third-party APs must be deployed within a segregated network for which the controller becomes the single point of access (i.e., routing gateway). When you dene a third-party AP topology, the interface segregates the third-party AP from the remaining network. When you congure a controller port to be a member of a VLAN, you must ensure that the VLAN conguration (VLAN ID, tagged or untagged attribute, and Port ID) is matched with the correct conguration on the network switch. 5 To congure an interface for VLAN assignment, congure the VLAN Settings in the Layer 2 box. 6 To replicate topology settings, click Synchronize in the Status eld. 7 If the desired IP conguration is different from the one displayed, change the Interface IP and Mask accordingly in the Layer 3 box. For this type of data interface, the Layer 3 check box is selected automatically. This allows for IP Interface and subnet conguration together with other networking services. ExtremeWireless V10.41.06 User Guide 55 Conguring the ExtremeWireless Appliance 8 The MTU value species the Maximum Transmission Unit or maximum packet size for this topology. The xed value is 1500 bytes for physical topologies. If you are using OSPF, be sure that the MTU of all the interfaces in the OSPF link match. Note If the routed connection to an AP traverses a link that imposes a lower MTU than the default 1500 bytes, the controller and AP participate in automatic MTU discovery and adjust their settings accordingly. At the controller, MTU adjustments are tracked on a per AP basis. If the ExtremeWireless software cannot discover the MTU size, it enforces the static MTU size. 9 To enable AP registration through this interface, select the AP Registration check box. 11 To enable the local DHCP Server on the controller, in the DHCPeld, select Local Server. Then, click on the Congure button to open the DDHCP conguration pop-up window. Wireless APs use this port for discovery and registration. Other controllers can use this port to enable inter-controller device mobility if this port is congured to use SLP or the controller is running as a manager and SLP is the discovery protocol used by the agents. D provides access to SNMP (v1/v2c, v3), SSH, and HTTPs management interfaces.DDNote 10 To enable management traffic, select the Management Traffic check box. Enabling management This option does not override the built-in protection lters on the port. The built-in protection lters for the port, which are restrictive in the types of packets that are allowed to reach the management plane, are extended with a set of denitions that allow for access to system management services through that interface (SSH, SNMP, HTTPS:5825). raft Note The local DHCP Server is useful as a general-purpose DHCP Server for small subnets. ExtremeWireless V10.41.06 User Guide 56 Conguring the ExtremeWireless Appliance a In the Domain Name eld, type the name of the domain that you want the APs to use for DNS Servers discovery. b In the Lease (seconds) default eld, type the time period for which the IP address will be allocated to the APs (or any other device requesting it). c In the Lease (seconds) max eld, type the maximum time period in seconds for which the IP address will be allocated to the APs. d In the DNS Servers eld, type the DNS Servers IP address if you have a DNS Server. e In the WINS eld, type the WINS Servers IP address if you have a WINS Server. NNote You can type multiple entries in the DNS Servers and WINS elds. Each entry must be separate by a comma. These two elds are not mandatory to enable the local DHCP feature. f D In the Gateway eld, type the IP address of the default gateway.DDDNote g Congure the address range from which the local DHCP Server will allocate IP addresses to the h Click the Exclusion(s) button to exclude IP addresses from allocation by the DHCP Server. The APs. In the Address Range: from eld, type the starting IP address of the IP address range. In the Address Range: to eld, type the ending IP address of the IP address range. Since the controller is not allowed to be the gateway for the segment, including APs, you cannot use the Interface IP address as the gateway address for physical and Bridged at Controller topology. For Routed topology, the controller IP address must be the gateway. raft The controller automatically adds the IP addresses of the Interfaces (Ports), and the default gateway to the exclusion list. You cannot remove these IP addresses from the exclusion list. DHCP Address Exclusion window opens. ExtremeWireless V10.41.06 User Guide 57 Conguring the ExtremeWireless Appliance D want to exclude from the DHCP allocation. Select Range. In the From eld, type the starting IP address of the IP address range that you In the To eld, type the ending IP address of the IP address range that you want to exclude from raft In the Comment eld, type any relevant comment. For example, you can type the reason for which a certain IP address is excluded from the DHCP allocation. Click Add. The excluded IP addresses are displayed in the IP Address(es) to exclude from DHCP To exclude a single address, select the Single Address radio button and type the IP address in the To delete a IP Address from the exclusion list, select it in the IP Address(es) to exclude from DHCP Range eld, and then click Delete. To save your changes, click OK. the DHCP allocation. adjacent eld. Address Range eld. NNote The Broadcast (Bcast) Address eld is view only. This eld is computed from the mask and the IP addresses. Setting Up Internal VLAN ID and Multicast Support You can congure the Internal VLAN ID, and enable multicast support. The internal VLAN used only internally and is not visible on the external traffic. The physical topology used for multicast is represented by a physical topology to/from which the multicast traffic is forwarded in conjunction with ExtremeWireless V10.41.06 User Guide 58 Conguring the ExtremeWireless Appliance the virtual routed topologies (and VNSs) congured on the controller. Please note that no multicast routing is available at this time. To congure the Internal VLAN ID and enable multicast support:

From the top menu, click Controller. 1 2 In the left pane, click Network > Topologies. The TTopologies tab is displayed. ft 3 In the Internal VLAN ID eld, type the internal VLAN ID. 4 From the Multicast Support drop-down list, select the desired physical topology. 5 To save your changes, click Save. Setting Up Static Routes When setting up a controller routing protocol, you must dene a default route to your enterprise network, either with a static route or by using the OSPF protocol. A default route enables the controller to forward packets to destinations that do not match a more specic route denition. To Set a Static Route on the controller:

ExtremeWireless V10.41.06 User Guide 59 Conguring the ExtremeWireless Appliance 1 From the top menu, click Controller. The WWireless Controller Conguration screen displays. 2 In the left pane, click Network > Routing Protocols. The SStatic Routes tab is displayed. raft To dene a default static route for any unknown address not in the routing table, type 0.0.0.0. In the Subnet Mask eld, type the appropriate subnet mask to separate the network portion from the host portion of the IP address (typically 255.255.255.0). To dene the default static route for any unknown address, type 0.0.0.0. subnet as the controller to which to forward these packets. This is the IP address of the next hop between the controller and the packets ultimate destination. In the Gateway eld, type the IP address of the adjacent router port or gateway on the same In the Destination Address eld, type the IP address of the destination controller. 3 To add a new route, click New, and in the EEdit route dialog, enter the following information:

Select the Override dynamic routes check box to give priority over the OSPF learned routes, including the default route, which the controller uses for routing. This option is enabled by default. To remove this priority for static routes, so that routing is controlled dynamically at all times, clear the Override dynamic routes check box. Note If you enable dynamic routing (OSPF), the dynamic routes will normally have priority for outgoing routing. For internal routing on the controller, the static routes normally have priority. ExtremeWireless V10.41.06 User Guide 60 Conguring the ExtremeWireless Appliance 4 To save your changes, click Save. Viewing the Forwarding Table You can view the dened routes, whether static or OSPF, and their current status in the forwarding table. To view the forwarding table on the controller:

1 From the Routing Protocols Static Routes tab, click View Forwarding Table. The Forwarding Table is displayed. 2 Alternatively, from the top menu, click Reports. The AAvailable AP Reports screen displays. 3 In the left pane, click Routing Protocols, then click Forwarding Table. The FForwarding Table is displayed. D raft This report displays all dened routes, whether static or OSPF, and their current status. 4 To update the display, click Refresh. Setting Up OSPF Routing Open Shortest Path First (OSPF) is a robust link-state routing protocol. OSPF forms adjacencies with neighbors and shares information via the Designated Router (DR) and Backup DR using link state advertisements. Areas in OSPF are used to limit LSAs and summarize routes. Everyone connects to area zero, the backbone. Related Links Enabling OSPF Routing on page 62 Setting OSPF Routing Settings on page 62 ExtremeWireless V10.41.06 User Guide 61 Conguring the ExtremeWireless Appliance Conrming OSPF Ports on page 65 Enabling OSPF Routing To enable OSPF (OSPF RFC2328) routing, you must:

1 Specify at least one topology on which OSPF is enabled on the Port Settings option of the OSPF tab. This is the interface on which you can establish OSPF adjacency. 2 Enable OSPF globally on the controller. 3 Dene the global OSPF parameters. 4 Ensure that the OSPF parameters dened here for the controller are consistent with the adjacent Related Links routers in the OSPF area. This consistency includes the following:

If the peer router has different timer settings, the protocol timer settings in the controller must The MTU of the ports on either end of an OSPF link must match. The MTU for ports on the be changed to match to achieve OSPF adjacency. D controller is xed at 1500. This matches the default MTU in standard routers. The maximum MTU can be increased to 1800 bytes by enabling Jumbo Frames support (for more information, see Setting Up the Data Ports on page 51). It is important to ensure that the MTU of the ports on either end of an OSPF link match. If there is a mismatch in the MTU, then the OSPF adjacency between the controller and the neighboring router might not get established. raft From the top menu, click Controller. 1 2 In the left pane, click Network > Routing Protocols. The SStatic Routes tab is displayed by default. Setting Up OSPF Routing on page 61 Setting OSPF Routing Settings on page 62 Conrming OSPF Ports on page 65 To set OSPF routing global settings on the controller:

Setting OSPF Routing Settings ExtremeWireless V10.41.06 User Guide 62 Conguring the ExtremeWireless Appliance 3 Click the OOSPF tab. 4 From the OSPF Status drop-down list, click On to enable OSPF. raft Default The default acts as the backbone area (also known as area zero). It forms the core of an OSPF network. All other areas are connected to it, and inter-area routing happens via a router connected to the backbone area. Stub The stub area does not receive external routes. External routes are dened as routes which were distributed in OSPF via another routing protocol. Therefore, stub areas typically rely on a default route to send traffic routes outside the present domain. In the Router ID eld, type the IP address of the controller. This ID must be unique across the OSPF area. If left blank, the OSPF daemon automatically picks a router ID from one of the controllers interface IP addresses. 5 In the Area ID eld, type the area. 0.0.0.0 is the main area in OSPF. 6 In the Area Type drop-down list, click one of the following:

Not-so-stubby The not-so-stubby area is a type of stub area that can import autonomous system (AS) external routes and send them to the default/backbone area, but cannot receive AS external routes from the backbone or other areas. 7 To save your changes, click Save. ExtremeWireless V10.41.06 User Guide 63 Conguring the ExtremeWireless Appliance 8 To add a new OSPF interface, click New or select a port to congure by clicking on the desired port in the Port Settings table. The EEdit Port dialog displays. 9 In the Link Cost eld, type the OSPF standard value for your network for this port. This is the cost of sending a data packet on the interface. The lower the cost, the more likely the interface is to be used D to forward data traffic.DNote 11 10 In the Authentication drop-down list, click the authentication type for OSPF on your network: None or Password. The default setting is None. If Password is selected as the authentication type, in the Password eld, type the password. If None is selected as the Authentication type, leave this eld empty. This password must match on either end of the OSPF connection. If more than one port is enabled for OSPF, it is important to prevent the controller from serving as a router for other network traffic (other than the traffic from wireless device users on routed topologies controlled by the controller). For more information, see Policy Rules on page 288. raft Retransmit-Interval Species the time in seconds (displays OSPF default). The default setting Dead-Interval Species the time in seconds (displays OSPF default). The default setting is 40 Hello-Interval Species the time in seconds (displays OSPF default).The default setting is 10 Transmit Delay Species the time in seconds (displays OSPF default). The default setting is 1 12 Type the following:

is 5 seconds. seconds. seconds. second. 13 To save your changes, click Save. Related Links Setting Up OSPF Routing on page 61 Enabling OSPF Routing on page 62 Conrming OSPF Ports on page 65 ExtremeWireless V10.41.06 User Guide 64 Conguring the ExtremeWireless Appliance Conrming OSPF Ports To conrm that the ports are set up for OSPF, and that advertised routes from the upstream router are recognized:

1 Click View Forwarding Table. The FForwarding Table is displayed. The following additional reports display OSPF information when the protocol is in operation:

OSPF Neighbor Displays the current neighbors for OSPF (routers that have interfaces to a common network) OSPF Linkstate Displays the Link State Advertisements (LSAs) received by the currently running OSPF process. The LSAs describe the local state of a router or network, including the state of the routers interfaces and adjacencies. 2 To update the display, click Refresh. Related Links Conguring Filtering at the Interface Level Setting Up OSPF Routing on page 61 Enabling OSPF Routing on page 62 D Setting OSPF Routing Settings on page 62 The ExtremeWireless solution has a number of built-in lters that protect the system from unauthorized traffic. These lters are specic only to the controller. These lters are applied at the network interface level and are automatically invoked. By default, these lters provide stringent-level rules to allow only access to the system's externally visible services. In addition to these built-in lters, the administrator can dene specic exception lters at the interface-level to customize network access. These lters depend on Topology Modes and the conguration of an L3 interface for the topology. raft On the controller, various interface-based exception lters are built in and invoked automatically. These lters protect the controller from unauthorized access to system management functions and services via the interfaces. Access to system management functions is granted if the administrator selects the allow management traffic option in a specic topology. For Bridged at Controller topologies, exception lters are dened only if L3 (IP) interfaces are specied. For Physical, Routed, and 3rd Party AP topologies, exception ltering is always congured since they all have an L3 interface presence. Built-in Interface-based Exception Filters Allow management traffic is possible on the topologies that have L3 IP interface denitions. For example, if management traffic is allowed on a physical topology (esa0), only users connected through ESA0 will be able to get access to the system. Users connecting on any other topology, such as Routed or Bridged Locally at Controller, will no longer be able to target ESA0 to gain management access to the system. To allow access for users connected on such a topology, the given topology conguration itself must have allow management traffic enabled and users will only be able to target the topology interface specically. On the controllers L3 interfaces (associated with either physical, Routed, or Bridged Locally at Controller topologies), the built-in exception lter prohibits invoking SSH, HTTPS, or SNMP. However, such traffic is allowed, by default, on the management port. ExtremeWireless V10.41.06 User Guide 65 Conguring the ExtremeWireless Appliance If management traffic is explicitly enabled for any interface, access is implicitly extended to that interface through any of the other interfaces (VNS). Only traffic specically allowed by the interfaces exception lter is allowed to reach the controller itself. All other traffic is dropped. Exception lters are dynamically congured and regenerated whenever the system's interface topology changes (for example, a change of IP address for any interface). Enabling management traffic on an interface adds additional rules to the exception lter, which opens up the well-known IP(TCP/UDP) ports, corresponding to the HTTPS, SSH, and SNMP applications. The interface-based built-in exception policy rules, in the case of traffic from wireless users, are applicable to traffic targeted directly for the topology L3 interface. For example, a lter specied by a Role may be generic enough to allow traffic access to the controller's management (for example, Allow All [*.*.*.*]). Exception policy rules are evaluated after the user's assigned lter role, as such, it is possible that the role allows the access to management functions that the exception lter denies. These packets are dropped. To enable SSH, HTTPS, or SNMP access through a physical data interface:

D 1 2 In the left pane, click Network > Topologies. The TTopologies tab is displayed. From the top menu, click Controller. 3 On the Topologies tab, click the appropriate data port topology. The EEdit Topology window displays. ExtremeWireless V10.41.06 User Guide 66 Conguring the ExtremeWireless Appliance 4 Select the Management Traffic check box if the topology has specied an L3 IP interface presence. 5 To save your changes, click Save. Working with Administrator-dened Interface-based Exception Filters You can add specic policy rules at the interface level in addition to the built-in rules. Such rules give you the capability of restricting access to a port, for specic reasons, such as a Denial of Service (DoS) attack. The policy rules are set up in the same manner as policy rules dened for a Role specify an IP address, select a protocol if applicable, and then either allow or deny traffic to that address. For more information, see Policy Rules on page 288. The rules dened for port exception lters are prepended to the normal set of restrictive exception lters and have precedence over the system's normal protection enforcement (that is, they are evaluated rst). D To dene interface exception lters:

From the top menu, click Controller. 1 2 In the left pane, click Network > Topologies. The TTopologies screen displays. 3 Select a topology to be congured. The EEdit Topology window is displayed. WWarning If dened improperly, user exception rules may seriously compromise the systems normal security enforcement rules. They may also disrupt the system's normal operation and even prevent system functionality altogether. It is advised to only augment the exception-ltering mechanism if absolutely necessary. raft ExtremeWireless V10.41.06 User Guide 67 Conguring the ExtremeWireless Appliance 4 If the topology has an L3 interface dened, an EException Filters tab is available. Select this tab. The Exception Filter rules are displayed. aft ExtremeWireless V10.41.06 User Guide 68 Conguring the ExtremeWireless Appliance 5 Add rules by either:

Click Add Predened , select a lter from the drop down list, and click Add. D Click Add, congure the following parameters, then click OK:

In the IP / subnet:port eld, type the destination IP address. You can also specify an IP range, a port designation, or a port range on that IP address. raft 6 The new lter is displayed in the upper section of the screen. 7 Click the new lter entry. 8 To allow traffic, select the Allow check box. 9 To adjust the order of the policy rules, click Up or Down to position the rule. The policy rules are In the Protocol drop-down list, click the protocol you want to specify for the lter. This list may include UDP, TCP, GRE, IPsec-ESP, IPsec-AH, ICMP (Internet Control Message Protocol). The default is N/A. 10 To save your changes, click Save. executed in the order dened here. Protecting Controller Interfaces and the Internal Captive Portal Page By default, the controller is shipped with a self-signed certicate used to perform the following tasks:

Protect all interfaces that provide administrative access to the controller Protect the internal Captive Portal page This certicate is associated with topologies that have a congured L3 (IP) interface. If you continue to use the default certicate to secure the controller and internal Captive Portal page, your web browser will likely produce security warnings regarding the security risks of trusting self-

ExtremeWireless V10.41.06 User Guide 69 Conguring the ExtremeWireless Appliance signed certicates. To avoid the certicate-related web browser security warnings, you can install customized certicates on the controller. NNote To avoid the certicate-related web browser security warnings when accessing the controller, you must also import the customized certicates into your web browser application. Before Installing a Certicate Before you create and install a certicate:

1 Select a certicate format to install. The controller supports several types of certicates, as shown in Table 7. Table 7: Supported Certicate and CA Formats Certicate Format D Description PKCS#12 PEM/DER PEM-formatted CA public certicate le If you choose to install this optional certicate, you must do so when The PKCS#12 certicate (.pfx) le contains both a certicate and the corresponding private key. The controller will accept the PKCS#12 le as long as the format of the private key and certicate are valid. The PEM/DER certicate (.crt) le requires a separate PEM/DER private key (.key) le. The controller uses OpenSSL PKCS12 command to convert the .crt and .key les into a single .pfx PKCS#12 certicate le. The controller will accept the PEM/DER le as long as the format of the private key and certicate are valid. raft Note When generating the PKCS#12 certicate le or PEM/DER certicate and key les, you must ensure that the interface identied in the certicate corresponds to the controllers interface for which the certicate is being installed. The controller generates an entry in the events information log as the certicate expiry date approaches, based on the following schedule: 15, 8, 4, 2, and 1 day prior to expiration. The log messages cease when the certicate expires. For more information, refer to the Extreme Networks ExtremeWireless Maintenance Guide. specifying the PCKCS#12 or PEM/DER certicates. 2 Understand how the controller monitors the expiration date of installed certicates. 3 Understand how the controller manages certicates during upgrades and migrations. Installed certicates will be backed up and restored with the controller conguration data. Installed certicates will also be migrated during an upgrade and during a migration. Installing a Certicate for a Controller Interface To install a certicate for a Controller Data Interface:

From the top menu, click Controller. 1 2 In the left pane, click Network > Topologies. The TTopologies tab is displayed. ExtremeWireless V10.41.06 User Guide 70 Conguring the ExtremeWireless Appliance 3 Click the CCerticates tab. Topologies with an L3 interface will be listed. 4 In the Interface Certicates table, click to select the topology for which you want to install a certicate. The CConguration for Topologies section displays. Note There are separate certicates if IPv4 and IPv6 is congured for Admin topology. The Conguration for Topologies section and the Generate Signing Request button become available. Use the eld and button descriptions in Table 8 to create and install certicates. Note The certicate Common Name (CN) must match the interface IP or DNS addresses (Admin only). D Table 8: Topologies Page: Certicates Tab Fields and Buttons Field/Button Description Interface Certicates Topology Expiry Date Topology name Date when the certicate expires ExtremeWireless V10.41.06 User Guide 71 Conguring the ExtremeWireless Appliance Table 8: Topologies Page: Certicates Tab Fields and Buttons (continued) FField/Button Description CA Cert. Name (CN) Identies whether or not a CA certicate has been installed on the topology. The IP address of DNS address associated with the topology that the certicate applies to. Note: The Name eld supports both IPv4 or IPv6 addresses. Org Unit (OU) Organization Conguration for Topology Name of the organizations unit. Name of the organization Replace/Install selected Topologys certicate D 1 To replace/install the existing ports certicate and key using this option, do the following:

From the click the Generate Signing Request button to create the certicate and key. certicate and a Certicate Authority (CA) le. select Replace/Install selected Topologies certicate. 7 Click Browse next to the Signed certicate to install eld. 8 Navigate to the certicate le you want to install for this port, 2 Download the CSR when prompted. 3 Use a 3rd party certicate service to sign the CSR and create a 4 Save the certicate on your computer. 5 Return to the Certicates tab on the ExtremeWireless UI. 6 Select the topology for which you created the certicate and raft this port, and then click Open. The certicate le name is displayed in the Optional:Enter PEM-encoded CA public certicates le eld. Note: If you choose to install a CA public certicate, you must install it when you install the PEM/DER certicate and key. and then click Open. The certicate le name is displayed in the Certicate le to install eld. encoded CA public certicates le eld. The Choose le dialog is displayed. 10 (Optional) Navigate to the certicate le you want to install for 9 (Optional) Click Browse next to the Optional:Enter PEM-

ExtremeWireless V10.41.06 User Guide 72 Conguring the ExtremeWireless Appliance Table 8: Topologies Page: Certicates Tab Fields and Buttons (continued) FField/Button Description Replace/Install selected Topologys certicate and key from a single le To replace the existing ports certicate and key using this option, do the following:

1 Click Browse next to the PKCS #12 le to install eld. The Choose le dialog is displayed. 2 Navigate to the certicate le you want to install for this port, and then click Open. The certicate le name is displayed in the PKCS #12 le to install eld. In the Private key password box, type the password for the key le. The key le is password protected. 3 4 (Optional) Click Browse next to the Optional:Enter PEM-

D 5 encoded CA public certicates le eld. The CChoose le dialog is displayed.

(Optional) Navigate to the certicate le you want to install for this port, and then click Open. The certicate le name is displayed in the Optional:Enter PEM-encoded CA public certicates le eld. 1 2 Navigate to the certicate le you want to install for this port, Click Browse next to the PKCS #12 le to install eld. The Choose le dialog is displayed. and then click Open. The certicate le name is displayed in the PKCS #12 le to install eld. To replace the existing ports certicate and key using this option, do the following:

Note: If you choose to install a CA public certicate, you must install it when you install the PEM/DER certicate and key. raft 4 Navigate to the key le you want to install for this port, and then click Open. The key le name is displayed in the Private key le to install eld. In the Private key password box, type the password for the key le. The key le is password protected. encoded CA public certicates le eld. The CChoose le dialog is displayed.

(Optional) Navigate to the certicate le you want to install for this port, and then click Open. The certicate le name is displayed in the Optional:Enter PEM-encoded CA public certicates le eld. 3 Click Browse next to the Private key le to install eld. The 6 (Optional) Click Browse next to the Optional:Enter PEM-

Choose le dialog is displayed. 5 7 Replace/Install selected Topologys certicate and key from separate les Note: If you choose to install a CA public certicate, you must install it when you install the PEM/DER certicate and key. Reset selected Topology to the factory default certicate and key Remove custom certicate that user installed. No change No change. ExtremeWireless V10.41.06 User Guide 73 Conguring the ExtremeWireless Appliance Table 8: Topologies Page: Certicates Tab Fields and Buttons (continued) FField/Button Description Generate Signing Request To generate a CSR for the controller, click Generate Signing Request. The GGenerate Certicate Signing Request window displays (Figure 10). Save Click to save the changes to this Topology. Note To avoid the certicate-related web browser security warnings when accessing the Wireless Assistant, you must also import the customized certicates into your web browser application. D raft The two-letter ISO abbreviation of the name of the country The name of the State/Province The name of the city. Figure 10: Generate Certicate Signing Request Window Table 9: Generate Certicate Signing Request Page - Fields and Buttons Field/Button Description Country name State or Province name Locality name (city) Organization name The name of the organization Organizational Unit name The name of the unit within the organization. Common Name Set the common name to be one of the following:

the IP address of the interface that the CSR applies to. a DNS address associated with the IP address of the interface that the CSR applies to. ExtremeWireless V10.41.06 User Guide 74 Conguring the ExtremeWireless Appliance Table 9: Generate Certicate Signing Request Page - Fields and Buttons

(continued) FField/Button Description Email address The email address of the organization Generate Signing Request Click to generate a signing request. A certicate request le is generated (.csr le extension). The name of the le is the IP address of the topology you created the CSR for. The FFile Download dialog is displayed. Conguring the Login Authentication Mode Conguring the Local Login Authentication Mode and Adding New Users on page 75. You can congure the following login authentication modes to authenticate administrator login attempts:

Local authentication The controller uses locally congured login credentials and passwords. See D RADIUS server. See Conguring the RADIUS Login Authentication Mode on page 78. RADIUS authentication The controller uses login credentials and passwords congured on a Local authentication rst, then RADIUS authentication The controller rst uses locally congured login credentials and passwords. If this login fails, the controller attempts to validate login credentials and passwords congured on a RADIUS server. See Conguring the Local, RADIUS Login Authentication Mode on page 82. RADIUS authentication rst, then local authentication The controller rst uses login credentials and passwords congured on a RADIUS server. If this login fails, the controller attempts to validate login credentials and passwords congured locally. See Conguring the RADIUS, Local Login Authentication Mode on page 84. raft Note The ExtremeWireless Appliance enables you to recover the controller via the Rescue mode if you have lost its login password. For more information, see the ExtremeWireless Maintenance Guide. Local login authentication mode is enabled by default. If the login authentication was previously set to another authentication mode, you can change it to the local authentication. You can also add new users and assign them to a login group as full administrators, read-only administrators, or as a GuestPortal managers. For more information, see Dening Wireless Assistant Administrators and Login Groups on page 673. Conguring the Local Login Authentication Mode and Adding New Users To congure the local login authentication mode:

1 From the top menu, click Controller. ExtremeWireless V10.41.06 User Guide 75 Conguring the ExtremeWireless Appliance 2 In the left pane, click Administration > Login Management. The LLogin Management screen displays. aft 3 In the Authentication mode section, click Congure. The LLogin Authentication Mode Conguration window is displayed. ExtremeWireless V10.41.06 User Guide 76 Conguring the ExtremeWireless Appliance 4 Select the Local check box. If the RADIUS check box is selected, deselect it. 5 Click OK. 6 In the Add User section, select one of the following from the Group drop-down list:

Full Administrator Grants the administrators access rights to the administrator. Read-only Administrator Grants read-only access right to the administrator. GuestPortal Manager Grants the user GuestPortal manager rights. 7 In the User ID box, type the users ID. 8 In the Password box, type the users password. NNote UNICODE characters are not supported in passwords for local and remote RADIUS/

TACACS+ authentication. All passwords must be 8 to 24 characters long. D 9 In the Conrm Password box, re-type the password. 10 To add the user, click Add User. The new user is added. 11 Click Save. The AAdministrator Password Conrmation window is displayed. raft Yes, but I want to change administrators password rst Change authentication mode to local and change the administrator password currently dened on the controller. No Do not change the authentication mode to local. Yes Change authentication mode to local. Use the administrator password currently dened on the controller. 12 Select the appropriate option. 13 Click Submit. 14 If you chose Yes, but I want to change administrators password rst, you are prompted to change the administrators password. ExtremeWireless V10.41.06 User Guide 77 Conguring the ExtremeWireless Appliance Conguring the RADIUS Login Authentication Mode The local login authentication mode is enabled by default. You can change the local login authentication mode to RADIUS-based authentication. NNote Before you change the default local login authentication to RADIUS-based authentication, you must congure the RADIUS Server on the GGlobal Settings screen. For more information, see VNS Global Settings on page 392. RADIUS is a client/server authentication and authorization access protocol used by a network access server (NAS) to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers. The NAS permits or denies network access to a user based on the response it receives from one or more RADIUS servers. RADIUS uses User Datagram Protocol (UDP) for sending the packets between the RADIUS client and server. D You can congure a RADIUS key on the client and server. If you congure a key on the client, it must be the same as the one congured on the RADIUS servers. The RADIUS clients and servers use the key to encrypt all RADIUS packets transmitted. If you do not congure a RADIUS key, packets are not encrypted. The key itself is never transmitted over the network. Note Before you congure the system to use RADIUS-based login authentication, you must congure the Service-Type RADIUS attribute on the RADIUS server. EWC uses the standard RADIUS attribute Service-Type to put the user into the appropriate groups:

Administrator Service-Type = 6 Read-Only Service-Type = 7 GuestPortal Manager Service-Type = 8 raft From the top menu, click Controller. 1 2 In the left pane, click Administration > Login Management. The LLogin Management screen displays. To congure the RADIUS login authentication mode:

ExtremeWireless V10.41.06 User Guide 78 Conguring the ExtremeWireless Appliance 3 Click the RADIUS Authentication tab. aft 4 In the Authentication mode section, click Congure. The LLogin Authentication Mode Conguration window is displayed. ExtremeWireless V10.41.06 User Guide 79 Conguring the ExtremeWireless Appliance 5 Deselect Local and select the RADIUS check box. D NNote The RADIUS Servers displayed in the list located against the Use button are dened on Global Settings screen. For more information, see VNS Global Settings on page 392. 6 Click OK. 7 From the drop-down list, located next to the Use button, select the RADIUS Server that you want to use for the RADIUS login authentication, and then click Use. The RADIUS Servers name is displayed in the Congured Servers box, and in the Auth section, and the following default values of the RADIUS Server are displayed. raft The following values can be edited:

NAS IP address The IP address of Network Access Server (NAS). NAS Identier The Network Access Server (NAS) identier. The NAS identier is a RADIUS attribute that identies the server responsible for passing information to designated RADIUS servers, and then acting on the response returned. Auth Type The authentication protocol type (PAP, CHAP, MS-CHAP, or MS-CHAP2). Set as Primary Server Species the primary RADIUS server when there are multiple RADIUS Note You can add up to three RADIUS servers to the list of login authentication servers. When you add two or more RADIUS servers to the list, you must designate one of them as the Primary server. The controller rst attempts to connect to the Primary server. If the Primary Server is not available, it tries to connect to the second and third server according to their order in the Congured Servers box. You can change the order of RADIUS servers in the Congured Servers box by clicking on the Up and Down buttons. 8 To add additional RADIUS servers, repeat step 7. servers. ExtremeWireless V10.41.06 User Guide 80 Conguring the ExtremeWireless Appliance 9 Click Test to test connectivity to the RADIUS server. NNote You can also test the connectivity to the RADIUS server after you save the conguration. If you do not test the RADIUS server connectivity, and you have made an error in conguring the RADIUS-based login authentication mode, you will be locked out of the controller when you switch the login mode to the RADIUS login authentication mode. If you are locked out, access Rescue mode via the console port to reset the authentication method to local. The following window is displayed. D 10 In the User ID and the Password elds, type the users ID and the password, which were congured on the RADIUS Server, and then click Test. The RADIUS connectivity result is displayed. raft Note To learn how to congure the User ID and the Password on the RADIUS server, refer to your RADIUS servers user guide. If the test is not successful, the following message will be displayed:

ExtremeWireless V10.41.06 User Guide 81 Conguring the ExtremeWireless Appliance 11 D If the RADIUS connectivity test displays Successful result, click Save on the RRADIUS Authentication screen to save your conguration. The following window is displayed:

raft 12 If you tested the RADIUS server connectivity earlier in this procedure, click No. If you click Yes, you will be asked to enter the RADIUS server user ID and password. 13 To change the authentication mode to RADIUS authentication, click OK. You will be logged out of the controller immediately. You must use the RADIUS login user name and password to log on the controller. To cancel the authentication mode changes, click Cancel. Conguring the Local, RADIUS Login Authentication Mode To congure the Local, RADIUS login authentication mode:

1 From the top menu, click Controller. ExtremeWireless V10.41.06 User Guide 82 Conguring the ExtremeWireless Appliance 2 In the left pane, click Administration > Login Management. The LLogin Management screen displays. aft 3 In the Authentication mode section, click Congure. 4 Select the Local and RADIUS check box. ExtremeWireless V10.41.06 User Guide 83 Conguring the ExtremeWireless Appliance 5 If necessary, select Local and use the Move Up button to move Local to the top of the list. 6 Click OK. 7 On the LLogin Management screen, click Save. For information on setting local login authentication settings, see Conguring the Local Login Authentication Mode and Adding New Users on page 75. For information on setting RADIUS login authentication settings, see Conguring the RADIUS Login Authentication Mode on page 78. Conguring the RADIUS, Local Login Authentication Mode To congure the RADIUS, Local login authentication mode:

From the top menu, click Controller. 1 2 In the left pane, click Administration > Login Management. The LLogin Management screen displays. D 3 In the Authentication mode section, click Congure. The LLogin Authentication Mode Conguration window is displayed. 4 Select the Local and RADIUS check box. ExtremeWireless V10.41.06 User Guide 84 Conguring the ExtremeWireless Appliance 5 If necessary, select the RADIUS eld and use the Move Up button to move RADIUS to the top of the list. D 6 Click OK. 7 On the LLogin Management screen, click Save. For information on setting local login authentication settings, see Conguring the Local Login Authentication Mode and Adding New Users on page 75. For information on setting RADIUS login authentication settings, see Conguring the RADIUS Login Authentication Mode on page 78. raft The controller supports the SNMP for retrieving statistics and conguration information. If you enable SNMP on the controller, you can choose either SNMPv3 or SNMPv1/v2 mode. If you congure the controller to use SNMPv3, then any request other than SNMPv3 request is rejected. The same is true if you congure the controller to use SNMPv1/v2. 1 From the top menu, click Controller. The WWireless Controller Conguration screen displays. To congure SNMP:

Conguring SNMP ExtremeWireless V10.41.06 User Guide 85 Conguring the ExtremeWireless Appliance 2 In the left pane, click Network > SNMP. The SSNMP screen displays. raft Mode Select SNMPv1/v2c or SNMPv3 to enable SNMP. Contact Name The name of the SNMP administrator. Location The physical location of the controller running the SNMP agent. SNMP Port The destination port for the SNMP traps. Possible ports are 065555. Forward Traps The lowest severity level of SNMP trap that you want to forward. Publish AP as interface of controller Enable or disable SNMP publishing of the access point as an interface to the controller. 4 Select the tab for the SNMP version you are conguring. For more information, see:

3 In the SNMP Common Settings section, congure the following:

Conguring SNMPv1/v2c-specic Parameters on page 87 Conguring SNMPv3-specic Parameters on page 87 ExtremeWireless V10.41.06 User Guide 86 Conguring the ExtremeWireless Appliance Conguring SNMPv1/v2c-specic Parameters 1 Congure the following parameters on the SSNMPv1/v2c tab:

Read Community Name The password that is used for read-only SNMP communication. Read/Write Community Name The password that is used for write SNMP communication. Manager A The IP address of the server used as the primary network manager that will receive SNMP messages. Manager B The IP address of the server used as the secondary network manager that will receive SNMP messages. Note Manager A and Manager B address elds support both IPv4 or IPv6 addresses. must be from 5 to 32 characters long. 2 Click Save. Conguring SNMPv3-specic Parameters D 1 Congure the parameters following on the SSNMPv3 tab:

Context String A description of the SNMP context. Engine ID The SNMPv3 engine ID for the controller running the SNMP agent. The engine ID RFC3411 Compliant The engine ID will be formatted as dened by SnmpEngineID textual convention (that is, the engine ID will be prepended with SNMP agents' private enterprise number assigned by IANA as a formatted HEX text string). raft Auth Protocol If you have selected a security level of authPriv or authNoPriv, select the authentication protocol. Choices are: MD5 (Message-Digest algorithm 5), SHA, None. Auth Password If you have selected a security level of authPriv or authNoPriv, enter an User Enter the name of the user account. Security Level Select the security level for this user account. Choices are: authPriv, authNoPriv, Privacy Password If you have selected the security level of authPriv, enter a privacy password. Engine ID If desired, enter an engine ID. The ID can be between 5 and 32 bytes long, with no 2 Click Add User Account. The AAdd SNMPv3 User Account window displays. 3 Congure the following parameters:

Privacy Protocol If you have selected the security level of authPriv, select the privacy protocol. authentication password. Choices are: DES, None noAuthnoPriv. spaces, control characters, or tabs. Destination IP If desired, enter the IP address of a trap destination. Note The Destination IP address eld supports both IPv4 or IPv6 addresses. 4 Click OK. The AAdd SNMPv3 User Account window closes. 5 Repeat steps 2 through 4 to add additional users. ExtremeWireless V10.41.06 User Guide 87 Conguring the ExtremeWireless Appliance 6 In the Trap 1 and Trap 2 sections, congure the following parameters:

Destination IP The IP address of the machine monitoring SNMPv3 traps NNote The Destination IP address eld supports both IPv4 or IPv6 addresses. User Name The SNMPv3 user to congure for use with SNMPv3 traps 7 Click Save. Editing an SNMPv3 User To edit an SNMPv3 user:

Deleting an SNMPv3 User To delete an SNMPv3 user:

From the top menu, click Controller. From the top menu, click Controller. D 1 2 In the left pane, click SNMP. The SSNMP screen displays. 3 Click the SNMPv3 tab. 4 Select an SNMP user. 5 Click Edit Selected User. The EEdit SNMPv3 User Account window displays. 6 Edit the user conguration as desired. 7 Click OK. The EEdit SNMPv3 User Account window closes. 8 Click Save. raft 1 2 In the left pane, click SNMP. The SNMP screen displays. 3 Click the SNMPv3 tab. 4 Select an SNMP user. 5 Click Delete Selected User. You are prompted to conrm that you want to delete the selected user. 6 Click OK. The SNMP agent generates traps to notify the administrator of events such as conguration changes, component failures, and disconnection of Access Points. Administrators can congure the Agent and the Controller, dening the level of trap to receive. The following trap types are supported by ExtremeWireless Controllers:

Interfaces MIB (IF-MIB) linkDown (.1.3.6.1.6.3.1.1.5.3) Interfaces MIB (IF-MIB) linkUp (.1.3.6.1.6.3.1.1.5.4) HIPATH-WIRELESS-HWC-MIB apTunnelAlarm (.1.3.6.1.4.1.4329.15.3.19.4) SNMP Trap Types Sent by the controller when it detects that it has lost the connection to an AP. The trap identies the AP that the controller can no longer contact. HIPATH-WIRELESS-HWC-MIB hiPathWirelessLogAlarm (.1.3.6.1.4.1.4329.15.3.9.6) ExtremeWireless V10.41.06 User Guide 88 Conguring the ExtremeWireless Appliance A generic trap that contains specic information relevant to the event. The information is carried in the trap, and the information varies from event to event. The trap contains the trap severity, the component on the controller that raised the event, and the text string associated with the event, as it appears in the controller GUI. A trap containing one event that also is displayed in the controllers Event / Log report page. The trap is sent when the event is raised and recorded on the controller. This trap accounts for the vast majority of traps messages sent by the controller at most sites. Conguring Network Time Network time is synchronized in one of two ways:

Using the systems time The systems time is the controllers time. Using Network Time Protocol (NTP) The Network Time Protocol is a protocol for synchronizing You should synchronize the clocks of the controller and the APs to ensure that the logs and reports reect accurate time stamps. For more information, see Working with Reports and Statistics on page 621. D The normal operation of the controller will not be affected if you do not synchronize the clock. The clock synchronization is necessary to ensure that the logs display accurate time stamps. In addition, clock synchronization of network elements is a prerequisite for the following conguration:

Mobility Manager Session Availability NNetwork Time Synchronization raft The controller automatically adjusts for any time change due to Daylight Savings time. the clocks of computer systems over packet-switched data networks. From the top menu, click Controller. 1 Conguring the Network Time Using the Systems Time ExtremeWireless V10.41.06 User Guide 89 Conguring the ExtremeWireless Appliance 2 In the left pane, click Network > Network Time. The NNetwork Time screen displays. D for the time zone. country. 4 From the Time Zone Region drop-down list, click the appropriate time zone region for the selected 3 From the Continent or Ocean drop-down list, click the appropriate large-scale geographic grouping raft 5 Click Apply Time Zone. 6 In the System Time eld, type the system time. 7 Click Set Clock. The WLAN network time is synchronized in accordance with the controllers time. Conguring the Network Time Using an NTP Server 1 From the top menu, click Controller. ExtremeWireless V10.41.06 User Guide 90 Conguring the ExtremeWireless Appliance 2 In the left pane, click Network > Network Time. The NNetwork Time screen displays. aft 3 From the Continent or Ocean drop-down list, click the appropriate large-scale geographic grouping 4 From the Time Zone Region drop-down list, click the appropriate time zone region for the selected for the time zone. country. 5 Click Apply Time Zone. 6 In the System Time box, type the system time. 7 Select the Use NTP check box. Note If you want to use the controller as the NTP Server, select the Run local NTP Server check box, and click Apply. 8 In the Time Server 1 text box, type the IP address or FQDN (Full Qualied Domain Name) of an NTP time server that is accessible on the enterprise network. Note The Time Server elds supports both IPv4 and IPv6 addresses. 9 Repeat for Time Server2 and Time Server3 text boxes. If the system is not able to connect to the Time Server 1, it will attempt to connect to the additional servers that have been specied in Time Server 2 and Time Server 3 text boxes. ExtremeWireless V10.41.06 User Guide 91 Conguring the ExtremeWireless Appliance 10 Click Apply. The WLAN network time is synchronized in accordance with the specied time server. Conguring Secure Connections The controllers communicate amongst themselves using a secure protocol. Among other things, this protocol is used to share between controllers the data required for high availability. They also use this protocol to communicate with NMS Wireless Manager. The protocol requires the use of a shared secret for mutual authentication of the end points. By default the controllers and NMS Wireless Manager use a well known factory default shared secret. This makes it easy to get up and running but is not as secure as some sites require. The controllers and NMS Wireless Manager allow the administrator to change the shared secret used by the secure protocol. In fact the controllers and Wireless Manager can use a different shared secret for each individual end point to which they connect with the protocol. D To congure the shared secret for a connection on the controller:

From the top menu, click Controller. 1 raft ExtremeWireless V10.41.06 User Guide 92 Conguring the ExtremeWireless Appliance 2 In the left pane, click Network > Secure Connections. The SSecure Connections screen displays. ft 3 Select Enable Weak Ciphers to enable weak ciphers for the remote connections. Disabling weak ciphers prevents users from accessing various web pages on the controller using less secure methods. 4 Enter the Server IP address of the other end of the secure protocol tunnel and the shared secret to use. 5 Click Add/Update. 6 Click Save. Note Congure the same shared secret onto the devices at each end of the connection. Otherwise, the two controllers or controller and NMS Wireless Manager will not be able to communicate. ExtremeWireless V10.41.06 User Guide 93 Conguring the ExtremeWireless Appliance Conguring DNS Servers for Resolving Host Names of NTP and RADIUS Servers Because the GGlobal Settings screen allows you to set up NTP and RADIUS servers by dening their host names, you have to congure your DNS servers to resolve the host names of NTP and RADIUS servers to the corresponding IP addresses. Go to VNS > Global Settings. Note For more information on RADIUS server conguration, see Dening RADIUS Servers and MAC Address Format on page 394. You can congure up to three DNS servers to resolve NTP and RADIUS server host names to their corresponding IP addresses. The controller sends the host name query to the rst DNS server in the stack of three congured DNS servers. The DNS server resolves the queried domain name to an IP address and sends the result back to the controller. D If for some reason, the rst DNS server in the stack of congured DNS servers is not reachable, the controller sends the host name query to the second DNS server in the stack. If the second DNS server is also not reachable, the query is sent to the third DNS server in the stack. To congure DNS servers for resolving host names of NTP and RADIUS servers:

1 From the top menu, click Controller. raft ExtremeWireless V10.41.06 User Guide 94 Conguring the ExtremeWireless Appliance 2 In the left pane, click Administration > Host Attributes. The HHost Attributes screen displays. 3 In the DNS box, type the DNS servers IP address in the Server Address eld and then click Add Server. The new server is displayed in the DNS servers list. aft Note You can congure up to three DNS servers. The Server Address eld supports both IPv4 and IPv6 addresses. 4 Int the Default Gateway IP box, enter the IP address of the Default Gateway. 5 To save your changes, click Save. Using a Third-party Location-based Solution ExtremeWireless supports the following location-based solutions:

AeroScout Ekahau Centrak On the controller, congure the AeroScout/Ekahau/Centrak server IP address and enable the location-

based service. When using AeroScout or Ekahau, the location-based server is aware of the controller IP address. And if using AeroScout, the controller noties the AeroScout server of the operational APs. ExtremeWireless V10.41.06 User Guide 95 Conguring the ExtremeWireless Appliance Enable the location-based service on the APs that you want to participate. NNote Participating APs must use the 2.4 GHz band and the radio that receives location-based service tags must have at least one WLAN service associated with it. Once you have enabled the location-based service on the controller and the participating APs, at least one of the participating APs will receive reports from a location-based service Wi-Fi RFID tag in the 2.4 GHz band. The tag reports are collected by the AP and forwarded to the location-based server by encapsulating the tag reports in a WASSP tunnel and routing them as IP packets through the controller. When using Ekahau or Centrak, the controller does not converse directly with the location-based service server. Note Tag reports are marked with UP=CS5, and DSCP = 0xA0. On the wireless controller, tag reports are marked with UP=CS5 to the core (if 802.1p exists). D An APs tag report collection status is reported in the AP Inventory report. For more information, see Viewing Routing Protocol Reports on page 657. When location-based service support is disabled on the controller, the controller does not communicate with the location-based server and the APs do not perform any location-based functionality. If availability is enabled, tag report transmission pauses on failed over APs until they are congured and notied by the location-based server. With an availability pair, it is good practice to congure both controllers with the same location-based service. Ensure that your location-based service tags are congured to transmit on all non-overlapping channels

(1, 6 and 11) and also on channels above 11 for countries where channels above 11 are allowed. For information about proper deployment of the location-based solution, refer to the third-party documentation (AeroScout/Ekahau/Centrak). raft Conguring Location-Based Services on page 96 AP Multi-Edit Properties on page 111 AP Properties Tab - Advanced Settings on page 164 Conguring Location-Based Services Related Links To congure a controller for use with an AeroScout/Ekahau/Centrak solution:

1 From the top menu, click Controller. ExtremeWireless V10.41.06 User Guide 96 Conguring the ExtremeWireless Appliance 2 In the left pane, click Services > Location-based Service. D 3 Select the desired location-based service for the controller. Enter the IP address of the location based service server. Centrak and Ekahau conguration offer a default port number and multicast address, but you can modify the default values if necessary. 4 Click Save. Now assign APs to participate in the location-based service. raft ExtremeWireless V10.41.06 User Guide 997 Conguring the ExtremeWireless Appliance 5 From the top menu, click AP. In the left pane, click APs. NNote You can enable location-based service on APs using the Location-based service eld on the AAP Multi-edit screen and the AAdvanced window of the AAP Default Settings screen. The following procedure shows you how to enable location-based services on one AP at a time. t 6 Click on an AP row. The AAP Status dashboard displays. 7 Click Congure to display the CConguration dialog. ExtremeWireless V10.41.06 User Guide 98 Conguring the ExtremeWireless Appliance 8 Click Advanced. The AAdvanced dialog displays. aft 9 Select Enable location-based service and close the dialog. 10 Enable Location-based services on each additional AP that you want to participate. 11 Click Save. Related Links Using a Third-party Location-based Solution on page 95 AP Multi-Edit Properties on page 111 AP Properties Tab - Advanced Settings on page 164 Additional Ongoing Operations of the System Ongoing operations of the Extreme Networks ExtremeWireless system can include the following:

Controller System Maintenance Client Disassociate Logs and Traces Reports and Displays ExtremeWireless V10.41.06 User Guide 99 Conguring the ExtremeWireless Appliance For more information, see Performing System Administration on page 669 or the Extreme Networks ExtremeWireless Maintenance Guide. D raft ExtremeWireless V10.41.06 User Guide 1100 4 Conguring the ExtremeWireless APs D WWireless AP Overview Discovery and Registration Viewing a List of All APs Wireless AP Default Conguration Conguring Wireless AP Properties Outdoor Access Point Installation Assigning Wireless AP Radios to a VNS Conguring Wireless AP Radio Properties Conguring IoT Applications Setting Up the Wireless AP Using Static Conguration Setting Up 802.1x Authentication for a Wireless AP Conguring Co-Located APs in Load Balance Groups Conguring an AP Cluster Conguring an AP as a Guardian Conguring a Captive Portal on an AP AP3916ic Integrated Camera Deployment Performing AP Software Maintenance Understanding the ExtremeWireless LED Status raft Extreme Networks ExtremeWireless APs use the 802.11 wireless standards (802.11a/b/g/n/ac) for network communications, and bridge network traffic to an Ethernet LAN. In addition to the Wireless APs that run proprietary software and communicate with a controller only, Extreme Networks offers a Cloud-enabled APs. The 3805i and the AP39xx series are radar capable, Cloud-enabled APs that interoperate fully with ExtremeCloud and other ExtremeWireless products. Wireless AP Overview A wireless AP physically connects to a LAN infrastructure and establishes an IP connection to a controller, which manages the AP conguration through the Wireless Assistant. The controller also provides centralized management (verication and upgrade) of the AP rmware image. A UDP-based protocol enables communication between an AP and a controller. The UDP-based protocol encapsulates IP traffic from the AP and directs it to the controller. The controller decapsulates the packets and routes them to the appropriate destinations, while managing sessions and applying roles. ExtremeWireless V10.41.06 User Guide 101 Conguring the ExtremeWireless APs AP Model Firmware Support Refer to the ExtremeWireless Hardware Firmware Support Matrix to easily determine the currently supported rmware version and the minimum rmware version for each ExtremeWireless access point. Wireless Protocol Standards (802.11) Most current wireless networks and end-user devices use the IEEE 802.11n wireless protocol standard. The 802.11n APs are backward-compatible with existing 802.11a/b/g networks and devices. The AP38xx and AP39xx series APs support the 802.11ac wireless protocol. The AP3705i delivers data rates up to 300 Mbps per radio; the AP37xx series APs except for the AP3705i deliver data rates up to 450 Mbps per radio. The AP38xx series APs deliver data rates up to 1.3 Gbps on Radio 1 (the 5 GHz radio) and 450 Mbps Antennas The AP39xx series supports an internal antenna array and active/active E/N data ports that deliver on Radio 2 (the 2.4 GHz radio) data rates up to 1.7 Gbps on Radio 1 and 600 Mbps on Radio 2. D To congure an 802.11n/ac AP to achieve this high link rate, see Achieving High Throughput with 11n and 11ac Wireless APs on page 187. Some wireless AP models have built-in, internal antennas; some support external antennas. APs with internal antennas are certied as a complete unit. External antennas are individually certied for maximum transmitting power and determination of available channels in each country in which the AP is deployed. raft For a list of the external antennas that can be used with each AP model and how to install them, refer to the Installation Guide for each AP and to the ExtremeWireless External Antenna Site Preparation and Installation Guide. Wireless APs with external antenna ports must be congured to associate the external antenna connected to each antenna port. For more information, see Conguring Wireless AP Properties on page 156. The latest AP3915i/e and AP3917i/e models offer both Wi-Fi antennas and IoT antennas that are used to receive iBeacon signals from IoT devices. AP Types (Features) AP model types are differentiated by their feature design, particularly:

Indoor/Outdoor APs are built for either indoor or outdoor service. Indoor APs are built for use in enclosed, protected areas (like inside buildings) where they are not exposed to harsh weather or temperature extremes. Indoor APs have optional mounting brackets for mounting the AP on walls or drop ceilings. Outdoor APs are built weather-hardened, with watertight ttings for cables and antennas, splash guards, and a greater resistance to temperature extremes (both cold and heat). Outdoor APs can ExtremeWireless V10.41.06 User Guide 1102 Conguring the ExtremeWireless APs extend your Wireless LAN to outdoor locations without Ethernet cabling. Mounting brackets are available to enable quick and easy mounting of the Outdoor APs to walls, rails, and poles. Controller-based Controller-based APs are intended to be controlled centrally by an ExtremeWireless Appliance. All AP and service conguration, bridging, and networking is done on the controller, with the AP acting as the remote access point relaying communications between the network (the controller) and end-user devices. Cloud-enabled Cloud-enabled APs are intended to be controlled by ExtremeCloud an easy to use and scalable cloud-based management platform that supports and transforms with your business. Combined with enterprise-grade wired and wireless cloud-managed devices, ExtremeCloud delivers a scalable and highly available pay-as-you go subscription solution. IoT ready, smoke detector models ExtremeWireless offers APs that are equipped with IoT antennas for receiving iBeacon signals from IoT devices. The controller collects and lters data based on conguration parameters, and forwards the data to an Application Server for reporting. The AP3915i/e and AP3917i/e are equipped with IoT antennas. Additionally, the indoor model (AP3915i/e) is equipped with a smoke detector. D AP 3912 Wall Plate 2x2 11ac AP that is installed replacing other existing Ethernet wall plates with The AP3912 and AP3916 models are equipped with BLE radios that send iBeacon signals to IoT devices. AP 3916ic (Integrated Camera) 2x2 11ac AP with an integral security camera (2MP camera with resolution up to 1080p) that lets you extend your Wireless LAN and provide simultaneous wireless service, BLE or 802.15.4 coverage and security in public spaces, such as classrooms and offices. This fully featured access point can be mounted on the ceiling or wall. The integral ONVIF compatible security camera is connected to an internal wired Ethernet port. The AP3916ic provides ow based data handling for the wireless and wired connections. Enabled for ExtremeCloud support. raft one or two ports. One Ethernet port on the wall plate must be connected to the LAN1 uplink connection on the AP (black). This link provides AF or AT POE to the AP and uplink data connectivity to the network. The other Ethernet port on the wall plate can be connected to the pass-

through port on the AP (blue), allowing connection options for wired devices like IP phones. The AP3912 is intended to take advantage existing wired Ethernet outlets and a switch port. The AP3912 is installed over an existing wall plate, and it is connected to the existing cable / switch port. The AP offers an integrated BTLE/802.15.4 radio for connectivity to Internet of Things (IoT) sensors and devices. Enabled for ExtremeCloud support. Threat Detection and Prevention Capability As the potential for wireless security threats grows, APs must evolve to detect and counter hostile intrusion and attacks. The AP37xx, AP38xx, AP39xx and W78xC series of access points are designed to support Radar channel monitoring and are congurable for protection against detected attacks. The Radar and Mitigator functions are described in greater detail in Threat Detection and Prevention Features on page 105. Conguration of these functions on controllers is described in Working with ExtremeWireless Radar on page 563. Other differentiating features in an AP product series are the number of internal or external antennas

(see Antennas on page 102) or the number of radios the AP has (see Radios on page 103). Radios All wireless APs are equipped with at least two radios Radio 1 and Radio 2:

ExtremeWireless V10.41.06 User Guide 1103 Conguring the ExtremeWireless APs Radio 1 supports a 5 GHz radio band Radio 2 supports a 2.4 GHz radio band NNote The following APs offer integrated BLE/802.15.4 radios: AP3912i , AP3915i/e, AP3916ic, AP3917i/e/k. The AP39xx supports up to 1.7 Gbps on the 5 GHz radio and 600 Mbps on the 2.4 GHz radio using four spatial streams. The 38xx and AP37xx series radios (except AP3705i) support up to 450Mbps using three spatial streams. The radios are enabled or disabled through the Wireless Assistant. For more information, see Modifying 11n and 11ac Wireless AP Radio Properties on page 178. D The Unlicensed National Information Infrastructure (U-NII) bands all lie within the 5 GHz band, designed for short-range, high-speed, wireless networking communication. 802.11n APs support the full range of frequencies available in the 5 GHz band:

5150 to 5250 MHz - U-NII Low band 5250 to 5350 MHz - U-NII Middle Band 5470 to 5700 MHz - U-NII Worldwide 5725 to 5825 MHz - U-NII High Band Note 802.11n-compliant wireless APs can achieve link rates of up to 300 Mbps. You can congure the controller for this higher level link rate. For more information, see Achieving High Throughput with 11n and 11ac Wireless APs on page 187. raft The AP3916ic is an 11ac Wave 2 AP with an integral security camera that lets you extend your Wireless LAN and provide simultaneous wireless service, BLE or 802.15.4 coverage and security in public spaces, such as classrooms and offices. The AP3916 can be mounted on the ceiling, wall or in a junction/gang box. The integral ONVIF compatible security camera is connected to an internal wired Ethernet port, and the AP provides policy enforcement control for the wireless and wired connections. AP3916ic (Integrated Camera) The AP3916ic has the following specications:

Integrated 2MP camera with resolution up to 1080p, with manual view adjustment. Radios: Two concurrent Wi-Fi radios (2.4 GHz and 5 GHz) and one additional radio that can operate as Bluetooth or 802.15.4. Antennas: Four internal single band Wi-Fi antennas and one internal antenna for Bluetooth (BLE) or 802.15.4. LEDs: Six 802.3af compliant for full functionality. Optional AC adapter. ExtremeWireless V10.41.06 User Guide 104 Conguring the ExtremeWireless APs Supports the 802.11ac and 802.11n wireless standards, with full backward compatibility with legacy 802.11abg. 10/100/1000 Mbps operation. Adjustable mounting bracket (included) for drop-ceiling T-bar rail. Optional mounts can be purchased separately for junction/gang box, indoor wall and solid ceiling installation. Enabled for ExtremeCloud support. RRelated Links ExtremeWireless support for the AP3916ic:

Camera is powered by the AP3916i PoE power supply:

Camera port (CAM) can be assigned through policy to B@AP or B@AC virtual network service topologies. Default and specic assignment is supported. You can use policy denition and assignment to provide network segmentation for network access and camera (CAM) functions. client list to obtain a list of cameras under the appliance management. The AP3916ic's camera function is identied as "EXTR2MP-CAM" device type. Filter the appliance The controller provides factory reset and restart functions for the camera. D AP3916ic Integrated Camera Deployment on page 226 Upgrading the Camera Image Manually on page 237 AP3916ic-Camera Web User Interface on page 227 raft ExtremeWireless Appliances and the wireless APs they manage, provide Wireless Intrusion Detection Services (WIDS) and Wireless Intrusion Prevention Services (WIPS) to detect, report, and protect against potential wireless network attacks and threats such as rogue APs, AP spoong, honeypot APs, password cracking, man-in-the-middle, denial of service (DoS), and others. The latest generation of controllers and the APs (AP39xx, AP38xx, AP37xx and W78xC series) implement the Radar feature and its major functions:

Scanning channels for threat identication Analyzing and detecting a wide range of wireless security threats Taking active countermeasures (if congured to do so) against identied threats Validating WLAN (Wireless Local Area Network) Service conguration to protect against security Generating threat event reports and forwarding them to Extreme Management Center weakness Threat Detection and Prevention Features All APs can simultaneously perform channel bridging and scan (monitor) the channels they are bridging. These APs can also be congured (on their controller) to perform countermeasures against detected threats. Radar threat detection scanning of channels on the APs is congured on In-Service Scan Proles. You can congure APs to operate as full time Radar agents by adding them to a Guardian Scan Prole. When operating in this mode, they are referred to as "Guardians." Once assigned to the Guardian Scan Prole, the APs stop forwarding traffic on both radios and devote all of their resources to threat detection and countermeasures. Any AP added to a Guardian Scan Prole is done so in its entirety. Therefore, it is not possible to dedicate one radio to scanning, and the other to forwarding. Guardian AP ExtremeWireless V10.41.06 User Guide 105 Conguring the ExtremeWireless APs can scan on multiple channels, which you can congure from the SScan Prole Detection Settings user interface. The AP cannot scan or transmit on channels that are prohibited by the regulations of the countries in which it is deployed. Related Links Guardian Scan Prole Detection Settings on page 578 Working with ExtremeWireless Radar on page 563 802.11n- and 802.11ac-Compliant Access Point Features All 802.11n-compatible APs have the following features:

MIMO Wireless APs use MIMO (multiple input, multiple output) a technology that uses advanced signal processing with multiple antennas to improve throughput. MIMO takes advantage of multipath propagation to decrease packet retries to improve the delity of the wireless network. MIMO increases throughput by using multiple streams. D MIMO radios send out one, two or three radio signals through each antenna. Each signal is called a spatial stream. The antennas on the AP are deliberately spaced so that each spatial stream follows a slightly different path to the client device. Two spatial streams get multiplied into several streams as they bounce off obstructions in the vicinity. This phenomenon is called multipath. As the streams are bounced from different surfaces, they follow different paths to the client device. The client device also has multiple antennas. Each of the antennas independently decodes the arriving signal. Then the decoded signal from each antenna combines with the decoded signals from the other antennas. A software algorithm uses this redundancy to extract one or two spatial streams and enhances the signal to noise ratio of the streams. raft The client device also sends out one or two spatial streams through its multiple antennas. These spatial streams get multiplied into several steams as they bounce off the obstructions in the vicinity en route to the AP. MIMO receivers receive these multiple streams with three antennas. Each of the three antennas independently decodes the arriving signal. Then the decoded signal of each antennas is combined with the decoded signals from the other antennas. The receiving AP's MIMO receiver also uses redundancy to extract one or two spatial streams and enhances the streams' signal to noise ratio. ExtremeWireless V10.41.06 User Guide 106 Conguring the ExtremeWireless APs Operating with multiple antennas, an AP with MIMO is capable of picking up even the weakest signals from the client devices. Figure 11: MIMO in Wireless APs ft The AP39xx models offer Multi-User MIMO that enables Wave2 APs to communicate with multiple Wave2 clients concurrently, in the downstream direction. Up to 3 MU-MIMO conversations concurrently. Channel Bonding In addition to MIMO technology, the 802.11n-compliant APs have additional radio features that increase the effective throughput of the wireless LAN. Second-generation wireless APs use radio channels that are 20 MHz wide. The channels must be spaced at 20 MHz to avoid interference. The radios of 802.11n-

compliant wireless APs can use two channels at the same time to create a 40-MHz-wide channel. The 802.11ac radio of the AP38xx and AP39xx series can use four channels at the same time to create an 80-

MHz-wide channel. By using multiple 20-MHz channels in this manner, the wireless AP achieves more than double the throughput. The 40-MHz and 80-MHz channels in 802.11n and 802.11ac are adjacent 20-

ExtremeWireless V10.41.06 User Guide 1107 Conguring the ExtremeWireless APs MHz channels, bonded together. This technique of using multiple channels at the same time is called channel bonding. Shortened Guard Interval The purpose of the guard interval is to introduce immunity to propagation delays, echoes and reections of symbols in orthogonal frequency division multiplexing (OFDM) a method by which information is transmitted via a radio signal in APs. In OFDM, the beginning of each symbol is preceded by a guard interval. As long as the echoes fall within this interval, they do not affect the safe decoding of the actual data, as data is interpreted only outside the guard interval. Longer guard periods reduce the channel efficiency. 802.11n-compliant APs provide reduced guard periods, thereby increasing the throughput. RRelated Links MAC Enhancements D Wireless AP International Licensing 802.11n-compliant APs also have an improved MAC layer protocol that reduces overhead (in the MAC layer protocol) and contention losses, resulting in increased throughput. Licensing Considerations on page 108 To congure the appropriate radio band according to the country of operation, use the controller. For more information, see Conguring Wireless AP Properties on page 156. A wireless AP must be congured to operate on the appropriate radio band in accordance with the regulations of the country in which it is being used. For more information, see Regulatory Information on page 705. raft With ExtremeWireless v10.01 and later each controller is licensed in a specic domain. The domain licenses include:

FCC ROW MNT EGY The user interface reects the domain of the controller. The following are use cases for each domain:

A wireless appliance with an FCC license can manage access points deployed in the United States, Licensing Considerations Puerto Rico, or Colombia. A wireless appliance with a ROW license can manage access points deployed in any country except the United States, Puerto Rico, Egypt, or Colombia. ExtremeWireless V10.41.06 User Guide 108 Conguring the ExtremeWireless APs A wireless appliance with a EGY license will continue to require ROW hardware, but the license will restrict country selection to Egypt only. A wireless controller with a EGY license can manage access points deployed in Egypt. NNote If upgrading from v10.21 with an EGY license, call customer support for assistance. A wireless appliance with a MNT license can manage only domain-locked access points, which are the AP39xx-FCC, AP39xx-ROW, and the AP3805i-FCC, AP3805i-ROW only. The FCC models must be deployed in the United States, Puerto Rico, or Colombia. The ROW must be deployed in any country except the United States, Puerto Rico, or Colombia. Note The AP37xx and AP38xx will NOT be able to connect to a controller licensed in the MNT domain. D First-time Conguration Guidelines Wireless AP Default IP Address Wireless APs are shipped from the factory with a default IP address 192.168.1.20. The default IP address simplies the rst-time IP address conguration process for APs. If an AP fails in its discovery process, it returns to its default IP address. This AP behavior ensures that only one AP at a time can use the default IP address on a subnet. For more information, see Discovery and Registration on page 120. Wireless APs can acquire their IP addresses by one of two methods:

DHCP assignment When an AP is powered on, it attempts to reach the DHCP (Dynamic Host Conguration Protocol) server on the network to acquire an IP address. If successful, the DHCP server assigns an IP address to the AP. raft If the DHCP assignment is not successful in the rst 60 seconds, the AP returns to its default IP address. DHCP assignment is the default method for AP conguration. DHCP assignment is part of the discovery process. For more information, see Discovery and Registration on page 120. The process repeats until the DHCP assignment is successful, or until an administrator assigns the After 30 seconds in the default IP address mode, it attempts again to acquire an IP address from AP an IP address, using static conguration. the DHCP server. Static conguration Use the static conguration option to assign a static IP address to a wireless AP. For more information, see the following section. You can establish an SSH session with an AP during the time window of 30 seconds when the AP returns to its default IP address mode. If a static IP address is assigned during this period, reboot the AP for the conguration to take effect. For more information, see Assigning a Static IP Address to a Wireless AP on page 110. ExtremeWireless V10.41.06 User Guide 109 Conguring the ExtremeWireless APs Assigning a Static IP Address to a Wireless AP Depending upon the network condition, you can assign a static IP address to a wireless AP using the Wireless Assistant (Controllers GUI). Refer to Setting Up the Wireless AP Using Static Conguration on page 199 for more information. Conguring Wireless APs for the First Time Before conguring an AP for the rst time, conrm that the following tasks have already been performed:

The ExtremeWireless Appliance has been installed and connected to the network. For more information, see Conguring the ExtremeWireless Appliance on page 31. The ExtremeWireless Appliance has been congured. For more information, see Conguring the ExtremeWireless Appliance on page 31. page 123. General Conguration Methods For installation information, refer to the respective AP Installation Guide. The wireless APs have been installed. D Once the APs are installed, continue with the AP initial conguration:

This section describes the methods you can use to modify the properties of APs in your network. 1 Dene parameters for the discovery process. For more information, see Wireless AP Registration on 2 Connect the AP to a power source to initiate the discovery and registration process. For installation information, refer to the respective AP Installation Guide. raft CCaution If you reset an AP to defaults, its Search List is deleted, regardless of the settings in Common Conguration. To congure a wireless AP with the system default AP settings:

From the top menu, click AP and select the AP to modify. 1 2 Click Reset to Defaults and click OK to conrm your changes. Modifying the Properties of Wireless APs Based on a Default AP Conguration To reset the AP to the default conguration, select AP Properties > Reset To Defaults. Modifying the Default Setting of Wireless APs Using the Copy to Defaults Feature The Copy to Defaults feature allows the properties of an already congured AP to become the systems default AP settings. To modify the system default AP settings based on an already congured AP:

1 From the main menu, click AP and select the AP whose properties you want to use as the default. You can modify the properties here if necessary. ExtremeWireless V10.41.06 User Guide 110 Conguring the ExtremeWireless APs 2 Click Copy to Defaults and click OK to conrm your changes. AP Multi-Edit Properties When you use the Multi-edit function, only options that are explicitly modied are changed by the update. The APs shown in the Wireless APs list are supported by various versions of software. Only attributes that are common between software versions are available for multi-edit. Setting an attribute that does not apply to an AP does not cause an abort of the multi-edit operation. Table 10: Multi-Edit AP Properties FField Description AP Properties Zone Poll Timeout Location D Dene the location of the AP. When a client roams to an AP with a different location, Area Notication is triggered. The Area Notication feature is designed to track client locations within pre-dened areas using either the Location Engine (for more information, see Conguring the Location Engine on page 609) or the AP Location eld. When the clients change areas, a notication is sent. Location functionality on the AP is useful when access to Extreme Management Center OneView is not available. Zone allows the RADIUS client to send the AP Zone name as the BSSID instead of the radio MAC address. This feature can be enabled regardless of whether the Site is using centrally located or local RADIUS servers. Zone name is limited to 32 bytes. Each AP can have its own Zone label although it is often useful to assign the same Zone to multiple APs. It can be easier to base authorization decisions on the zone label rather than on the BSSID. raft Note: If you are conguring session availability, the Poll Timeout value should be 1.5 to 2 times of Detect link failure value on AAP Properties screen. For more information, see Session Availability on page 545. Type the timeout value, in seconds. The AP uses this value to trigger re-establishing the link with the Controller if the AP does not get an answer to its polling. The default value is 10 seconds. ExtremeWireless V10.41.06 User Guide 111 Conguring the ExtremeWireless APs Table 10: Multi-Edit AP Properties (continued) FField Description Secure Tunnel This feature, when enabled, provides encryption, authentication, and key management between the AP and/or controllers. Select the desired Secure Tunnel mode from the drop-down list:

Disabled Secure Tunnel is turned off and no traffic is encrypted. All SFTP/SSH/TFTP traffic works normally. Encrypt control traffic between AP & Controller An IPSEC tunnel is established from the AP to the controller and all SFTP/SSH/

TFTP/WASSP control traffic is encrypted. The AP skips the registration and authentication phases and when selected, the Secure Tunnel Lifetime feature can be congured. Encrypt control and data traffic between AP & Controller This mode only benets routed/bridged@Controller Topologies. An IPSEC tunnel is established from the AP to the controller and all SFTP/SSH/TFTP/WASSP control and data traffic is encrypted. The AP skips the registration and authentication phases, and when selected, the Secure Tunnel Lifetime feature can be congured. D Note: This option is not available for AP3805 models. Debug mode An IPSEC tunnel is established from the AP to the Note: Changing a Secure Tunnel mode will automatically disconnect and reconnect the AP. controller, no traffic is encrypted, and all SFTP/SSH/TFTP traffic works normally. The AP skips the registration and authentication phases and when selected, the Secure Tunnel Lifetime feature can be congured. raft Enable or disable third-party location based services on this AP. ExtremeWireless supports the following third-party services:

AeroScout Ekahau Centrak Enter an interval (in hours) at which time the keys of the IPSEC tunnel are renegotiated. Note: Changing the Secure Tunnel Lifetime setting will not cause any AP disruption. Determines if the AP can be accessed remotely. Secure Tunnel Lifetime (hours) Remote Access Location-based Service Maintain client session in event of poll failure Restart service in the absence of controller Determines if the AP remains active when a link loss with the controller occurs. Select this option when using a bridged at AP VNS. This option is enabled by default. Determines if the APs radios continue providing service when the APs connection to the controller is lost. Select this option when using a bridged at AP VNS. When this option is enabled, the AP starts a bridged at AP VNS in the absence of a controller. ExtremeWireless V10.41.06 User Guide 112 Conguring the ExtremeWireless APs Table 10: Multi-Edit AP Properties (continued) FField Description Use broadcast for disassociation LLDP Determines if the AP uses broadcast disassociation when disconnecting all clients, instead of disassociating each client one by one. This setting affects the behavior of the AP when the AP is preparing to reboot or preparing to enter one of the special modes

(DRM initial channel selection). and when a BSSID is deactivated or removed on the AP. This option is disabled by default. Determines if the AP broadcasts LLDP (Link Layer Discovery Protocol) information. This option is disabled by default. If SNMP (Simple Network Management Protocol) is enabled on the controller and you enable LLDP, the LLLDP Conrmation dialog is displayed. Select one of the following:

Proceed (not recommended) Select this option to enable LLDP D Maintenance Guide. and keep SNMP running. Disable SNMP publishing, and proceed Select this option to enable LLDP and disable SNMP. For more information on enabling SNMP, see the ExtremeWireless Ensures that multicast data has the highest priority in the wireless network. Prioritizes multicast data to the level of voice data. This setting must be enabled when deploying healthcare patient monitoring devices. Determines if IP Multicast Assembly runs on the wireless AP. If enabled, IP Multicast Assembly joins together fragmented multicast data packets that are too large to t the MTU size of the tunnel header. This feature is disabled by default. raft Indicates the country of operation. The antenna you select determines the available channel list and the maximum transmitting power for the country in which the AP is deployed. Simplify power settings so settings function across all channels in the channel plan. Select the desired LED pattern from the drop-down list. Options include: Off, WDS Signal Strength, Identify, and Normal. The Professional Install option is only available for AP models with external antennas. The elds and corresponding antenna value options that appear on the PProfessional Install dialog depend on the selected AP and the antenna models that are available. Select an antenna for each available port. By default, the two antennas must be identical. However, you have the option to select No Antenna for the second antenna port. The AP3915e and AP3917e access point models offer an external IoT antenna. Select the antenna model from the drop-down eld. Choose the desired attenuation for each radio from the drop-

down list. Selectable range is from 0 to 30 dBI. Determines if the radio mode. Select On to enable the radio. Select Off to disable the radio. Multicast prioritized as voice IP Multicast Assembly Balanced Channel List Power LED Country Antennas Radio Settings Admin Mode ExtremeWireless V10.41.06 User Guide 113 Conguring the ExtremeWireless APs Table 10: Multi-Edit AP Properties (continued) FField Description Radio Mode Channel Width Select the radio mode based on the type of AP. Available radio settings are dependent on the selected radio mode. Determines the channel width for the radio. Valid values are:

20 MHz Allows 802.11n clients to use the primary channel (20 MHz) and non-802.11n clients, beacons, and multicasts to use the 802.11b/g radio protocols. 40 MHz Allows 802.11n clients that support the 40 MHz frequency to use 40 MHz, 20 MHz, or the 802.11b/g radio protocols. 802.11n clients that do not support the 40 MHz frequency can use 20 MHz or the 802.11b/g radio protocols and non-802.11n clients, beacons, and multicasts use the 802.11b/g radio protocols. 80 MHz Allows 802.11ac clients to use the 80 MHz frequency. Applies to AP38xx and AP39xx Radio 1 only. Auto Automatically switches between 20 MHz, 40 MHz, and 80 D DTIM MHz channel widths, depending on how busy the extension channels are. Denes the time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds. Type the desired DTIM (Delivery Traffic Indication Message) period the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number. Use a small number to minimize broadcast and multicast delay. The default value is 5. raft

(Request to Send/Clear to Send) handshake. Determines the maximum packet size, in bytes, that triggers a RTS/CTS handshake. The default value is 2346 (the maximum 802.11 frame size) which means all packets are sent without RTS/CTS. If the transmitted packet size is greater than the threshold value, the RTS/CTS handshake occurs. Otherwise, the data frame is sent immediately. Reduce this value only if necessary. Note: In order for RTS/CTS to take affect, the RTS threshold must be less than or equal to the Frag threshold. Determines the maximum packet size, in bytes, that triggers packet fragmentation. The default value is 2346. At 2346, all packets are sent unfragmented. Any value above the frag threshold triggers packet fragmentation by the AP prior to transmission. Denes a group of APs that cooperate in managing RF channels and transmission power levels. The maximum string length is 16 characters. Select Auto to use Automatic Channel Selection. For more information, see Dynamic Radio Management (DRM) on page 174. Beacon Period RTS/CTS (Bytes) Frag Threshold (Bytes) RF Domain Channel Auto Tx Power Control Determines if the AP automatically adapts transmission power signals according to the coverage provided by the AP. After a period of time, the system stabilizes itself based on the RF coverage of your wireless APs. When enabled, Min Tx Power and Auto Tx Power Ctrl Adjust parameters can be edited, and the ATPC algorithm adjusts the AP power between the Max Tx and Min Tx settings. When disabled, the radio uses the Max Tx Power value or the largest value in the compliance table,whichever is smaller. ExtremeWireless V10.41.06 User Guide 114 Conguring the ExtremeWireless APs Table 10: Multi-Edit AP Properties (continued) FField Description Max Tx Power Min Tx Power Auto Tx Ctrl Adjust D Determines the maximum power level used by the radio in dBm. The values are governed by compliance requirements based on the country, radio, and antenna selected, and vary by AP. Changing this value below the current Min Tx Power value will lower the Min Tx Power to a level lower than the selected Max TX Power. If Auto Tx Power Ctrl (ATPC) is disabled, the radio uses the selected value or the largest value in the compliance table as the power level, whichever is smaller. Determines the minimum power level for the radio. Use the lowest supported value in order to not limit the potential Tx power level range that can be used. If ATPC is enabled, select the Min Tx power level that is equal or lower than the Max Tx power level. The Min Tx Power setting cannot be set higher than the Max Tx Power setting. Determines if the AP automatically adapts transmission power signals according to the coverage provided by the AP. After a period of time, the system stabilizes itself based on the RF coverage of your wireless APs. When enabled, Min Tx Power and Auto Tx Power Ctrl Adjust parameters can be edited, and the ATPC algorithm adjusts the AP power between the Max Tx and Min Tx settings. When disabled, the radio uses the Max Tx Power value or the largest value in the compliance table,whichever is smaller. raft ExtremeWireless V10.41.06 User Guide 115 Conguring the ExtremeWireless APs Table 10: Multi-Edit AP Properties (continued) FField Description Channel Plan If ACS is enabled you can dene a channel plan for the AP. Dening a channel plan allows you to control which channels are available for use during an ACS scan. For example, you may want to avoid using specic channels because of low power, regulatory domain, or radar interference. For 5 GHz Radio nodes, click one of the following:

All channels ACS scans all channels for an operating channel and, when ACS is triggered, the optimal channel is selected from all available channels. D All Non-DFS Channels ACS scans all non-DFS channels for an operating channel. With ACS, the AP selects the best non-

DFS channel. Custom To congure individual channels from which the ACS All channels including weather radar ACS selects the best selects an operating channel, click Congure. The CCustom Channel Plan dialog displays. By default, all channels participate in the channel plan. Click the individual channels you want to include in the channel plan. To select contiguous channels, use the Shift key. To select multiple, non-contiguous channels in the list, use the CTRL key. Click OK to save the conguration. channel from the available channels list. Selected channel may be DFS, weather-radar DFS or non-DFS. Weather-radar channels are approved for selected AP models in selected countries. Consult the compliance information for the selected AP. raft The weather channel includes 5600-5650MHz sub-bands and requires a listening period before the AP can provide wireless service. During the listening period, the Current Channel eld for DFS channels displays the value DFS Timeout, and the weather channel elds display DFS Timeout . In Europe, the listening period can be up to 10 minutes. In the U.S., this period is 1 minute. For 2.4 GHz Radio nodes, click one of the following:

3 Channel Plan ACS scans the following channels: 1, 6, and 11 in North America, and 1, 7, and 13 in the rest of the world. 4 Channel Plan ACS scans the following channels: 1, 4, 7, and 11 in North America, and 1, 5, 9, and 13 in the rest of the world. Auto ACS scans the default channel plan channels: 1, 6, and 11 in North America, and 1, 5, 9, and 13 in the rest of the world. Custom If you want to congure individual channels from which the ACS selects an operating channel, click Congure. The AAdd Channels dialog is displayed. Click the individual channels you want to add to the channel plan while pressing the CTRL key, and then click OK. ExtremeWireless V10.41.06 User Guide 116 Conguring the ExtremeWireless APs Table 10: Multi-Edit AP Properties (continued) FField Description Dynamic Channel Selection DCS Noise Threshold Determines behavior when traffic or noise levels exceed the congured DCS thresholds. Valid values are:

Monitor Mode An alarm is triggered and an information log is generated. Active Mode An alarm is triggered, an information log is generated, the AP stops operating on the current channel,and ACS automatically selects an alternate channel for the AP to operate on. Denes the noise interference limit, measured in dBm. If the noise interface exceeds this threshold, ACS scans for a new operating channel for the AP. Denes the channel utilization level, measured as a percentage. If the threshold is exceeded, ACS scans for a new operating channel for the AP. DCS Channel Occupancy Threshold D DCS Update Period (Minutes) Dynamic Channel Selection (DCS) events Denes a period of time, in minutes, where the average values for DCS Noise and Channel Occupancy are measured. If the average value for either setting exceeds the dened threshold for that setting, then the AP triggers Automatic Channel Scan (ACS). Indicates items that can affect DCS (Dynamic Channel Selection). Enable one or more events if they are part of the wireless network:

Bluetooth Microwave Cordless Phone Constant Wave Video Bridge raft When data collides on a given channel, CTS (clear to send) protection determines which device transmits at a given time. Auto. The default and recommended setting. None. Select if 11b APs and clients are not expected. Always. Select if you expect many 11b-only clients. Select a preamble type for 11b-specic (CCK) rates: Short, or Long. Click Short if you are sure that there is no 11b APs or client in the vicinity of this AP. Click Long if compatibility with 11b clients is required. Length of the delay (in seconds) before logging an alarm. Default setting is 10 seconds. A CTS (Clear to Send) packet is always sent out at the MBR (Minimum Basic Rate) congured for the radio. Protection is used when the sending rate (to the client) is greater than the congured protection rate. For example,if the protection rate is 11Mbps it means that 802.11 protection is used. Interference Wait Time Preamble Protection Mode Protection Rate ExtremeWireless V10.41.06 User Guide 117 Conguring the ExtremeWireless APs Table 10: Multi-Edit AP Properties (continued) FField Description Probe Suppression D Protection Type Min Basic Rate Force Disassociate Select a protection type:

CTS (Clear to Send) Only. RTS (Request to Send) and CTS. Recommended when a 40 MHz or 80 MHz channel is used. This protects high throughput transmissions on extension channels from interference from non-11n APs and clients. Denes the minimum data rate that must be supported by all stations in a BSS (Base Station Subsystem):

Select 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes. Select 6, 12, or 24 Mbps for 11g-only mode. Select 6, 12, or 24 Mbps for 11a mode. Used to remedy "sticky clients", that is clients that do not probe on other channels and remain associated to an AP when a better AP is available. Congure per radio (Enable/Disable and Threshold). Applies to AP37xx, AP38xx, and AP39xx series APs. Probe Suppression accomplishes the following:

RSS threshold (Adjustable Cell Size) Reduces the number of Probe Responses. Prevents clients with RSS below the threshold from associating. Field is available when Probe Suppression is enabled. This setting does the following:

Disassociates Sticky Clients Occurs 5dBm below the suppression threshold. Prevents clients from re-associating to the AP. Encourages/Forces roaming to a better AP. Congure per radio (Enable/Disable). raft Denes the maximum percentage of time that the AP transmits non-

unicast packets (broadcast and multicast traffic) for each congured Beacon Period. For each non-unicast packet transmitted, the system calculates the airtime used by each packet and drops all packets that exceed the congured maximum percentage. Restrict non-unicast traffic, to limit the impact of broadcasts and multicasts on overall system performance. 90 (Range of -50 to -100). Field is available when Probe Suppression is enabled. RSS Threshold (dBm) Max % of non-unicast traffic per Beacon period Optimized Multicast for power save Adaptable rate for Multicast Enables several performance enhancements applicable to clients in power save mode. One of these enhancements converts multicast to unicast for power save clients when the ratio of active to power save clients is sufficiently large. Determines if the AP tracks the lowest unicast transmission speed of any station currently associated to the AP. Multicast frames are then forwarded at that speed or at the Minimum Basic Rate, whichever is higher. ExtremeWireless V10.41.06 User Guide 118 Conguring the ExtremeWireless APs Table 10: Multi-Edit AP Properties (continued) FField Description Multicast to Unicast delivery Determines if multicast packets are replaced by one unicast packet per destination station. Each unicast packet is transmitted at the highest speed the destination station will accept. Note: It is possible that some client devices will not handle frames properly when the L2 MAC is unicast and the L3 IP address is multicast in which case the "Multicast to Unicast Delivery" option should be disabled. Note: The AP converts a multicast frame to unicast frames only when it determines that it is more efficient to do so. With the exception of Optimized Multicast for power save these options can be enabled at any time without service disruption. Guard Interval 11n Radio Settings D Ensures that individual transmissions do not interfere with one another. It is the space between the symbols being transmitted. Selecting Short increases throughput, but can increase interference. Selecting Long can increase overhead due to additional idle time. The wireless 802.11n AP provides a shorter guard interval, which increases channel throughput. Long guard periods reduce channel efficiency. When data collides on a given channel, CTS (clear to send) protection determines which device transmits at a given time. Auto. The default and recommended setting. None. Select if 11b APs and clients are not expected. Always. Select if you expect many 11b-only clients. raft Select a protection type:

CTS (Clear to Send) Only. RTS (Request to Send) and CTS. Recommended when a 40 MHz or CTS Only or RTS CTS, when a 40 MHz channel is used. This protects high throughput transmissions on extension channels from interference from non-11n APs and clients. 80 MHz channel is used. This protects high throughput transmissions on extension channels from interference from non-11n APs and clients. Determines MAC Service Data Unit (MSDU) aggregation. Enable to increase the maximum frame transmission size. Determines MAC Protocol Data Unit (MPDU) aggregation. Enable to increase the maximum frame transmission size, providing a signicant improvement in throughput. Protection Mode Protection Type Extension Channel Busy Threshold Aggregate MSDUs Aggregate MPDUs Aggregate MPDU Max Length Agg. MPDU Max # of Sub-frames Denes the maximum length of the MAC Protocol Data Unit (MPDU) aggregation. Valid values range from 1024-65535 bytes. For the 802.11ac radio (Radio 1 of the AP38xx), the range is 1024-1048575. Determines the maximum number of sub frames in the aggregate MAC Protocol Data Unit (MPDU). Valid value range is 2-64. The default value and recommended value is 64. Setting this value to 64 results in less overhead and higher throughput. ExtremeWireless V10.41.06 User Guide 119 Conguring the ExtremeWireless APs Table 10: Multi-Edit AP Properties (continued) FField Description ADDBA Support LDPC STBC TXBF Block acknowledgement. Provides acknowledgement of a group of frames instead of a single frame. ADDBA Support must be enabled if Aggregate MPDU is enable. Increases the reliability of the transmission resulting in a 2dB increased performance compared to traditional 11n coding. Space Time Block Coding. A simple open loop transmit diversity scheme. When enabled, STBC conguration is 2x1 (two spatial streams combined into one spatial stream). TXBF overrides STBC if both are enabled for single stream rates. Tx Beam Forming is a technique of re-aligning the transmitter multipath spatial streams phases in order to get better signal-to-noise ratio on the receiver side. For the AP37xx and AP38xx models, valid values are Enabled or Disabled. For the 39xx APs, this setting is only available on Radio1. The valid values are: MU_MIMO and Disabled. D Static Conguration EWC Search List Tunnel MTU WLAN Assignments WLAN Assignment Option Denes the list of IP addresses that the AP is congured to try to connect to in the event that the current connection to the controller is lost. Maximum transmission unit. Determines the largest packet size than can be transmitted by an IP interface without the packet needing to be broken down into smaller units. raft Determines action on the WLAN assignment list associated with one or more APs. Valid values are Clear WLAN List or Recongure WLAN List. Warning Only use power supplies that are recommended by Extreme Networks. When a wireless AP is powered on, it automatically begins a discovery process to determine its own IP address and the IP address of the controller. When the discovery process is successful, the AP registers with the controller. For more information, see Figure 12. Discovery and Registration ExtremeWireless V10.41.06 User Guide 120 Conguring the ExtremeWireless APs ft Figure 12: Wireless AP Discovery Process Wireless AP Discovery Wireless APs discover the IP address of a controller using a sequence of mechanisms that allow for the possible services available on the enterprise network. The discovery process is successful when the AP successfully locates a controller to which it can register. ExtremeWireless V10.41.06 User Guide 1121 Conguring the ExtremeWireless APs Ensure that the appropriate services on your enterprise network are prepared to support the discovery process. The following steps are used to nd a known controller:

1 Use the predened static IP addresses for the controllers on the network (if congured). You can specify a list of static IP addresses of the controllers on your network. On the Static Conguration tab, add the addresses to the Wireless Controller Search List. CCaution Wireless APs congured with a static Wireless Controller Search List can connect only to controllers in the list. Improperly congured APs cannot connect to a non-existent controller address, and therefore cannot receive a corrected conguration. 2 Use the IP address of the controller to which the AP last connected successfully. Once an AP has successfully registered with a controller, it recalls that controller's IP address, and uses that address on subsequent reboots. The AP bypasses discovery and goes straight to registration. D If a known controller cannot be located, the following discovery process steps should be followed:

3 Use DHCP Option 60 to query the DHCP server for available controllers. The DHCP server responds to the AP with Option 43, which lists the available controllers. For the DHCP server to respond to an Option 60 request from an AP, congure the DHCP server with the vendor class identier (VCI) for each AP. Also, congure the DHCP server with the IP addresses of the controllers. For more information, refer to the Getting Started Guide. 4 Use a Domain Name Server (DNS) lookup for the host name Controller.domain-name. raft The AP sends a multicast SLP request, looking for any SLP Service Agents providing the Extreme Networks service. If you use this method for discovery, place an A record in the DNS server for Controller.<domain-

name>. The <domain-name> is optional, but if used, ensure it is listed with the DHCP server. 6 Use DHCP Option 78 to locate a Service Location Protocol (SLP) Directory Agent (DA), followed by a The AP tries the DNS server if it is congured in parallel with SLP unicast and SLP multicast. The AP tries SLP multicast in parallel with other discovery methods. 5 Use a multicast SLP request to nd SLP SAs unicast SLP request to the Directory Agent. To use the DHCP and unicast SLP discovery method, ensure that the DHCP server on your network supports Option 78 (DHCP for SLP RFC2610). The APs use this method to discover the controller. This solution takes advantage of two services that are present on most networks:

DHCP The standard is a means of providing IP addresses dynamically to devices on a network. SLP A means of allowing client applications to discover network services without knowing their location beforehand. Devices advertise their services using a Service Agent (SA). In larger installations, a Directory Agent (DA) collects information from SAs and creates a central repository (SLP RFC2608). ExtremeWireless V10.41.06 User Guide 122 Conguring the ExtremeWireless APs The controller contains an SLP SA that, when started, queries the DHCP server for Option 78 and if found, registers itself with the DA as service type Extreme Networks. The controller contains a DA (SLPD). The AP queries DHCP servers for Option 78 to locate any DAs. The SLP User Agent for the AP then queries the DAs for a list of Extreme Networks SAs. Option 78 must be set for the subnets connected to the ports of the controller and the subnets connected to the APs. These subnets must contain an identical list of DA IP addresses. Wireless AP Registration To dene the discovery process parameters:

From the top menu, click AP. 1 2 In the left pane, click Global > Registration. D The following screen appears:

raft 3 Congure the following parameters:

Security Mode The Allow all Wireless APs to connect option is selected by default. For more information, see Security Mode on page 124. Allow only approved Wireless APs to connect Discovery Timers . The discovery timer parameters dictate the number of retry attempts and the time delay between each attempt. Number of retries ExtremeWireless V10.41.06 User Guide 1123 Conguring the ExtremeWireless APs Delay between retries The number of retries is limited to 255 for the discovery. The default number of retries is 3, and the default delay between retries is 3 seconds. SSH Access Set up a Secure Shell password. Click Unmask to display the password as you type. Password Conrm Password Secure Cluster Security Mode Cluster Shared Secret. A common, default cluster ID. Click Unmask to display the shared secret value. Check Use Cluster Encryption . If you disable cluster encryption, the AP cannot participate in the D the diagnostic slpdump tool. cluster. 5 From the Wireless AP Registration screen, click Save to save your changes. 4 Click View SLP Registration to conrm SLP Registration. A screen appears displaying the results of Once the discovery parameters are dened, you can connect the AP to a power source. For instructions on connecting and powering an AP, refer to the Installation Guide for the specic AP. raft If the controller does not recognize the registering serial number, a new registration record is automatically created for the AP (if within MDL license limit). The AP receives a default conguration. The default conguration can be the default template assignment. If the controller recognizes the serial number, it indicates that the registering device is pre-

registered with the controller. The controller uses the existing registration record to authenticate the AP and the existing conguration record to congure the AP. Security mode denes how the controller behaves when registering new, unknown devices. During the registration process, the controllers approval of the APs serial number depends on the security mode that has been set:

Allow all APs to connect Allow only approved APs to connect (this is also known as secure mode) If controller does not recognize the AP, the AP's registration record is created in pending state (if within MDL limits). The administrator is required to manually approve a pending AP for it to provide active service. The pending AP receives minimum conguration only, which allows it to maintain an active link with the controller for future state change. The AP's radios are not congured or enabled. Pending APs are not eligible for conguration operations (VNS Assignment, default template, Radio parameters) until approved. If the controller recognizes the serial number, the controller uses the existing registration record to authenticate the AP. Following successful authentication, the AP is congured according to its stored conguration record. ExtremeWireless V10.41.06 User Guide 1124 Conguring the ExtremeWireless APs During the initial setup of the network, Extreme Networks recommends that you select the Allow all Wireless APs to connect option. This option is the most efficient way to get a large number of APs registered with the controller. Once the initial setup is complete,Extreme Networks recommends that you reset the security mode to the Allow only approved Wireless APs to connect option. This option ensures that no unapproved APs are allowed to connect. For more information, see Conguring Wireless AP Properties on page 156. Registration After Discovery Any of the discovery steps 2 through 6 can inform the AP of a list of multiple IP addresses to which the AP may attempt to connect. Once the AP has discovered these addresses, it sends out connection requests to each of them. These requests are sent simultaneously. The AP attempts to register only with the rst which responds to its request. When the AP obtains the IP address of the controller, it connects and registers, sending its serial number identier to the controller, and receiving from the controller a port IP address and binding key. D Once the AP is registered with a controller, congure the AP. After the AP is registered and congured, you can assign it to one or more Virtual Network Services (VNS) to handle wireless traffic. The AP is registered with Secure mode and Un-secure mode. For new APs, that option is set in AAP Default Settings dialog. raft Viewing a List of All APs To view a list of all APs:

ExtremeWireless V10.41.06 User Guide 125 Conguring the ExtremeWireless APs 1 From the top menu, click AP. aft

. Search for any part of the AP string, any column of the AP list. Results:

APs that match the search criteria appear. Select one or more APs and apply actions to selected APs. 2 At the top of the screen, enter search criteria and click APs that match the search criteria are displayed in the list. 3 To take action on one or more APs, select the check box for the AP and select an action from the Actions button. For more information, see AP Actions on page 128. 4 To view AP properties, click the AP row (not the check box). AP details are displayed. 5 Click Congure to display AP properties. For more information, see AP Properties Tab Conguration on page 159. 6 To add a new AP to the list, click New > Create. For more information, see New Button -- Adding and Registering a Wireless AP on page 131. 7 To add a new AP as a clone of an existing AP, click New > Clone. For more information, see Creating a Clone AP on page 133. ExtremeWireless V10.41.06 User Guide 1126 Conguring the ExtremeWireless APs RRelated Links AP Search Facility on page 127 Understanding AP Status on page 127 AP Actions on page 128 Radio Actions on page 130 New Button -- Adding and Registering a Wireless AP on page 131 Deleting an AP on page 134 AP Properties Tab Conguration on page 159 Related Links AP Actions on page 128 Radio Actions on page 130 New Button -- Adding and Registering a Wireless AP on page 131 Deleting an AP on page 134 Understanding AP Status on page 127 AP Search Facility Search for any part of the AP string, any column of the AP list. Results:

APs that match the search criteria appear. Select one or more APs and apply actions to selected APs. D To search, do the following:

1 Go to AP > APs. 2 At the top of the screen, enter search criteria and click APs that match the search criteria are displayed in the list. raft Understanding AP Status The full AP list can be ltered to display just Foreign APs or just Local APs. When displaying a list of all APs, the value in the Status column is limited to Foreign or Local. In the left pane, click the Foreign or Local link to lter the list respectively. When the list is ltered, the value in the Status column changes. Possible statuses for Local APs include:

Pending. (You cannot view AP properties for Pending APs.) Active In-Active Possible statuses for Foreign APs include:

Active In-Active ExtremeWireless V10.41.06 User Guide 127 Conguring the ExtremeWireless APs For information about changing an AP's status, see AP Actions on page 128. AP Actions Take the following actions from the AP Actions button. D Figure 13: AP Actions button Description raft Select from the list of AP version images and apply to selected APs. If more than one AP is selected, the upgrade image must be common between the selected APs. If not, message displays indicating no common image. To upgrade without interrupting service, click Upgrade without interrupting service. If you click this option while the upgrade scheduler is running, the schedule is interrupted, and the current upgrade cycle calculates a new schedule that includes APs that weren't upgraded. Download appropriate image or select different APs. For information on downloading an upgrade image, see Downloading a new Wireless AP Software Image on page 240. Opens MMulti Edit dialog for selected APs. Conguration changes are applied to selected APs only. For more information, see AP Multi-Edit Properties on page 111. Opens CCerticates screen for selected APs. Conguration changes are applied to selected APs only. For more information, see Managing Certicates on page 211 Approve A Wireless AP's status changes from Pending to Approve if the AAP Registration screen was congured to register only approved APs. Release foreign APs after recovery from a failover. Releasing an AP corresponds to the Availability function. For more information, see Availability and Session Availability on page 537. Change Status to Pending AP is removed from the Active list, and is forced into discovery. Table 11: AP Actions FField Image Upgrade Multi Edit Manage Certicates Approve Release Pending ExtremeWireless V10.41.06 User Guide 128 Conguring the ExtremeWireless APs Table 11: AP Actions (continued) FField Description Reboot Restart selected APs without using SSH to access it. On-demand Background Scan Set Country Apply WLAN To verify channel assignments and review channel details without having to run a full ACS, run an on-demand background scan. For more information, see Running a Background Scan on page 638. Select from a list of countries and apply the command to the selected APs. You are prompted to conrm your selection. The AApply WLAN dialog appears. Select the radio for each congured WLAN Service for the selected AP. List can contain 128 WLAN Services. You are prompted to conrm your selection. For AP3912 only, you can select the client port for each service.For the AP3916 only, you can select CAM on each service. For AP3916 only. Restarts the camera on the AP. Reboot Camera D Reset Camera Multi Edit - IoT Related Links IoT Multi-Edit Conguration on page 129 IoT Thread Gateway on page 196 Modifying the Status of a Wireless AP on page 156 Assigning WLAN Services to Client Ports on page 170 Applying WLAN Service Congure more than one AP for IoT support. For AP3916 only. Resets the camera to factory default settings. After the camera is reset, a DHCP server is required to reassign IP addresses to the camera. raft Related Links Assigning WLAN Services to Client Ports on page 170 IoT Multi-Edit Conguration Congure more than one AP at a time for IoT support. Select the radio for each congured WLAN Service for the selected AP. List can contain 128 WLAN Services. You are prompted to conrm your selection. For AP3912 only, you can select the client port for each service. 1 Select the check box next to more than one AP that supports the IoT. The following APs offer integrated BLE/802.15.4 radios: AP3912i , AP3915i/e, AP3916ic, AP3917i/e/k. ExtremeWireless V10.41.06 User Guide 129 Conguring the ExtremeWireless APs 2 Click Actions > Multi Edit - IoT. RRelated Links D Figure 14: Multi-Edit - IoT Action Conguring AP as an iBeacon on page 190 Conguring iBeacon Scan on page 192 Conguring AP as an Eddystone-url Beacon on page 194 Conguring Eddystone-url Scan on page 195 Advanced Thread Gateway Properties on page 198 3 Select Enable from the IoT Admin eld. 4 Select a value from the Application eld. Valid values are iBeacon, iBeacon Scan, Eddystone-url Beacon, Eddystone-url Scan, or Thread Gateway. Resulting parameters depend on the application you select here. raft Take the following actions from the Radio Actions button for the appropriate radio. Radio Actions Figure 15: Radio 1 Actions ExtremeWireless V10.41.06 User Guide 130 Conguring the ExtremeWireless APs Figure 16: Radio 2 Actions button Table 12: Radio Actions FField Set Tx Power Description D Apply this command to selected APs. All selected APs must be the same model and licensed for the same country. Congure the setting from the resulting dialog. First, congure the selected APs to the same radio mode and same channel width before setting Tx Power here. When selected APs are congured for the same width/mode, the SSet Tx Power dialog displays the width/mode and you are able to set the Tx power and channel. For more information, see Conguration Parameters for Radio Properties on page 180. Apply this command to selected APs. For more information about ACS, see Dynamic Radio Management (DRM) on page 174. Apply this command to selected APs. All selected APs must be the same model and licensed for the same country. Congure the setting from the resulting dialog. For more information, see Conguration Parameters for Radio Properties on page 180. raft Apply this command to selected APs. All selected APs must be the same model and licensed for the same country. Congure the setting from the resulting dialog. For more information, see Conguration Parameters for Radio Properties on page 180. Auto Channel Select Set Radio Mode Set Channel Width Related Links Conguration Parameters for Radio Properties on page 180 Dynamic Radio Management (DRM) on page 174 New Button -- Adding and Registering a Wireless AP You can manually add and register a wireless AP to the controller, but the AP must still go through the automatic discovery and registration process to locate the controller. The AP may skip the discovery process if it has a static list, or has previously connected and registered with the controller. When you manually add and register an AP, the system applies the default settings to the AP. After the system registers the AP, you can go in and edit its conguration settings (see Conguring Wireless AP Properties on page 156). To add and register an AP manually:

1 From the top menu, click AP. ExtremeWireless V10.41.06 User Guide 131 Conguring the ExtremeWireless APs Regardless of the tab that you click on, the New button displays at the bottom of the page. 2 Click New and select Create or Clone. CCreate Displays the AAdd Wireless AP dialog. For eld descriptions, see Table 13 on page 133. Clone Displays the CClone AP dialog. See Creating a Clone AP on page 133. The AAdd Wireless AP screen displays. raft ExtremeWireless V10.41.06 User Guide 132 Conguring the ExtremeWireless APs Table 13: Add Wireless AP FField Description Serial #

Hardware Type Type the unique identier of the AP. Select the hardware model of this AP from the drop-down menu. With ExtremeWireless v10.01 each controller is licensed in a specic domain. There are three types of domain licenses: FCC, ROW, EGY, and MNT. The ExtremeWireless user interface reects the domain of the controller. The following are use cases for each domain:

A wireless controller with an FCC license can manage AP37xx, AP38xx, and AP39xx-FCC. These access points can be deployed in the United States, Puerto Rico, or Colombia. A wireless controller with a ROW license can manage AP37xx, AP38xx, and AP39xx-ROW. These access points can be deployed in any country except the United States, Puerto Rico, Egypt, or Colombia. D AP38xx, and AP39xx-EGY. A wireless controller with a EGY license can manage AP37xx, Note: The AP37xx and AP38xx cannot connect to a controller licensed in the MNT domain. A wireless controller with a MNT license can manage only domain-

locked access points, which are the AP39xx-FCC and the AP39xx-

ROW only. The AP39xx-FCC must be deployed in the United States, Puerto Rico, or Colombia. The AP39xx-ROW must be deployed in any country except the United States, Puerto Rico, Egypt, or Colombia. raft Click to add the AP with default settings. You can later modify these settings. When an AP is added manually, it is added to the controller database only and does not get assigned. Type a unique name for the AP that identies the access point. The default value is the APs serial number. Enter a description of this AP. Click to close this window. Conguring Wireless AP Properties on page 156 Creating a Clone AP on page 133 Name Description Add Wireless AP Close Related Links Creating a Clone AP Create a new AP with the same type and conguration as the selected AP. Only one AP can be selected for the Clone action. Select an AP from the AP list and click New > Clone. 1 2 Enter the Serial # and Name of the new clone AP. 3 Click Apply. Related Links ExtremeWireless V10.41.06 User Guide 133 Conguring the ExtremeWireless APs Viewing a List of All APs on page 125 New Button -- Adding and Registering a Wireless AP on page 131 Deleting an AP To delete an AP from the controller AP list:

1 Go to AP > APs. 2 Select the APs to delete. 3 Click Delete. Wireless AP Default Conguration Conguring the Default Wireless AP Settings Default wireless AP conguration acts as a conguration template that can be automatically assigned to new registering APs. The default AP conguration allows you to specify common sets of radio conguration parameters and VNS assignments for APs. D Wireless APs are added with default settings. You can modify the systems AP default settings, and then use these default settings to congure newly added APs. In addition, you can base the AP default settings on an existing AP conguration or you can make pre-congured APs inherit the properties of the default AP conguration when they register with the system. Each AP model has its own tab:

Common Conguration Congure common conguration, such as WLAN assignments and static conguration options for all APs. See Conguring Common Conguration Default AP Settings on page 135. raft AP38xx Congure the default settings for the ExtremeWireless Radar series APs. See Conguring AP3801 Congure the default settings for the ExtremeWireless Radar series APs. See Conguring AP37xx W78xC Congure the default settings for the Radar series APs. See Conguring AP37xx, AP37xx Dual Band Congure the default settings for the Radar series APs. See Conguring AP37xx Dual Band Default Settings on page 145 AP38xx Default AP Settings on page 143. AP3801 Default AP Settings on page 143. W78xC Default AP Settings on page 146. AP3805 Congure the default settings for the ExtremeWireless Radar series APs. See Conguring AP3805 Default AP Settings on page 144. AP3912 Congure the default settings for the ExtremeWireless wall plate AP. See Conguring AP3912 Default AP Settings on page 139. AP3915 Congure the default settings for the ExtremeWireless AP3915, BLE Radio enabled AP. See Conguring AP3915 Default AP Settings on page 138. AP3916ic Congure the default settings for the ExtremeWireless Integrated Camera AP. See Conguring AP3916 Default AP Settings on page 137. AP3917 Congure the default settings for the ExtremeWireless AP3917, BLE Radio enabled AP. See Conguring AP3917 Default AP Settings on page 136. ExtremeWireless V10.41.06 User Guide 134 Conguring the ExtremeWireless APs AP3935 Congure the default settings for the ExtremeWireless indoor series AP. See Conguring AP3935 Default AP Settings on page 140. AP3965 Congure the default settings for the ExtremeWireless outdoor series AP. See Conguring AP3965 Default AP Settings on page 142. Conguring Common Conguration Default AP Settings To congure common conguration default AP settings:

From the top menu, click AP. 1 2 In the left pane, click Global > Default Settings. The Common Conguration tab is displayed. D raft NNote Ports 1, 2, and 3, are available on the AP3912. Port 1 is the port that corresponds to the Camera (CAM) function of the AP3916ic. 3 In the Static Conguration section, you can specify an EWC search list or use the search list provided from the AP. Do one of the following:

Check Learn EWC Search List from AP to accept the AP's search list, or clear the check box to specify a common search list for all APs. For more information about creating an EWC Search List, see Table 22 on page 201. ExtremeWireless V10.41.06 User Guide 135 Conguring the ExtremeWireless APs 4 In the WLAN Assignments section, you can associate a WLAN assignment to a radio. If the controller is in an availability pair, you can apply default WLAN assignments to foreign APs, by selecting the Apply default WLAN assignments to foreign APs check box. For more information, see Availability on page 537. To associate a WLAN Service in the list to a radio and or a client port, select the check box matching the radio and or port for the selected WLAN. One WLAN can be assigned per port. The assignment enables the port. Wireless and wired users associated to the same WLAN service receive identical service. They are affected by the same policies and lters. Note Airtime % is available for AP38xx and AP39xx access point models that are assigned WLANS congured with Reserved Airtime. Related Links 5 Click Save Settings. D Conguring Airtime Fairness: Reservation Mode on page 406 Conguring AP3917 Default AP Settings To congure AP3917 default AP settings:

From the top menu, click AP. 1 2 In the left pane, click Global > Default Settings. raft ExtremeWireless V10.41.06 User Guide 136 Conguring the ExtremeWireless APs 3 Click the AP3917 FCC tab. raft Figure 17: AP3917 Default Settings 4 Congure the following Default AP Settings as required:

AP Properties Radio Settings Advanced Settings For detailed information, see AP Default Settings on page 148. 5 Click Save Settings. Conguring AP3916 Default AP Settings To congure AP3916 default AP settings:

From the top menu, click AP. 1 2 In the left pane, click Global > Default Settings. ExtremeWireless V10.41.06 User Guide 1137 Conguring the ExtremeWireless APs 3 Click the AP3916 ROW tab. aft Figure 18: AP3916 Default Settings 4 Congure the following Default AP Settings as required:

AP Properties Radio Settings Advanced Settings For detailed information, see AP Default Settings on page 148. 5 Click Save Settings. Conguring AP3915 Default AP Settings To congure AP3915 default AP settings:

From the top menu, click AP. 1 2 In the left pane, click Global > Default Settings. ExtremeWireless V10.41.06 User Guide 1138 Conguring the ExtremeWireless APs 3 Click the AP3915 FCC tab. raft Figure 19: AP3915 Default Settings 4 Congure the following Default AP Settings as required:

AP Properties Radio Settings Advanced Settings For detailed information, see AP Default Settings on page 148. 5 Click Save Settings. Conguring AP3912 Default AP Settings To congure AP3912 default AP settings:

From the top menu, click AP. 1 2 In the left pane, click Global > Default Settings. ExtremeWireless V10.41.06 User Guide 1139 Conguring the ExtremeWireless APs 3 Click the AP3912 FCC tab. ft Figure 20: AP3912 Default Settings 4 Congure the following Default AP Settings as required:

AP Properties Radio Settings Advanced Settings For detailed information, see AP Default Settings on page 148. 5 Click Save Settings. Conguring AP3935 Default AP Settings ExtremeWireless 10.01 associates the license key to a specic Wireless Controller, and each license key applies to a specic regulatory domain (FCC or ROW). The FCC domain operates in the United States, ExtremeWireless V10.41.06 User Guide 1140 Conguring the ExtremeWireless APs Colombia and Puerto Rico. The ROW domain operates outside these countries. The AP3935 can be licensed to operate within an FCC or ROW regulatory domain. To congure AP3935 default AP settings:

From the top menu, click AP. 1 2 In the left pane, click Global > Default Settings. 3 Click the AP3935 FCC tab. ft Figure 21: AP3935 FCC Default Settings 4 Congure the following Default AP Settings as required:

AP Properties Radio Settings Advanced Settings For detailed information, see AP Default Settings on page 148. 5 To save your changes, click Save Settings. ExtremeWireless V10.41.06 User Guide 1141 Conguring the ExtremeWireless APs Conguring AP3965 Default AP Settings ExtremeWireless 10.01 associates the license key to a specic Wireless Controller, and each license key applies to a specic regulatory domain (FCC or ROW). The FCC domain operates in the United States, Colombia and Puerto Rico. The ROW domain operates outside these countries. The AP3965 can be licensed to operate within an FCC or ROW regulatory domain. To congure AP3965 default AP settings:

From the top menu, click AP. 1 2 In the left pane, click Global > Default Settings. 3 Click the AP3965 FCC tab. D Figure 22: AP3965 FCC Default Settings 4 Congure the following Default AP Settings as required:

AP Properties Radio Settings Advanced Settings For detailed information, see AP Default Settings on page 148. ExtremeWireless V10.41.06 User Guide 1142 Conguring the ExtremeWireless APs 5 To save your changes, click Save Settings. Conguring AP38xx Default AP Settings To congure AP38xx default AP settings:

From the top menu, click AP. 1 2 In the left pane, click Global > Default Settings. 3 Click the AP38xx tab. ft Figure 23: AP38xx Default Settings 4 Congure the following Default AP Settings as required:

AP Properties Radio Settings Advanced Settings For detailed information, see AP Default Settings on page 148. 5 To save your changes, click Save Settings. Conguring AP3801 Default AP Settings To congure AP3801 default AP settings:

1 From the top menu, click AP. ExtremeWireless V10.41.06 User Guide 1143 Conguring the ExtremeWireless APs 2 In the left pane, click Global > Default Settings. 3 Click the AP3801 tab. raft Figure 24: AP3801 Default Settings 4 Congure the following Default AP Settings as required:

AP Properties Radio Settings Advanced Settings For detailed information, see AP Default Settings on page 148. 5 To save your changes, click Save Settings. Conguring AP3805 Default AP Settings To congure AP3805 default AP settings:

From the top menu, click AP. 1 2 In the left pane, click Global > Default Settings. ExtremeWireless V10.41.06 User Guide 1144 Conguring the ExtremeWireless APs 3 Click the AP3805 ROW tab. raft Figure 25: AP3805 Default Settings 4 Congure the following Default AP Settings as required:

AP Properties Radio Settings Advanced Settings For detailed information, see AP Default Settings on page 148. 5 To save your changes, click Save Settings. Conguring AP37xx Dual Band Default Settings This AP37xx prole supports two concurrent Wi-Fi radios (2.4 GHz and 5 GHz). To congure AP37xx default AP settings:

From the top menu, click AP. 1 2 In the left pane, click Global > Default Settings. ExtremeWireless V10.41.06 User Guide 1145 Conguring the ExtremeWireless APs 3 Click the AP37xx tab. raft Figure 26: AP37xx Default Settings 4 Congure the following Default AP Settings as required:

AP Properties Radio Settings Advanced Settings For detailed information, see AP Default Settings on page 148. 5 Click Save Settings. Conguring AP37xx, W78xC Default AP Settings To congure AP37xx, W78xC default AP settings:

From the top menu, click AP. 1 2 In the left pane, click Global > Default Settings. ExtremeWireless V10.41.06 User Guide 1146 Conguring the ExtremeWireless APs 3 Click the AP37xx W78xC tab. raft 4 Congure the following Default AP Settings as required:

AP Properties Radio Settings Advanced Settings For detailed information, see AP Default Settings on page 148. Figure 27: AP37xx W78xC Default Settings 5 Click Save Settings. ExtremeWireless V10.41.06 User Guide 1147 AP Default Settings Table 14: AP Default Settings FField LLDP Conguring the ExtremeWireless APs Description AP Properties Determines if the AP broadcasts LLDP information. This option is disabled by default. If SNMP is enabled on the controller and you enable LLDP, the LLLDP Conrmation dialog is displayed. Select one of the following:

Proceed (not recommended) Enables LLDP and keeps SNMP

(Simple Network Management Protocol) running. Disable SNMP publishing, and proceed Enables LLDP and For more information on using SNMP, see the Extreme Networks ExtremeWireless Maintenance Guide disables SNMP. D Announcement Interval Note: Announcement Interval is not applicable on all AP models. Determines how often the AP advertises its information by sending a new LLDP (Link Layer Discovery Protocol) packet when LLDP is enabled. This value is measured in seconds. If there are no changes to the AP conguration that impact the LLDP information, the AP sends a new LLDP packet according to this schedule. Determines the length of time that delays the new packet delivery. The announcement delay helps minimize LLDP (Link Layer Discovery Protocol) packet traffic when LLDP is enabled. This value is measured in seconds. If a change to the AP conguration occurs which impacts the LLDP information, the AP sends an updated LLDP packet. raft Determines the lifespan of the LLDP (Link Layer Discovery Protocol) packet. The Time to Live value is calculated as four times the Announcement Interval value. It cannot be directly edited. Note: Announcement Delay is not applicable on all AP models. Note: Time to Live is not applicable on all AP models. Select On to enable this radio; Select Off to disable this radio. Radio Settings (Radio 1 and Radio 2) Select the country of operation. Click the radio mode based on the type of AP. For more information on the available Radio modes, see Conguring Wireless AP Radio Properties on page 174. The available radio settings are dependent on the radio mode you select. Announcement Delay Time to Live Country Admin mode Radio mode ExtremeWireless V10.41.06 User Guide 148 Conguring the ExtremeWireless APs Table 14: AP Default Settings (continued) FField Description Channel Width D RF Domain Auto Tx Power Ctrl (ATPC) Click the channel width for the radio:

20 MHz Click to allow 802.11n clients to use the primary channel

(20 MHz) and non-802.11n clients, beacons, and multicasts to use the 802.11b/g radio protocols. 40 MHz Click to allow 802.11n clients that support the 40 MHz frequency to use 40 MHz, 20 MHz, or the 802.11b/g radio protocols. 802.11n clients that do not support the 40 MHz frequency can use 20 MHz or the 802.11b/g radio protocols and non-802.11n clients, beacons, and multicasts use the 802.11b/g radio protocols. 80 MHz Click to allow 802.11ac clients to use the 80MHz frequency. Applies to AP38xx and AP39xx Radio 1 only. Auto Click to automatically switch between 20 MHz, 40 MHz, and 80 MHz channel widths, depending on how busy the extension channels are. Uniquely denes a group of APs that cooperate in managing RF channels and transmission power levels. The maximum length of the string is 16 characters. Determines if the AP will automatically adapt transmission power signals. Click to either enable or disable ATPC from the Auto Tx Power Ctrl drop-down list. ATPC automatically adapts transmission power signals according to the coverage provided by the AP. After a period of time, the system stabilizes itself based on the RF coverage of your Wireless APs. raft Click the appropriate Tx power level from the Max TX Power drop-

down list. The values in the Max TX Power drop-down are in dBm and will vary by AP. The values are governed by compliance requirements based on the country, radio, and antenna selected. Changing this value below the current Min Tx Power value will change the Min Tx Power to a level lower than the selected Max TX Power. Note: When enabled, Min Tx Power and Auto Tx Power Ctrl Adjust parameters can be edited, and the ATPC algorithm will adjust the AP power between Max Tx power and Min Tx Power. When disabled, the Max Tx Power selected value or the largest value in the compliance table will be the power level used by the radio, whichever is smaller. Note: If Auto Tx Power Ctrl (ATPC) is disabled, the selected value or the largest value in the compliance table will be the power level used by the radio, whichever is smaller. If ATPC is enabled, select the minimum Tx power level that is equal or lower than the maximum Tx power level. We recommend that you use the lowest supported value if you do not want to limit the potential Tx power level range that can be used. Note: The Min Tx Power setting cannot be set higher than the Max Tx Power setting. Max Tx Power Min Tx Power ExtremeWireless V10.41.06 User Guide 149 Conguring the ExtremeWireless APs Table 14: AP Default Settings (continued) FField Description Auto Tx Power Ctrl Adjust The Auto Tx Power Ctrl Adj parameter is a correction parameter that allows you to manually adjust (up or down) the Tx Power calculated by the ATPC algorithm. If ATPC is enabled, click the Tx power level that can be used to adjust the ATPC power levels that the system has assigned. Extreme Networks recommends that use 0 dB during your initial conguration. If you have an RF plan that recommends Tx power levels for each AP, compare the actual Tx power levels your system has assigned against the recommended values your RF plan has provided. Use the Auto Tx Power Ctrl Adjust value to achieve the recommended values. Valid range is from -(Max Tx Power - Min Tx Power) dB to (Max Tx Power - Min Tx Power) dB. D raft ExtremeWireless V10.41.06 User Guide 150 Conguring the ExtremeWireless APs Table 14: AP Default Settings (continued) FField Description Channel Plan If ACS is enabled you can dene a channel plan for the AP. Dening a channel plan allows you to control which channels are available for use during an ACS scan. For example, you may want to avoid using specic channels because of low power, regulatory domain, or radar interference. For 5 GHz Radio nodes, click one of the following:

All channels ACS scans all channels for an operating channel and, when ACS is triggered, the optimal channel is selected from all available channels. D All Non-DFS Channels ACS scans all non-DFS channels for an operating channel. With ACS, the AP selects the best non-

DFS channel. Custom To congure individual channels from which the ACS All channels including weather radar ACS selects the best selects an operating channel, click Congure. The CCustom Channel Plan dialog displays. By default, all channels participate in the channel plan. Click the individual channels you want to include in the channel plan. To select contiguous channels, use the Shift key. To select multiple, non-contiguous channels in the list, use the CTRL key. Click OK to save the conguration. channel from the available channels list. Selected channel may be DFS, weather-radar DFS or non-DFS. Weather-radar channels are approved for selected AP models in selected countries. Consult the compliance information for the selected AP. raft The weather channel includes 5600-5650MHz sub-bands and requires a listening period before the AP can provide wireless service. During the listening period, the Current Channel eld for DFS channels displays the value DFS Timeout, and the weather channel elds display DFS Timeout . In Europe, the listening period can be up to 10 minutes. In the U.S., this period is 1 minute. For 2.4 GHz Radio nodes, click one of the following:

3 Channel Plan ACS scans the following channels: 1, 6, and 11 in North America, and 1, 7, and 13 in the rest of the world. 4 Channel Plan ACS scans the following channels: 1, 4, 7, and 11 in North America, and 1, 5, 9, and 13 in the rest of the world. Auto ACS scans the default channel plan channels: 1, 6, and 11 in North America, and 1, 5, 9, and 13 in the rest of the world. Custom If you want to congure individual channels from which the ACS selects an operating channel, click Congure. The AAdd Channels dialog is displayed. Click the individual channels you want to add to the channel plan while pressing the CTRL key, and then click OK. ExtremeWireless V10.41.06 User Guide 151 Conguring the ExtremeWireless APs Table 14: AP Default Settings (continued) FField Description Antenna Selection Antenna Selection Click the antenna, or antenna combination, you want to congure on this radio. When you congure 11n Wireless APs to use specic antennas, the transmission power is recalculated; the Current Tx Power Level value for the radio is automatically adjusted to reect the recent antenna conguration. It takes approximately 30 seconds for the change to the Current Tx Power Level value to be reected in the ExtremeWireless Assistant. Also, the radio is reset causing client connections on this radio to be lost. Note: Antenna Selection is not applicable on all AP models. Advanced dialog AP Properties Poll Timeout D Secure Tunnel Type the timeout value, in seconds. The AP uses this value to trigger re-establishing the link with the controller if the AP does not get an answer to its polling. The default value is 10 seconds. All SFTP/SSH/TFTP traffic works normally. Encrypt control traffic between AP & Controller An IPSEC tunnel Note: If you are conguring session availability, the Poll Timeout value should be 1.5 to 2 times of Detect link failure value on AAP Properties screen. For more information, see Session Availability on page 545. This feature, when enabled, provides encryption, authentication, and key management between the AP and/or controllers. Select the desired Secure Tunnel mode from the drop-down list:

Disabled Secure Tunnel is turned off and no traffic is encrypted. raft Encrypt control and data traffic between AP & Controller This mode only benets routed/bridged@Controller Topologies. An IPSEC tunnel is established from the AP to the controller and all SFTP/SSH/TFTP/WASSP control and data traffic is encrypted. The AP skips the registration and authentication phases, and when selected, the Secure Tunnel Lifetime feature can be congured. is established from the AP to the controller and all SFTP/SSH/

TFTP/WASSP control traffic is encrypted. The AP skips the registration and authentication phases and when selected, the Secure Tunnel Lifetime feature can be congured. Debug mode An IPSEC tunnel is established from the AP to the Note: This option is not available for AP3805 models. controller, no traffic is encrypted, and all SFTP/SSH/TFTP traffic works normally. The AP skips the registration and authentication phases and when selected, the Secure Tunnel Lifetime feature can be congured. Note: Changing a Secure Tunnel mode will automatically disconnect and reconnect the AP. ExtremeWireless V10.41.06 User Guide 152 Conguring the ExtremeWireless APs Table 14: AP Default Settings (continued) FField Description Secure Tunnel Lifetime Enter an interval (in hours) at which time the keys of the IPSEC tunnel are renegotiated. Remote Access Location-based Service Note: Changing the Secure Tunnel Lifetime setting will not cause any AP disruption. Click to Enable or Disable SSH to the AP. Click to Enable or Disable location-based service on this AP. Location-

based service allows you to use this AP with an AeroScout or Ekahau solution. Maintain client sessions in event of poll failure D Restart service in the absence of controller Use broadcast for disassociation Click to Enable or Disable (using a bridged at AP VNS) the AP remains active if a link loss with the controller occurs. This option is disabled by default. modes (DRM initial channel selection). If a BSSID is deactivated or removed on the AP. This option is disabled by default. Click to Enable or Disable (if using a bridged at AP VNS) to ensure the AP continues providing service if the APs connection to the controller is lost. If this option is enabled, it allows the AP to start a bridged at AP VNS even in the absence of a controller. Click to Enable or Disable if you want the AP to use broadcast disassociation when disconnecting all clients, instead of disassociating each client one by one. This affects the behavior of the AP under the following conditions:

If the AP is preparing to reboot or to enter one of the special raft Click to Enable or Disable multicast frames assembling for groups of APs using AP Multi-editing settings (for more information, see AP Multi-Edit Properties on page 111 ). This simplies power settings such that they will function across all channels in the channel plan. Type the desired DTIM (Delivery Traffic Indication Message) period the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number. Use a small number to minimize broadcast and multicast delay. The default value is 5. Select the desired LED pattern from the drop-down list. Options include: Off, WDS Signal Strength, Identify, and Normal. Radio Settings IP Multicast Assembly Balanced Channel List Power:

Denes the time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds. Type the packet size threshold, in bytes, above which the packet will be preceded by an RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346, which means all packets are sent without RTS/CTS. Reduce this value only if necessary. Type the fragment size threshold, in bytes, above which the packets will be fragmented by the AP prior to transmission. The default value is 2346, which means all packets are sent un-fragmented. LED DTIM Beacon Period RST/CTS Frag. Threshold ExtremeWireless V10.41.06 User Guide 153 Conguring the ExtremeWireless APs Table 14: AP Default Settings (continued) FField Description Dynamic Channel Selection DCS Noise Threshold Click one of the following:

Monitor Mode If traffic or noise levels exceed the congured DCS thresholds, an alarm is triggered and an information log is generated. Active Mode If traffic or noise levels exceed the congured DCS thresholds, an alarm is triggered and an information log is generated. In addition, the AP ceases operating on the current channel and ACS automatically selects an alternate channel for the AP to operate on. Type the noise interference level, measured in dBm, after which ACS scans for a new operating channel for the AP if the threshold is exceeded. DCS Channel Occupancy Threshold D DCS Update Period Type the channel utilization level, measured as a percentage, after which ACS scans for a new operating channel for the AP if the threshold is exceeded. Type the time, measured in minutes that determines the period during which the AP averages the DCS Noise Threshold and DCS Channel Occupancy Threshold measurements. If either one of these thresholds is exceeded, then the AP triggers ACS. Enable or disable the following DCS Events:

Bluetooth Microwave Cordless Phone Constant Wave Video Bridge raft Click a protection rate: 1, 2, 5.5, or 11 Mbps. The default and recommended setting is 11. Only reduce the rate if there are many 11b clients in the environment or if the deployment has areas with poor coverage. For example, rates lower than 11 Mbps are required to ensure coverage. Click a preamble type for 11b-specic (CCK) rates: Short, or Long. Click Short if you are sure that there is no 11b APs or client in the vicinity of this AP. Click Long if compatibility with 11b clients is required. Length of the delay (in seconds) before logging an alarm. Default setting is 10 seconds. Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients. Click a protection type, CTS Only or RTS CTS, when a 40 MHz or 80 MHz channel is used. This protects high throughput transmissions on extension channels from interference from non-11n APs and clients. Interference Wait Time Preamble Protection Rate Protection Mode Protection Type DCS Interference Event

(appears if Dynamic Channel Selection is enabled) ExtremeWireless V10.41.06 User Guide 154 Conguring the ExtremeWireless APs Table 14: AP Default Settings (continued) FField Description Max % of non-unicast traffic per Beacon period Enter the maximum percentage of time that the AP transmits non-

unicast packets (broadcast and multicast traffic) for each congured Beacon Period. For each non-unicast packet transmitted, the system calculates the airtime used by each packet and drops all packets that exceed the congured maximum percentage. By restricting non-

unicast traffic, you limit the impact of broadcasts and multicasts on overall system performance. Optimized Multicast for power save Click to optimize for power save. Adaptable rate for Multicast Click to enable adaptable rate capabilities. Multicast to Unicast delivery Click to set the Multicast to Unicast delivery method from the drop-

down list. D Min. Basic Rate Enhanced Rate Control 11n Settings Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients. For each radio, click the minimum data rate that must be supported by all stations in a BSS:

Click 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes. Click 6, 12, or 24 Mbps for 11g-only mode. Click 6, 12, or 24 Mbps for 11a mode. raft Click a protection type, CTS Only or RTS CTS, when a 40 MHz channel is used. This protects high throughput transmissions on extension channels from interference from non-11n APs and clients. Type the maximum length of the aggregate MPDU. The value range is 1024-65535 bytes. Type the extension channel threshold percentage, which if exceeded, disables transmissions on the extension channel (40 MHz). Click an aggregate MPDU mode: Enabled or Disabled. Aggregate MPDU provides a signicant improvement in throughput. Click an aggregate MSDU mode: Enabled or Disabled. Aggregate MSDU increases the maximum frame transmission size. Type the maximum number of sub-frames of the aggregate MPDU. The value range is 2-64. Protection Mode Protection Type Extension Channel Busy Threshold Aggregate MSDUs Aggregate MPDUs Aggregate MPDU Max Length Agg. MPDU Max # of Sub-frames ADDBA Support LDPC Click an ADDBA support mode: Enabled or Disabled. ADDBA, or block acknowledgement, provides acknowledgement of a group of frames instead of a single frame. ADDBA Support must be enabled if Aggregate MPDU is enable. Click an LDPC mode: Enabled or Disabled. LDPC increases the reliability of the transmission resulting in a 2dB increased performance compared to traditional 11n coding. ExtremeWireless V10.41.06 User Guide 155 Conguring the ExtremeWireless APs Table 14: AP Default Settings (continued) FField Description STBC TxBF Click an STBC mode: Enabled or Disabled. STBC is a simple open loop transmit diversity scheme. When enabled, STBC conguration is 2x1

(two spatial streams combine into one spatial stream). TXBF will override STBC if both are enabled for single stream rates. Tx Beam Forming is a technique of re-aligning the transmitter multipath spatial streams phases in order to get better signal-to-noise ratio on the receiver side. Click a TXBF mode: For the AP37xx and AP38xx models, valid values are Enabled or Disabled. For the 39xx APs, this setting is only available on Radio1 and valid values are MU-

MIMO and Disabled. Conguring Wireless AP Properties D Wireless APs are added with default settings, which you can adjust and congure according to your network requirements. In addition, you can modify the properties and the settings for each radio on the AP. Conguring AP settings can include the following processes:

Modifying the Status of a Wireless AP on page 156 AP Properties Tab Conguration on page 159 Setting Up the Wireless AP Using Static Conguration on page 199 You can also locate and select APs in specic registration states to modify their settings. For example, this feature is useful when approving pending APs when there are a large number of other APs that are already registered. On the AAccess Approval screen, click Pending to select all pending APs, then click Approve to approve all selected APs. raft If during the discovery process, the controller security mode was Allow only approved Wireless APs to connect, then the status of the AP is Pending. Modify the security mode to Allow all Wireless APs to connect. When conguring APs, you can choose to congure individual APs or simultaneously congure a group of APs. For more information, see AP Multi-Edit Properties on page 111 . Modifying the Status of a Wireless AP Related Links Security Mode on page 124 AP Rehoming on page 156 AP Actions on page 128 AP Rehoming You can balance your AP deployment by switching an AP from local to foreign (and from foreign to local). The AP will continue providing service without interruption while the APs are redeployed. If the availability link is down, the conversion will be completed when the link is established. ExtremeWireless V10.41.06 User Guide 156 Conguring the ExtremeWireless APs The rehomed AP will establish an active tunnel to the new controller and radio conguration is preserved once conversion is complete. WLAN assignments are not affected by rehoming. WDS and Mesh APs cannot be converted from local to foreign. A rehomed AP will be removed from load balance groups. AP Dashboard ExtremeWireless offers a dashboard of statistical information for each AP in the network. The following information is displayed for each AP:

IP address. Supports both IPv4 and IPv6 addresses. IoT MAC. Mac address for the Internet of Things enablement. Displays for AP3912 and AP3916 when D IoT is enabled. Model Number Software version running on the AP Country AP Role Number of 802.3 clients (AP3912) Camera IP (AP3916) Number of radios Channel number if applicable Channel Mode Power level raft AP properties for these access points display the IoT MAC address and channel and the TX Power Level for the BLE radio when the IoT is enabled. The following APs offer integrated BLE/802.15.4 radios: AP3912i , AP3915i/e, AP3916ic, AP3917i/e/k. Figure 28: AP3916 Dashboard with IoT Enabled The dashboard displays a graphical representation over the last hour for the following:

Client count. Associated clients per radio Devices by Type classication Noise oor for both bands Channel utilization for both bands ExtremeWireless V10.41.06 User Guide 157 Conguring the ExtremeWireless APs ftFigure 29: AP Dashboard Displays the number of clients on each radio in 10-minute intervals. Use this information to gain visibility over time into AP utilization per radio. Details for the AP3912 and AP3916 show the number of 802.3 clients. These are clients that utilize the wired client ports that are available on these AP models. CClients Devices by Type Offers visibility into the type of devices connected to your network by percentage. Use this information to understand the BYOD usage on your network. Noise (dBm) ExtremeWireless V10.41.06 User Guide 158 Conguring the ExtremeWireless APs Tracks the noise level for each AP radio in 10-minute intervals. Use this information to understand channel performance over time. CChannel Utilization (%) Tracks the percentage of traffic on each radio. Use this information to understand channel usage over time, in 10-minute intervals. Click Congure to display conguration options for the AP. For more information, see AP Properties Tab Conguration on page 159. Related Links AP Properties Tab Conguration on page 159 Channel Inspector Report on page 637 AP Properties Tab Conguration D Use the AP Properties tab to view and congure basic AP properties. Some of the AP properties can be viewed and congured via the Advanced dialog. From the top menu, click AP. 1 2 Click the appropriate wireless AP in the list (not the check box). The AAP dashboard displays. For more information, see AP Dashboard on page 157. raft ExtremeWireless V10.41.06 User Guide 159 Conguring the ExtremeWireless APs 3 Click Congure. The AAP Properties tab displays. ft Related Links AP Dashboard on page 157 AP Properties Tab - Basic Settings on page 161 AP Properties Tab - Advanced Settings on page 164 Professional Install Settings on page 166 Assigning Wireless AP Radios to a VNS on page 168 Conguration Parameters for Radio Properties on page 180 Conguring IoT Applications on page 189 Setting Up the Wireless AP Using Static Conguration on page 199 Setting Up 802.1x Authentication for a Wireless AP on page 203 ExtremeWireless V10.41.06 User Guide 160 AP Properties Tab - Basic Settings FField Serial #

Host Name Name Conguring the ExtremeWireless APs Description Read-only. Displays a unique identier (serial number) that is assigned during the manufacturing process. Read-only. This value, which is based on AP Name, cannot be directly edited. This value depicts the AP Host-Name value. If the AP Name value does begin with a number, for example when it is the AP serial number, the AP model is prepended to the value. This value is used for tracking purposes on the DHCP server. The default value of the AP Name is the serial number, but it can be modied to any desired AP Name. Supported characters include:

alphanumeric, blank space, hyphen, underscore, and period. Up to 255 characters. Location D Dene the location of the AP. When a client roams to an AP with a different location, Area Notication is triggered. The Area Notication feature is designed to track client locations within pre-dened areas using either the Location Engine (for more information, see Conguring the Location Engine on page 609) or the AP Location eld. When the clients change areas, a notication is sent. Location functionality on the AP is useful when access to Extreme Management Center OneView is not available. Zone is a label that can be sent to a RADIUS server in place of an AP BSSID in the called-station-id attribute. It can be easier to base authorization decisions on the zone label rather than on the BSSID. Each AP can have its own Zone label although it is often useful to assign the same Zone to multiple APs. raft Select Indoor or Outdoor. This property is available for outdoor APs only, indicating where the AP is deployed. The Outdoor APs can be deployed in both indoor and outdoor environments. AP placement should depend on the country of operation that is selected and the country regulatory domain requirements for radio emissions. For more information, see Outdoor Access Point Installation on page 167. Read only. The Topology name with which the AP is registered. Type comments for the AP. Zone Description Topology AP Environment ExtremeWireless V10.41.06 User Guide 161 FField Hardware Type Conguring the ExtremeWireless APs Description Select the hardware model of this AP from the drop-down menu. With ExtremeWireless v10.01 each controller is licensed in a specic domain. There are three types of domain licenses: FCC, ROW, EGY, and MNT. The ExtremeWireless user interface reects the domain of the controller. The following are use cases for each domain:

A wireless controller with an FCC license can manage AP37xx, AP38xx, and AP39xx-FCC. These access points can be deployed in the United States, Puerto Rico, or Colombia. A wireless controller with a ROW license can manage AP37xx, AP38xx, and AP39xx-ROW. These access points can be deployed in any country except the United States, Puerto Rico, Egypt, or Colombia. A wireless controller with a MNT license can manage only domain-

locked access points, which are the AP39xx-FCC and the AP39xx-

ROW only. The AP39xx-FCC must be deployed in the United States, Puerto Rico, or Colombia. The AP39xx-ROW must be deployed in any country except the United States, Puerto Rico, Egypt, or Colombia. D Application Version Status Active Clients AP38xx, and AP39xx-EGY. Displays the ExtremeWireless release version. A wireless controller with a EGY license can manage AP37xx, Note: The AP37xx and AP38xx cannot connect to a controller licensed in the MNT domain. raft Approved Indicates that the AP has received its binding key from the controller after the discovery process. If no status is shown, that indicates that the AP has not yet successfully been approved for access with the secure controller. You can modify the status of an AP on the Access Approval screen. For more information, see Modifying the Status of a Wireless AP on page 156. Displays the number of wireless devices currently associated with the AP. ExtremeWireless V10.41.06 User Guide 162 Conguring the ExtremeWireless APs FField Role Description Displays the role for the AP. Note: You can only view these options here. You cannot change them. D Country Related Links AP Properties Tab - Advanced Settings on page 164 Options include:

Traffic Forwarding Normal Operation. Applies to all APs. Guardian Once the AP is congured as a Guardian, the AP stops forwarding traffic and dedicates both radios to threat detection and countermeasures. For more information, see Conguring an AP as a Guardian on page 221. The AP can be congured in one of three sub-modes:

Out-of-Service with its radios off Providing full bridging functionality without RADAR Providing full bridging functionality and In-Service RADAR. For more information, see Conguring a Guardian Scan Prole on page 577. Click the country of operation. AirDefense Sensor AP39xx integration with the AirDefense Services Platform (ADSP). Alternative to the Guardian AP conguration. For more information, see Conguring an AirDefense Prole on page 568. Note: The antenna you select determines the available channel list and the maximum transmitting power for the country in which the AP is deployed. raft ExtremeWireless V10.41.06 User Guide 163 Conguring the ExtremeWireless APs AP Properties Tab - Advanced Settings FField Poll Timeout Secure Tunnel D Description Type the timeout value, in seconds. The AP uses this value to trigger re-

establishing the link with the Controller if the AP does not get an answer to its polling. The default value is 10 seconds. Note: If you are conguring session availability, the Poll Timeout value should be 1.5 to 2 times of Detect link failure value on AP Properties screen. For more information, see Session Availability on page 545. This feature, when enabled, provides encryption, authentication, and key management between the AP and/or controllers. Select the desired Secure Tunnel mode from the drop-down list:

Disabled Secure Tunnel is turned off and no traffic is encrypted. All SFTP/SSH/TFTP traffic works normally. Encrypt control traffic between AP & Controller An IPSEC tunnel is Note: This option is not available for AP3805 models. established from the AP to the controller and all SFTP/SSH/TFTP/

WASSP control traffic is encrypted. The AP skips the registration and authentication phases and when selected, the Secure Tunnel Lifetime feature can be congured. Encrypt control and data traffic between AP & Controller This mode only benets routed/bridged@Controller Topologies. An IPSEC tunnel is established from the AP to the controller and all SFTP/SSH/TFTP/

WASSP control and data traffic is encrypted. The AP skips the registration and authentication phases, and when selected, the Secure Tunnel Lifetime feature can be congured. raft controller, no traffic is encrypted, and all SFTP/SSH/TFTP traffic works normally. The AP skips the registration and authentication phases and when selected, the Secure Tunnel Lifetime feature can be congured. Note: Changing the Secure Tunnel Lifetime setting will not cause any AP disruption. Note: Changing a Secure Tunnel mode will automatically disconnect and reconnect the AP. Available when Secure Tunnel is enabled. Enter an interval (in hours) at which time the keys of the IPSEC tunnel are renegotiated. Debug mode An IPSEC tunnel is established from the AP to the Click to enable or disable SSH for access to the AP. Secure Tunnel Lifetime Enable SSH Access Enable location-based-service Enable or disable the AeroScout, Ekahau, or Centrak location-based service for the AP. Maintain client session in event of poll failure Select this option (if using a bridged at AP VNS) if the AP should remain active if a link loss with the controller occurs. This option is enabled by default. Restart service in the absence of controller Select this option (if using a bridged at AP VNS) to ensure the APs radios continue providing service if the APs connection to the controller is lost. If this option is enabled, it allows the AP to start a bridged at AP VNS even in the absence of a controller. ExtremeWireless V10.41.06 User Guide 164 Conguring the ExtremeWireless APs FField Description Use broadcast for disassociation Enable LLDP D Maintenance Guide. Announcement Interval Select this option if you want the AP to use broadcast disassociation when disconnecting all clients, instead of disassociating each client one by one. This affects the behavior of the AP under the following conditions:

If the AP is preparing to reboot or to enter one of the special modes

(DRM initial channel selection). If a BSSID is deactivated or removed on the AP. This option is disabled by default. Click to enable or disable the AP from broadcasting LLDP information. This option is disabled by default. If SNMP is enabled on the controller and you enable LLDP, the LLDP Conrmation dialog is displayed. Select one of the following:

Proceed (not recommended) Select this option to enable LLDP and keep SNMP running, and then click OK. Disable SNMP publishing, and proceed Select this option to enable LLDP and disable SNMP, and then click OK. For more information on enabling SNMP, see the ExtremeWireless Note: The Time to Live value cannot be directly edited. The Time to Live value is calculated as four times the Announcement Interval value. If LLDP is enabled, type how often the AP advertises its information by sending a new LLDP packet. This value is measured in seconds. If there are no changes to the AP conguration that impact the LLDP information, the AP sends a new LLDP packet according to this schedule. raft If LLDP is enabled, type the announcement delay. This value is measured in seconds. If a change to the AP conguration occurs which impacts the LLDP information, the AP sends an updated LLDP packet. The announcement delay is the length of time that delays the new packet delivery. The announcement delay helps minimize LLDP packet traffic. Click to Enable or Disable IP Multicast Assembly on this Wireless AP. If Enabled, the IP Multicast Assembly feature assembles multicast data packets that were too large to t the MTU size of the tunnel and were fragmented in order to t the tunnel header. This feature is disabled by default. When enabled, this setting avoids channel overlap by shrinking channels, when ACS detects an overlapping BSS. Before a radio provides service, it performs an overlapping BSS coexistence scan to ensure that the radio's channel will not overlap with a nearby operating AP's secondary channels. This behavior is in accordance with the 802.11 standard and provides data to the Channel Inspector Report. If the channel width is set to 40 or 80 MHz and an overlap is detected, ACS shrinks the channel to 20 or 40MHz to avoid the overlap. When this setting is disabled, the radio starts the service in spite of the overlap. By default, this option is enabled for newly deployed APs and is disabled for existing AP deployments, ensuring backward compatibility with previous ExtremeWireless releases. Announcement Delay IP Multicast Assembly Active OBSS channel width adjustment Balanced Channel List Power This simplies power settings such that they will function across all channels in the channel plan. ExtremeWireless V10.41.06 User Guide 165 Conguring the ExtremeWireless APs FField Description Low Power Mode Override Check this box to have AP ALWAYS operate in 4x4 mode regardless of what was negotiated with the Switch PoE. When this option is cleared, the AP operates in 2x2 or 4x4 depending on what was negotiated with the Switch PoE using the 2-event classication. AP sends Power Status element with "Power Mode" set to 0 when "Low Power Mode Override" is enabled. AP sends Critical Log "entering Low Power mode" only if negotiated .af with Switch PoE and "Low Power Mode Override" is disabled. Otherwise, Critical Log is not sent. Controller "Network Health" shows only APs that have "Power Mode"

bit in the Power Status set to 1. The default conguration for the 39xx AP is disabled. LED Real Capture D Select the desired LED pattern from the drop-down list. Options include:

Off, WDS Signal Strength, Identify, and Normal. Click Start to start real capture server on the AP. Default capture server timeout is set to 300 seconds and the maximum congurable timeout is 1 hour. While the capture session is active, the AP interface operates in promiscuous mode. From the Wireshark GUI, set the capture interface to the IP address of the selected AP, and select null authentication. Once Wireshark connects to the AP, the AP's interfaces are listed as available to capture traffic. eth0 is the wired interface, wlan0 is the 5Ghz interface, and wlan1 is the 2.4Ghz interface. You can capture bidirectional traffic on eth0, wi0, and wi1. The capture on wi0 and wi1 does not include internally generated hardware packets by the capturing AP. The capturing AP does not report its own Beacons, Retransmission, Ack and 11n Block Ack. If this information is needed, perform Real Capture from a second AP that is close by. Make sure both APs are on the same wireless channel. Broadcast an SSID to activate the radios, but do not broadcast the SSID of the AP you are troubleshooting. You do not want the clients to connect to the second capturing AP. Capture statistics are found on the Active Wireless APs report (see Viewing Statistics for APs on page 627). raft Related Links AP Properties Tab - Basic Settings on page 161 Professional Install Settings The Professional Install option is only available for AP models with external antennas. The elds and corresponding antenna value options that appear on the PProfessional Install dialog depend on the selected AP and the antenna models that are available. Select an antenna for each available port. By default, the two antennas must be identical. However, you have the option to select No Antenna for the second antenna port. The AP3915e and AP3917e access point models offer an external IoT antenna. Select the antenna model from the drop-down eld. Choose the desired attenuation for each radio from the drop-down list. Selectable range is from 0 to 30 dBI. ExtremeWireless V10.41.06 User Guide 166 Conguring the ExtremeWireless APs Figure 30: Professional Install dialog AP3917 D Outdoor Access Point Installation an outdoor installation. When a transmitter is placed indoors and the antenna is oriented to intentionally radiate outdoors, The FCC regulations for the indoor and outdoor installation are different. The professional installer must congure the access point transmitters accordingly. Products that are specically intended to be placed outdoors are congured at the factory for compliant outdoor operation. Professional installers should review the following to assess the legality of outdoor deployments:

When a transmitter is placed indoors but the antenna is placed outdoors, the FCC interprets this as raft Antenna gain is the ratio of an antenna's radiation intensity in a given direction to the intensity produced by a no-loss, isotropic antenna radiating equally in all directions. An antenna's gain along the horizon and at an elevation of 30 degree may vary. The elevation gain is dened as the maximum antenna gain at 30 to 150 degrees above the horizon. If elevation gain is congured, the transmit (TX) power calculations maximize the allowable TX power for an elevation below 30 degree. When the transmitter is placed on a loading dock or inside a covered stadium with a retractable cover, the FCC views this as an outdoor installation. the FCC interprets this as an outdoor installation. Antenna Gain Access Points must conform to U.S. Federal Communications Commission's (FCC) limitations. FCC has now stipulated a 21dBm Effective Isotropic Radiated Power (EIRP) limit for power directed 30 degrees above the horizon. For Extreme Networks -supplied antennas, compatible with 5.0 GHz on the access point, refer to the Antenna Guide for Elevation Gain information. If using a third-party antenna, you must obtain the antenna-elevation gain information from the antenna manufacturer. The elevation gain should be congured if the access point:

Is deployed outdoors, and ExtremeWireless V10.41.06 User Guide 1167 Conguring the ExtremeWireless APs Is used with a dipole antenna (Panel antennas and polarized antennas are for point to point only and are excluded from this requirement.) and Is transmitting in the 5.15 - 5.25 GHz Unlicensed National Information Infrastructure-1 (UNII-1) band. Professional installers must complete the following steps to ensure compliance with the FCC rule:

NNote ExtremeWireless determines the antenna peak gain and elevation gain based on the user congured settings. 1 Congure the antenna type from the PProfessional Install dialog. 2 Congure the antenna placement from the AP Environment eld on the AAP Properties tab. 3 Congure the Country eld on the AAP Properties tab. Related Links Assigning Wireless AP Radios to a VNS AP Properties Tab - Basic Settings on page 161 Professional Install Settings on page 166 Outdoor Access Point Installation on page 167 The rmware uses this information with hardcoded maximum limits (that are determined during testing) to limit the EIRP below 21dBm for outdoor use in UNII-1 band. For information on specic antennas, refer to the ExtremeWireless External Antenna with Wave 2. D The following describe methods of assigning AP radios to a VNS:

VNS conguration When a VNS is congured, you can assign AP radios to the VNS through its associated WLAN Service. For more information, see Conguring WLAN Services on page 318. raft Note To congure foreign AP radios to a VNS, use the VNS conguration method. Foreign APs are listed and available only for VNS assignment from the WLAN Services tab. For more information, see Conguring a VNS on page 390. AP Multi-edit When you congure multiple APs simultaneously, use the AP Multi-edit feature. For Wireless AP conguration When you congure an individual AP, assign its radios to a specic more information, see AP Multi-Edit Properties on page 111 . WLAN Service. To assign wireless AP radios when conguring an AP:

From the top menu, click AP. 1 2 Click the appropriate AP in the list (not the check box). The AAP Details dialog is displayed. 3 Click Congure. The AAP Properties tab is displayed. ExtremeWireless V10.41.06 User Guide 168 Conguring the ExtremeWireless APs 4 Click the WWLAN Assignment tab. ft Note Airtime % is available for AP38xx and AP39xx access point models that are assigned WLANS congured with Reserved Airtime. 5 In the Radio 1 and Radio 2 columns, select the radio check box that you want to assign for each WLAN Service. 6 To save your changes, click Apply. Related Links Assigning WLAN Services to Client Ports on page 170 AP Properties Tab Conguration on page 159 Conguration Parameters for Radio Properties on page 180 Setting Up 802.1x Authentication for a Wireless AP on page 203 ExtremeWireless V10.41.06 User Guide 169 Conguring the ExtremeWireless APs AP Multi-Edit Properties on page 111 Conguring Airtime Fairness: Reservation Mode on page 406 NEW! Assigning WLAN Services to Client Ports When conguring client ports on access point models AP391x that offer client ports, you can assign one or more client ports to a single WLAN service. Client ports offer 802.1x authentication and policy support. NNote Network access for the AP3916ic camera function is controlled through policy denition, assigned as a the CAM port. The camera port on the AP3916 is treated as a wired client port. From the top menu, click AP. 1 2 Select a specic AP. D AP as a border gateway router. The AAP Properties dialog appears. 3 Click Congure. 4 Select the WWLAN Assignment tab. 5 Select one or more client ports for each WLAN Service. Port options depend on the AP model you select:

AP3912 supports wired client ports 1-3. AP3916ic supports the wired CAM port for a camera. AP3917i/e supports 1 client port. Additionally, all the AP391x models, including AP3915i/e, support IoT Thread Gateway using the raft The wired ports for the AP391x default to auto-negotiation for speed and mode. To congure xed speed and mode values (for instance, 100Mbps and Full Duplex), select the SStatic Conguration tab and select the speed and mode settings for the Ethernet port and each client port. Congure the values that the client hardware supports. All Port Assignments:

One WLAN can be assigned per port. The assignment enables the port. Wireless and wired users associated to the same WLAN service receive identical service. They are affected by the same policies and lters. ExtremeWireless V10.41.06 User Guide 170 Conguring the ExtremeWireless APs ftFigure 31: Port Conguration for AP3912 Wired Ports CCAM Port Assignments:

The topology associated with the role that is assigned to the CAM port (either through WLAN assignment or through device MBA authentication) must be congured to allow ONVIF camera discovery and video streaming. Congure the default topology to explicitly allow multicast bridging of WS-Discovery group (239.255.255.0). When the camera port is unassigned, it is disabled, and the camera is disconnected from the network and turned off. One policy denition for wired and wireless users. Users on wired ports can receive the same default policy. However, the camera function (CAM) can be assigned a specic device policy to separate user service and video surveillance networks. The camera function can be assigned to B@AP and B@AC topologies and Mac Based Authentication for dynamic policies. ExtremeWireless V10.41.06 User Guide 171 Conguring the ExtremeWireless APs Congure MAC authentication (MBA) for network attached devices or collect device metrics through RADIUS accounting from the AAuth&Acct tab. WLAN SSID, Privacy, and QoS settings are not relevant for the camera functionality. Captive Portal and 802.1x are not supported on the CAM port. Note Bind the WLAN Service to the VNS to activate service. aft Figure 32: WLAN Services Port Assignment ExtremeWireless V10.41.06 User Guide 172 Conguring the ExtremeWireless APs D Figure 33: Assigning Ports to WLAN Service on the AP3912 raft Figure 34: Assigning the Camera Port to WLAN Service on the AP3916ic ExtremeWireless V10.41.06 User Guide 1173 Conguring the ExtremeWireless APs Dynamic Radio Management (DRM) Conguring Wireless AP Radio Properties D RRelated Links Figure 35: Assigning the IoT Port to WLAN Service on the AP3915 Conguring IoT Applications on page 189 Setting Up the Wireless AP Using Static Conguration on page 199 Conguring Common Conguration Default AP Settings on page 135 raft Wireless AP radio properties can vary depending on the model of the AP being congured. For specic information on modifying a wireless 802.11n AP, see Modifying 11n and 11ac Wireless AP Radio Properties on page 178. Consider the following deployment methodologies:

Plan the wireless RF deployment using various site survey methodologies including the ExtremeCloud RF planner. Congure each APs channel width and channel according to the RF plan. Use the DRM automatic tool to congure the deployed APs channel width and channel according to the channel plan. Use DRM Auto Channel Selection (ACS) to automatically assign the APs to appropriate channels and channel width. Use Auto Tx Power Control (ATPC) to set transmit power and let the AP dynamically adapt transmit power. Use Dynamic Channel Selection (DCS) to monitor channel occupancy around the APs and optionally allow the AP to dynamically adapt the channel. ExtremeWireless V10.41.06 User Guide 174 Use the Dynamic Radio Management (DRM) controller function to establish the optimum radio conguration for your APs. Conguring the ExtremeWireless APs The controllers DRM functionality:

Adjusts transmit power levels to balance coverage between APs assigned to the same RF domain and operating on the same channel. Triggers ACS for all selected APs in the deployment, simultaneously. The APs determine the deployment density and the optimal channel width for the selected group. Density deployment is based on the following factors:

The number of channels congured in the channel list The number of APs that have to be set up The number of detected APs that do not belong to the deployment. Each AP is set to the best available channel. The channel inspector displays the RF environment seen by each AP. Use the Channel Inspector Report to understand why an AP selects a channel and, if necessary, to make manual adjustments. D AP39xx and AP38xx perform overlapping BSS (OBSS) scan every time the radio is restarted. This scan results are used as follows:

Channel inspector is always updated with the latest RF environment seen by the AP. If the channel width is set to 40MHz or 80MHz and the AP property Active OBSS channel width adjustment is enabled, the AP shrinks its channel to avoid overlapping with other APs detected in the area. (An OBSS overlap occurs when a primary channel and a secondary channel overlap.) After the interfering AP is shut down and the APs radio is reset, the channel width returns to 40MHz or 80MHz. NNote When setting a xed channel width to 40 MHz or 80 MHz, the Active OBSS channel width adjustment setting must be disabled. This setting is disabled by default for existing APs in order to maintain existing behavior and the existing channel plan. For APs that are newly added to the network, this setting is enabled by default. raft When a RADAR event is detected, the channel is marked and the AP selects a new channel from the allowed channel list. After 30 minutes, if there are no clients associated with the AP, the AP returns to the original channel. If there are associated clients, the AP tries to return to the original channel every ve minutes until there are no clients associated with the radio. AP39xx and AP38xx return to original channel after a RADAR event in order to restore original The DRM feature consists of three functions:

channel plan. Auto Channel Selection (ACS) ACS provides an easy way to optimize channel arrangement based on the current situation in the eld. An optimal solution is provided only if ACS is triggered on all APs in a deployment, or all APs placed in a distinct area like a oor. ACS forces the channel width selection of the involved APs to Auto width. The ACS algorithm selects the optimal channel width for all the selected APs and places each AP on the best channel available in its area. Use the Channel Inspector Report to visualize why the AP was placed on the selected channel. Triggering ACS on a single AP or on a subset of APs can be useful but it is not an optimal solution. The ACS algorithm places the selected APs as best it can considering the channels occupied by other ExtremeWireless V10.41.06 User Guide 175 Conguring the ExtremeWireless APs operating APs. ACS relies on the RF channel information observed at the time it is triggered. Once an AP has selected a channel, it remains operating on that channel until you change the channel or trigger ACS again. ACS can be triggered by one of the following events:

A new AP registers with the controller and the AP Default Settings channel is Auto. A user selects Auto from the Request New Channel drop-down list on the Wireless APs radio conguration tabs. A user selects Auto from the Channel drop-down list on the AAP Multi-edit screen. If Dynamic Channel Selection (DCS) is enabled in active mode and a DCS threshold is exceeded. A Wireless AP detects radar on its current operating channel and it employs ACS to select a new radar free channel. The AP returns to the original channel under the following condition:

A 30-minute Non-Occupancy timer expired per the DFS standard. The AP does not disrupt service to any clients. Channel Plan The ACS algorithm selects channels from the congured channel plan. You can Multi-Edit The best way to trigger ACS between multiple APs is to use the AP Multi Edit option. D You can initiate ACS from the Channel Inspector Report. ACS is triggered for Site deployments or Cloud deployments by sending the ACS command to one of the member APs, which will distribute the ACS command to all other member APs. Each Site is considered an RF domain. dene the channel plan for each AP or accept the default plan. It is recommended that all APs in a deployment have identical channel plans. Dening a channel plan allows you to limit the available channels for use during an ACS scan. For example, you may want to avoid using specic channels because of allowed power limits on that channel or regulatory domain, or avoid DFS channel RADAR interference. raft First, select Radio 1 or Radio 2 actions, and then select Auto Channel Select. APs that congure ACS together, must all be part of the same RF domain. Therefore, set the RF Domain before ACS is started. ACS between multiple APs must start at the same time. DCS allows a Wireless AP to monitor RF channel conditions and noise levels on the channel on which the AP is currently operating. DCS can operate in the following modes:

Monitor When DCS is enabled in monitor mode the AP monitors channel occupancy and traffic or noise levels on the channel on which the AP is currently operating. The DCS monitor alarm and generated stats can be used to evaluate the RF environment of your deployed APs. Active When DCS is enabled in active mode and channel occupancy traffic or noise levels exceed the congured DCS thresholds, ACS is triggered to move the AP from a busy / noisy channel to the best available channel. Also, an alarm is triggered and an information log is generated. Dynamic Channel Selection (DCS) Note If DCS is enabled, DCS statistics can be viewed in the Wireless Statistics by Wireless APs display. For more information, see Working with Reports and Statistics on page 621. Related Links AP Properties Tab - Advanced Settings on page 164 Use Cases for Dynamic Radio Management on page 178 Conguration Parameters for Radio Properties on page 180 ExtremeWireless V10.41.06 User Guide 176 Conguring the ExtremeWireless APs AP Multi-Edit Properties on page 111 Radio Advanced Properties on page 184 Channel Inspector Report on page 637 ATPC The purpose of ATPC is to automatically adjust the coverage cell around an AP. During initial deployment, the Tx Power of each AP is adjusted to provide coverage without overlapping the coverage cell of a neighboring AP. To maintain optimal performance, it is important to maintain a small cell sizes to encourage WLAN clients to roam to the closest AP and operate at high data rates. This practice frees the channel as fast as possible and reduces congestion. Setting the AP transmit power too high can cause interference and potentially exceed useful bounds. Setting the AP transmit power too low may introduce coverage gaps in the installation. D When all APs are operating, the cells size of each AP is adjusted to cover the surrounding area. If one AP fails, the APs around it increase their Tx Power, increasing the cell size, and compensating for the loss of the failed AP. If an RF obstructing object is moved between the APs, the APs increase Tx Power in order to maintain coverage. ATPC operates over a group of APs congured to participate in the same RF domain. Congure the RF Domain parameter as a unique string across all the APs that provide service coverage, ensuring that cell shaping is not inuenced by non-participating APs. ATPC operates by periodically broadcasting custom probe requests that allow the other APs in range to determinate the RF Distance / Path Loss to the sending AP. Every 10 seconds, each AP evaluates the Path Loss to its neighbors. If Path Loss is less then 70dB, the AP reduces its Tx Power. If the Path Loss is more than 70dB, the AP boosts its Tx Power. raft The ATPC feature is congured for each radio. When you check Auto Tx Power Ctrl (ATPC) check box, you are enabling the radio to participate in the AP group that collaborates to automatically adjust the cell size. When ATPC is enabled, the following parameters are available for conguration:

Max Tx Power Min Tx Power Auto Tx Power Ctrl Adj The Max and Min Tx Power parameters set the power range used by the ATPC. The Auto Tx Power Ctrl Adj parameter allows you to manually adjust the Tx Power calculated by the ATPC algorithm (either up or down). The Current Tx Power Level eld on the AP / Radio page displays the actual AP Tx Power. ATPC preserving Power Setting In some cases operators may use ATPC to initially set up the power setting of the APs over a service area, but then want to freeze this setting during normal operation of the network. When the Auto Tx Power Ctrl (ATPC)check box is cleared you have two choices:

Maintain the ATPC-acquired Tx Power value after turning ATPC off. Set the Tx Power to the Max Tx Power value. The ATPC feature allows you to use ATPC to achieve a Tx Power level required for the installation, and then statically maintain this value if ATPC is turned off. RRelated Links ExtremeWireless V10.41.06 User Guide 177 Conguring the ExtremeWireless APs Conguration Parameters for Radio Properties on page 180 Use Cases for Dynamic Radio Management The following scenarios outline use cases for Dynamic Radio Management (DRM). UUsing ACS with a set of APs When you trigger ACS for a set of APs, the channel width is automatically set to Auto and ACS determines the deployment density and the desired channel width to minimize co-channel interference. A channel plan is created with non-overlapping cells, and each AP performs an overlapping BSS (OBSS) scan to avoid channel overlap. Manually Selecting Channels and Channel Width Modifying 11n and 11ac Wireless AP Radio Properties When you select a xed channel and channel width, the AP radio is set to the requested channel and width. The AP performs an overlapping BSS (OBSS) scan and sends the results to the Channel Inspector. If the setting Active OBSS channel width adjustment is not enabled, the radio uses the manually selected channel and width, and the detected overlap is not remedied automatically. D If Active OBSS channel width adjustment is enabled, the detected overlap is corrected by shrinking the channel width before the radio is enabled. The channel width can recover after a subsequent radio reset if the OBSS scan does not detect another channel overlap. raft Channel bonding improves the effective throughput of the wireless LAN. In contrast to legacy APs which use radio channel spacings that are only 20 MHz wide, 11n wireless APs can use two channels at the same time to create a 40 MHz wide channel. 11ac wireless APs can use four channels at the same time to create an 80 MHz wide channel. The ExtremeWireless 37xx/W78xC series are 802.11n-compliant access points. AP38xx and AP39xx series are 11n and 11ac-compliant. This section describes how to congure/modify properties of an 11n or 11ac AP. The 40 MHz channel width is achieved by bonding the primary channel (20 MHz) with an extension channel. Channel Bonding Channel bonding is predened on both Radio 1 and Radio 2. Channel bonding is enabled by selecting the Channel Width on the Radio tabs. When selecting Channel Width, the following options are available:

20 MHz Channel bonding is not enabled:

802.11n clients use the primary channel (20 MHz) Non-802.11n clients, as well as beacons and multicasts, use the 802.11a/b/g radio protocols. 40 MHz Channel bonding is enabled:

802.11n clients that support the 40 MHz channel width can use 40 MHz, 20 MHz, or the 802.11a/b/g radio protocols. ExtremeWireless V10.41.06 User Guide 178 Conguring the ExtremeWireless APs 802.11n clients that do not support the 40 MHz channel width can use 20 MHz or the 802.11a/b/g radio protocols. Non-802.11n clients, beacons, and multicasts use the 802.11a/b/g radio protocols. 80 MHz Channel bonding is enabled:

802.11ac clients that support the 80 MHz channel width can use 80 MHz, 40 MHz, 20 MHz, or the 802.11a/b/g radio protocols. 802.11n clients that do not support the 80 MHz channel width can use 20 MHz, 40 MHz, or the 802.11a/b/g radio protocols. Non-802.11n clients, beacons, and multicasts use the 802.11a/b/g radio protocols. Auto Channel bonding is automatically enabled or disabled, switching between 20 MHz, 40 MHz, and 80 MHz, depending on how busy the extension channel(s) are. If the extension channel is busy above a prescribed threshold percentage, which is dened in the 40 MHz Channel Busy Threshold box, channel bonding is disabled. Aggregate MSDU and MPDU Channel Selection Primary and Extension D Guard Interval The primary channel of the wireless 802.11n AP is selected from the Request New Channel drop-down list. If auto is selected, the ACS feature selects the primary channel. The channels in the Request New Channel drop-down list show which extension channel(s) are being used for bonding. The guard intervals ensure that individual transmissions do not interfere with one another. The wireless 802.11n AP provides a shorter guard interval that increases the channel throughput. You can select the guard interval to improve the channel efficiency. The guard interval is selected from the Guard Interval drop-down list. Longer guard periods reduce the channel efficiency. raft The wireless 802.11n AP provides aggregate Mac Service Data Unit (MSDU) and aggregate Mac Protocol Data Unit (MPDU) functions, which combine multiple frames together into one larger frame for a single delivery. This aggregation reduces the overhead of the transmission and results in increased throughput. The aggregate methods are enabled and dened selected from the Aggregate MSDUs and Aggregate MPDUs drop-down lists. Wireless APs have differing numbers of antennas, internal or external, depending on the AP model. Wireless APs by default transmit on all antennas. Depending on your deployment requirements, you can congure the AP to transmit on specic antennas. You can congure the wireless 802.11ac AP to transmit on specic antennas for both radios, including all the available modes:

Radio 1 a/n/ac, ac-strict modes Radio 2 b/g, g/n, b/g/n, n-strict modes Antenna Selection When you congure the AP to use specic antennas, the following occurs:

Transmission power is recalculated The Current Tx Power Level value for the radio is automatically adjusted to reect the recent antenna conguration. It takes approximately 30 seconds for the change to the Current Tx Power Level value to be reected in the Wireless Assistant. ExtremeWireless V10.41.06 User Guide 1179 Conguring the ExtremeWireless APs Radio is reset The radio is reset causing client connections on this radio to be lost. TTo modify wireless AP radio properties:

From the top menu, click AP. 1 2 Click the appropriate wireless AP in the list (not the check box). The AAP dashboard displays. 3 Click Congure. The AAP Properties tab displays. 4 Click the Radio tab you want to modify. Conguration Parameters for Radio Properties Table 15: Radio Properties Field Description BSS Info D Base Settings Admin Mode Radio Mode - Radio 1 Select On to enable the radio; select Off to disable the radio. BSS Info is read-only. After WLAN Service conguration, the Basic Service Set (BSS) section displays the MAC address on the AP for each WLAN Service and the SSIDs of the WLAN Services to which this radio has been assigned. Click one of the following radio options for Radio 1:

a Click to enable the 802.11a mode of Radio 1 without 802.11n Note: Depending on the radio modes you select, some of the radio settings may not be available for conguration. The AP hardware version dictates the available radio modes. raft n-strict Click to enable the 802.11a mode of Radio 1 with 802.11n a/n Click to enable the 802.11a mode of Radio 1 with 802.11n ac-strict Click to enable the 802.11ac mode of Radio 1 with a/n/ac Click to enable the 802.11ac mode of Radio 1 with 802.ac strict capability. 802.11ac capability. strict capability. capability. capability. ExtremeWireless V10.41.06 User Guide 180 Conguring the ExtremeWireless APs Table 15: Radio Properties (continued) FField Description Radio Mode - Radio 2 Note: Depending on the radio modes you select, some of the radio settings may not be available for conguration. Click one of the following radio options for Radio 2:

b Click to enable the 802.11b-only mode of Radio 2. If selected, the AP uses only 11b (CCK) rates with all associated clients. g Click to enable the 802.11g-only mode of Radio 2. b/g Click to enable both the 802.11g mode and the 802.11b mode of Radio 2. If selected, the AP uses 11b (CCK) and 11g-specic

(OFDM) rates with all of the associated clients and will not transmit or receive 11n rates. g/n Click to enable both the 802.11g mode and the 802.11nb mode of Radio 2. If selected, the AP uses 11n and 11g-specic

(OFDM) rates with all of the associated clients. The AP will not transmit or receive 11b rates. D Basic Radio Settings AP uses all available 11b, 11g, and 11n rates. n-strict Click to enable the 802.11n-strict mode of Radio 2. If b/g/n Click to enable b/g/n modes of Radio 2. If selected, the selected, the AP can be congured to use 11n-strict rates with all of the associated clients. With n-strict mode enabled, the AP does not transmit or receive 11b or 11g rates. raft Type a string that uniquely identies a group of APs that cooperate in managing RF channels and transmission power levels. The maximum length of the string is 16 characters. The RF Domain is used to identify a group of APs. The RF Domain feature is part of the Auto Tx Power Control (ATPC) feature (for more information, see Conguring Wireless AP Radio Properties on page 174). Read-only. The actual channel the ACS has assigned to the AP radio. The Current Channel value and the Last Requested Channel value may be different because the ACS automatically assigns the best available channel to the AP, ensuring that a APs radio is always operating on the best available channel. Read-only. The last wireless channel that you had selected to communicate with the wireless devices. Click the wireless channel you want the wireless AP to use to communicate with wireless devices. Weather channels (116, 120, 124, 128) are supported for European compliance. See Channel Plan. Click Auto to request the ACS to search for a new channel for the AP, using a channel selection algorithm. This forces the AP to go through the auto-channel selection process again. RF Domain Current Channel Last Requested Channel Request New Channel Note: ACS in the 2.4 GHz radio band with 40 MHz channels is not recommended due to severe co-channel interference. Depending on the regulatory domain (based on country), some channels may be restricted. The default value is based on North America. For more information, refer to the appropriate AP Installation Guide. ExtremeWireless V10.41.06 User Guide 181 Conguring the ExtremeWireless APs Table 15: Radio Properties (continued) FField Description Auto Tx Power Ctrl (ATPC) Click to either enable or disable ATPC from the Auto Tx Power Ctrl drop-down list. ATPC automatically adapts transmission power signals according to the coverage provided by the AP. After a period of time, the system stabilizes itself based on the RF coverage of your Wireless APs. Note: When enabled, Min Tx Power and Auto Tx Power Ctrl Adjust parameters can be edited, and the ATPC algorithm will adjust the AP power between Max Tx power and Min Tx Power. When disabled, the Max Tx Power selected value or the largest value in the compliance table will be the power level used by the radio, whichever is smaller. Max Tx Power Current Tx Power Level D The actual Tx power level used by the AP radio. Note: If Auto Tx Power Ctrl (ATPC) is disabled, the selected value or the largest value in the compliance table will be the power level used by the radio, whichever is smaller. Displays dynamic power level based on channel selected. Select the Max TX Power from the drop-down list. The values in the Max TX Power drop-down are in dBm and will vary by AP. The values are governed by compliance requirements based on the country, radio, and antenna selected. Changing this value below the current Min Tx Power value will change the Min Tx Power to a level lower than the selected Max TX Power. If ATPC is enabled, select the minimum Tx power level that is equal or lower than the maximum Tx power level. Extreme Networks recommends that you use 0 dBm if you do not want to limit the potential Tx power level range that can be used. raft The Auto Tx Power Ctrl Adj parameter is a correction parameter that allows you to manually adjust (up or down) the Tx Power calculated by the ATPC algorithm. If ATPC is enabled, click the Tx power level that can be used to adjust the ATPC power levels that the system has assigned. It is recommended that you use 0 dBm during the initial conguration. If you have an RF plan that recommends Tx power levels for each AP, compare the actual Tx power levels your system has assigned against the recommended values your RF plan has provided. Use the Auto Tx Power Ctrl Adjust value to achieve the recommended values. Valid range is from - (Max Tx Power - Min Tx Power) dB to

(Max Tx Power - Min Tx Power) dB. Note: The Min Tx Power setting cannot be set higher than the Max Tx Power setting. Min Tx Power Auto Tx Power Ctrl Adjust ExtremeWireless V10.41.06 User Guide 182 Conguring the ExtremeWireless APs Table 15: Radio Properties (continued) FField Description Channel Plan - Radio 1 If ACS is enabled you can dene a channel plan for the AP. Dening a channel plan allows you to control which channels are available for use during an ACS scan. For example, you may want to avoid using specic channels because of low power, regulatory domain, or radar interference. For 5 GHz Radio nodes, click one of the following:

All channels ACS scans all channels for an operating channel and, when ACS is triggered, the optimal channel is selected from all available channels. D All Non-DFS Channels ACS scans all non-DFS channels for an operating channel. With ACS, the AP selects the best non-

DFS channel. Custom To congure individual channels from which the ACS All channels including weather radar ACS selects the best selects an operating channel, click Congure. The CCustom Channel Plan dialog displays. By default, all channels participate in the channel plan. Click the individual channels you want to include in the channel plan. To select contiguous channels, use the Shift key. To select multiple, non-contiguous channels in the list, use the CTRL key. Click OK to save the conguration. channel from the available channels list. Selected channel may be DFS, weather-radar DFS or non-DFS. Weather-radar channels are approved for selected AP models in selected countries. Consult the compliance information for the selected AP. raft The weather channel includes 5600-5650MHz sub-bands and requires a listening period before the AP can provide wireless service. During the listening period, the Current Channel eld for DFS channels displays the value DFS Timeout, and the weather channel elds display DFS Timeout . In Europe, the listening period can be up to 10 minutes. In the U.S., this period is 1 minute. For 2.4 GHz Radio nodes, click one of the following:

3 Channel Plan ACS scans the following channels: 1, 6, and 11 in North America, and 1, 7, and 13 in the rest of the world. 4 Channel Plan ACS scans the following channels: 1, 4, 7, and 11 in North America, and 1, 5, 9, and 13 in the rest of the world. Auto ACS scans the default channel plan channels: 1, 6, and 11 in North America, and 1, 5, 9, and 13 in the rest of the world. Custom If you want to congure individual channels from which the ACS selects an operating channel, click Congure. The AAdd Channels dialog is displayed. Click the individual channels you want to add to the channel plan while pressing the CTRL key, and then click OK. ExtremeWireless V10.41.06 User Guide 183 Conguring the ExtremeWireless APs Table 15: Radio Properties (continued) FField Description Channel Plan - Radio 2 If ACS is enabled, you can dene a channel plan for the AP. Dening a channel plan allows you to limit which channels are available for use during an ACS scan. For example, you may want to avoid using specic channels because of low power, regulatory domain, or radar interference. Click one of the following:

3 Channel Plan ACS scans the following channels: 1, 6, and 11 in North America, and 1, 7, and 13 in most other parts of the world. 4 Channel Plan ACS scans the following channels: 1, 4, 7, and 11 in North America, and 1, 5, 9, and 13 in most other parts of the world. Auto ACS scans the default channel plan channels: 1, 6, and 11 in North America, and 1, 5, 9, and 13 in most other parts of the world. Custom If you want to congure individual channels from which D View Related Links Radio Advanced Properties on page 184 Radio Actions on page 130 AP Properties Tab Conguration on page 159 Assigning Wireless AP Radios to a VNS on page 168 Setting Up the Wireless AP Using Static Conguration on page 199 Setting Up 802.1x Authentication for a Wireless AP on page 203 the ACS selects an operating channel, click Congure. The AAdd Channels dialog is displayed. Click the individual channels you want to add to the channel plan while pressing the CTRL key, and then click OK. Click to open a new dialog that displays the selected Channel Plan for the antenna. raft Advanced Dialog - Base Settings Description Type the desired DTIM (Delivery Traffic Indication Message) period the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number. Use a small number to minimize broadcast and multicast delay. The default value is 5. Radio Advanced Properties Table 16: Advanced Radio Properties Field DTIM period Beacon Period RTS/CTS Threshold Denes the time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds. Type the packet size threshold, in bytes, above which the packet is preceded by an RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346, which means all packets are sent without RTS/CTS. Reduce this value only if necessary. ExtremeWireless V10.41.06 User Guide 184 Conguring the ExtremeWireless APs Table 16: Advanced Radio Properties (continued) FField Description Frag. Threshold Maximum Distance Type the fragment size threshold, in bytes, above which the packets are fragmented by the AP prior to transmission. The default value is 2346, which means all packets are sent unfragmented. Reduce this value only if necessary. Enter a value from 100 to 15,000 meters that identies the maximum link distance between APs that participate in a WDS. This value ensures that the acknowledgement of communication between APs does not exceed the timeout value predened by the 802.11 standard. The default value is 100 meters. If the link distance between APs is greater than 100 meters, congure the maximum distance up to 15,000 meters so that the software increases the timeout value proportionally with the distance between APs. Do not change the default setting for the radio that provides service to 802.11 clients only. D Dynamic Channel Selection Advanced Dialog - Basic Radio Settings To enable Dynamic Channel Selection, click one of the following:

Monitor Mode If enabled, a selection of DCS Interference Events appears in a separate dialog. If traffic or noise levels exceed the congured DCS thresholds, an alarm is triggered and an information log is generated. Active Mode If enabled, a selection of DCS Interference Events appears in a separate dialog. If traffic or noise levels exceed the congured DCS thresholds, an alarm is triggered and an information log is generated. In addition, the AP ceases operating on the current channel and ACS is employed to automatically select an alternate channel for the AP to operate on. raft Click the minimum data rate that must be supported by all stations in a BSS: 6, 12, or 24 Mbps and MCS0-MCS7 for n Radio (MCS0, 1 to MCS7,1 for a/n/c radio). If necessary, the Max Basic Rate choices adjust automatically to be higher or equal to the Min Basic Rate. Click to Enable Probe Suppression. Forced Disassociate Click to enable. RSS Threshold 90 (Range of -50 to -100). Applies to AP37xx, AP38xx, and AP39xx series APs. Advanced Dialog - Multicast Settings Enter the maximum percentage of time that the AP transmits non-

unicast packets (broadcast and multicast traffic) for each congured Beacon Period. For each non-unicast packet transmitted, the system calculates the airtime used by each packet and drops all packets that exceed the congured maximum percentage. By restricting non-

unicast traffic, you limit the impact of broadcasts and multicasts on overall system performance. Probe Suppression Min. Basic Rate Max % of non-unicast traffic per Beacon period Optimized for power save Click to optimize for power save. Adaptable rate Click to enable adaptable rate capabilities. Multicast to Unicast delivery Click to set the Multicast to Unicast delivery method from the drop-

down list. ExtremeWireless V10.41.06 User Guide 185 Conguring the ExtremeWireless APs Table 16: Advanced Radio Properties (continued) FField Description Guard Interval Protection Mode Extension Channel Busy Threshold Advanced Dialog - 11n Settings Intended to eliminate interference between symbols during transmission. It is the space between the symbols being transmitted. Valid values are Long or Short. Enabling Short Guard Interval increases throughput, but can increase interference. Enabling Long Guard Interval can increase overhead due to additional idle time. Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients. Click a protection type, CTS Only or RTS CTS, when a 40 MHz channel is used. This protects high throughput transmissions on extension channels from interference from non-11n APs and clients. Aggregate MSDUs D Aggregate MPDUs Aggregate MPDU Max Length Agg. MPDU Max # of Sub-frames Click an aggregate MSDU mode: Enabled or Disabled. Aggregate MSDU increases the maximum frame transmission size. Click an aggregate MPDU mode: Enabled or Disabled. Aggregate MPDU provides a signicant improvement in throughput. Type the maximum number of sub-frames of the aggregate MPDU. The value range is 2-64. Type the maximum length of the aggregate MPDU. The value range is 1024-65535 bytes. For the 802.11ac radio (Radio 1 of the AP38xx), the range is 1024-1048575. raft Click an ADDBA support mode: Enabled or Disabled. ADDBA, or block acknowledgement, provides acknowledgement of a group of frames instead of a single frame. ADDBA Support must be enabled if Aggregate APDU is enable. Click an STBC mode: Enabled or Disabled. STBC is a simple open loop transmit diversity scheme. When enabled, STBC conguration is 2x1

(two spatial streams combine into one spatial stream). TXBF overrides STBC if both are enabled for single stream rates. Click an LDPC mode: Enabled or Disabled. LDPC increases the reliability of the transmission resulting in a 2dB increased performance compared to traditional 11n coding. Tx Beam Forming is a technique of re-aligning the transmitter multipath spatial streams phases in order to get better signal-to-noise ratio on the receiver side. Click a TXBF mode: For the AP37xx and AP38xx models, valid values are Enabled or Disabled. For the 39xx APs, this setting is only available on Radio1 and valid values are MU-

MIMO and Disabled. ADDBA Support LDPC STBC TXBF Preamble Advanced Dialog - 11b Settings Click a preamble type for 11b-specic (CCK) rates: Short or Long. Click Short if you are sure that there is no pre-11b AP or a client in the vicinity of this wireless AP. Click Long if compatibility with pre-11b clients is required. Advanced Dialog - 11g Settings ExtremeWireless V10.41.06 User Guide 186 Conguring the ExtremeWireless APs Table 16: Advanced Radio Properties (continued) FField Description Protection Mode Protection Rate Protection Type Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients. Click a protection rate: 1, 2, 5.5, or 11 Mbps. The default and recommended setting is 11. Only reduce the rate if there are many 11b clients in the environment or if the deployment has areas with poor coverage. For example, rates lower than 11 Mbps are required to ensure coverage. D Click a protection type: CTS Only or RTS CTS. The default and recommended setting is CTS Only. Click RTS CTS only if an 11b AP that operates on the same channel is detected in the neighborhood, or if there are many 11b-only clients in the environment. The overall throughput is reduced when Protection Mode is enabled, due to the additional overhead caused by the RTS/

CTS. The overhead is minimized by setting Protection Type to CTS Only and Protection Rate to 11 Mbps. The overhead causes the overall throughput to be sometimes lower than if just 11b mode is used. If there are many 11b clients, it is recommended that you disable 11g support (11g clients are backward compatible with 11b APs). An alternate approach, although potentially a more expensive method, is to dedicate all APs on a channel for 11b (for example, disable 11g on these APs) and disable 11b on all other APs. The difficulty with this method is that the number of APs must be increased to ensure coverage separately for 11b and 11g clients. raft Note Some client devices choose a 2.4 GHz radio even when a 5 GHz high-speed radio network is available. You may need to force those client devices to use only 5 GHz if you have congured high throughput only on the 5 GHz radio. To achieve high throughput with the wireless APs, congure your system as described in this section. To achieve high throughput with a wireless AP:

From the top menu, click AP. 1 2 Click the appropriate wireless AP in the list (not the check box). The AAP dashboard displays. 3 Click Congure. The AAP Properties tab displays. Achieving High Throughput with 11n and 11ac Wireless APs ExtremeWireless V10.41.06 User Guide 187 Conguring the ExtremeWireless APs 4 For Radio 2 congure the following:

In the Radio Mode drop-down list, click b/g/n. In the Channel Width drop-down list, click 40 MHz. Under Advanced Settings, in the Guard Interval drop-down list, click Short. In the 11g Settings section, click None in the Protection Mode drop-down list. NNote Do not disable 802.11g protection mode if you have 802.11b or 802.11g client devices using this AP. Instead, congure only Radio 1 for high throughput unless it is acceptable to achieve less than maximum 802.11n throughput on Radio 2. If only 802.11n devices are present, disable 11n protection and 40 MHz protection:

Protection Mode Click None. D Protection Type Click CTS only or RTS CTS.DDDNote 5 Click the Radio 1 tab, and then do the following:

Aggregate MSDUs Click Enabled. Aggregate MPDUs Click Enabled. Aggregate MPDUs Max Length Click 65535 (for the 802.11ac AP models). Agg. MPDUs Max # of Sub-frames Type 64. ADDBA Support Click Enabled. Do not disable 802.11n protection mode if you have 802.11b or 802.11g client devices using this AP. Instead, congure only Radio 1 for high throughput unless it is acceptable to achieve less than maximum 802.11n throughput on Radio 2. raft In the Admin Mode drop-down list, click the On option. In the Radio Mode drop-down list, click the a/n option for the AP3825, and click a/n/ac for the In the Guard Interval drop-down list, click Short. If only 802.11n devices are present, disable 11n protection and 40 MHz protection:

In the Channel Width drop-down list, click 40 MHz (for the AP3825 and for the AP3865 and Protection Mode Click None. Protection Type Click CTS only or RTS CTS. AP3865 and the 39xx series APs). 39xx series, click 80 MHz). Aggregate MSDUs Click Enabled. Aggregate MPDU Click Enabled. Aggregate MPDU Max Length Click Enabled. Agg. MPDU Max # of Sub-frames Type 64. ADDBA Support Click Enabled. 6 From the top menu, click VNS. 7 In the left pane select WLAN Services and select the WLAN service to congure. ExtremeWireless V10.41.06 User Guide 188 Conguring the ExtremeWireless APs 8 Click the Privacy tab. Some client devices do not use 802.11n mode if they are using WEP or TKIP for security. Do one of the following:

Select None. Select WPA-PSK, and then clear the WPA v.1 option:

Select WPA v.2. In the Encryption drop-down list, click AES only. NNote To achieve the strongest encryption protection for your VNS, it is recommended that you use WPA v.2. 9 Click the QoS tab. From the QoS tab, you can select WMM and Flexible Client Access (FCA) to get better throughput. NEW! Conguring IoT Applications Note For FCA, go to VNS > Global > Wireless QoS and set the Fairness Policy to 100% Airtime. D rates. Congure IoT support from the IIoT tab access point models AP391x 10 In the Wireless QoS section, select the WMM option. Some 802.11n client devices remain at legacy raft ExtremeWireless supports the following applications. Each supported AP can be congured for one application at a time. iBeacon AP is an Apple iBeacon. AP sends beacons in Apple iBeacon format. iBeacon Scan AP scans for Apple iBeacons, ltering beacons based on conguration parameters ExtremeWireless supports Real Time Location Systems (RTLS) on APs that offer integrated BLE/

802.15.4 radios for connectivity to Internet of Things (IoT) sensors and devices. The AP must be BLE enabled. Eddystone-url Beacon AP sends a compressed URL in a beacon for automatic presentation of a Eddystone-url Scan AP scans for Eddystone-url beacons, ltering beacons based on conguration website. Eddystone-url is supported by both iOS and Android 4.4 operating systems. and reports ndings to an Application Server. parameters and reports ndings to an Application Server. Thread Gateway AP is a gateway router to the Thread Network. Thread is a mesh networking protocol based on IEEE 802.15.4 for IoT devices. Related Links IoT iBeacon on page 190 IoT iBeacon Scan on page 191 Eddystone-url Beacon on page 193 Eddystone-url Scan on page 195 IoT Thread Gateway on page 196 ExtremeWireless V10.41.06 User Guide 189 Conguring the ExtremeWireless APs IoT iBeacon iBeacon is Apple's technology standard that allows mobile apps to identify a beacon position in the physical world. It delivers content based on the identied location. Extreme Wireless access point models AP391x support iBeacon. RRelated Links Conguring AP as an iBeacon on page 190 IoT iBeacon Scan on page 191 Conguring IoT Applications on page 189 IoT Multi-Edit Conguration on page 129 Conguring AP as an iBeacon With the iBeacon application, congure a supported AP as an iBeacon in an IoT network. The following APs offer integrated BLE/802.15.4 radios: AP3912i , AP3915i/e, AP3916ic, AP3917i/e/k. D To congure iBeacon support from the IIoT tab:

From the top menu, click AP. The AAP screen displays. 1 2 Click the appropriate wireless AP in the list (not the check box). The AAP dashboard displays. 3 Click Congure. The AAP Properties tab displays. 4 Click the IoT tab, and select IoT Admin. 5 From the Application eld, select iBeacon. ra Figure 36: IoT Admin Tab iBeacon Application 6 Congure the following parameters:

ExtremeWireless V10.41.06 User Guide 190 Conguring the ExtremeWireless APs Table 17: IoT iBeacon Application Settings FField Description Application Advertise Interval UUID Major Minor Determines application type. Select iBeacon The advertising interval for the beacon application. Valid values are:

Min (100ms) and Max (10240ms). The default value is Min (100ms). Identier used to differentiate a large group of related beacons. A company can have a network of beacons with the same UUID. Identies a subset of beacons within the larger set. This value could represent a venue specic attribute, such as a specic store or wing in a building. Valid values are 0 to 65635. Identies an individual beacon. Used to more precisely pinpoint beacon location. This value complements the UUID and Major values to provide more granular identication of a specic location, such as a particular shelf, door-way, or item. Valid values are 0 to 65635. IoT iBeacon Scan D Related Links IoT iBeacon on page 190 Conguring IoT Applications on page 189 IoT Multi-Edit Conguration on page 129 raft With iBeacon Scan, an AP scans for beacons, ltering data based on conguration parameters and reports ndings to an Application Server. ExtremeWireless forwards an iBeacon report as a JSON message to the customer's Application Server. The iBeacon report includes the following data:

AP serial number The MAC address of the iBeacon tag The RSSI The signal strength of the iBeacon tag The UUID of the iBeacon tag including Major and Minor values. The following lters can be applied at the AP to specify the message stream:

UUID. The Global Unique Identier. iBeacon messages with corresponding UUID are sent to the Minimum Received Signal Strength Indicator (RSSI). Transfers messages that meet the congured Application Server. All other UUID values are omitted. RSSI threshold. Messages received with an RSSI below the congured threshold are omitted. Refer to the Integration Guide for details on the format of the iBeacon RTLS message. The customer's Application Server handles the business logic and presentation of the IoT report. The Application Server:

Calculates the distance between the BLE tag and the AP, based on the signal strength for the tag/

radio channel Maps AP Serial Number to a physical location Tracks BLE tags. ExtremeWireless V10.41.06 User Guide 191 Conguring the ExtremeWireless APs From ExtremeWireless, congure iBeacon Scan parameters under AP conguration. RRelated Links Conguring iBeacon Scan on page 192 IoT Multi-Edit Conguration on page 129 Conguring IoT Applications on page 189 Conguring iBeacon Scan The following APs offer integrated BLE/802.15.4 radios: AP3912i , AP3915i/e, AP3916ic, AP3917i/e/k. To congure iBeacon Scan support from the IIoT tab:

From the top menu, click AP. The AAP screen displays. 1 2 Click the appropriate wireless AP in the list (not the check box). The AAP dashboard displays. 3 Click Congure. The AAP Properties tab displays. 4 Click the IoT tab, and select IoT Admin. 5 From the Application eld, select iBeacon Scan. D Figure 37: iBeacon Scan Application 6 Congure the following parameters:

ExtremeWireless V10.41.06 User Guide 192 Conguring the ExtremeWireless APs Table 18: iBeacon Scan Settings FField Description Application Destination IP Address Destination Port Scan Interval Scan Window Determines application type. Select iBeacon Scan IP address of the customer Application Server that receives the beacon report. Destination Port on the customer Application Server that presents the beacon report. Determines how long to wait between scans. Valid values are: Min

(100ms) and Max (10240ms). The default value is Min (100ms). Determines how long to scan per channel. Valid values are Min

(100ms) and Max (10240ms).Value must be less than Scan Interval value. Default value is 100ms. Related Links IoT iBeacon Scan on page 191 IoT Multi-Edit Conguration on page 129 UUID D Min RSSI Identier used to differentiate a large group of related beacons. A company can have a network of beacons with the same UUID. Used for ltering data. ExtremeWireless forwards data with matching UUID to the Application Server and lters out all other UUID data. If UUID congured value is all zeros, no ltering occurs. This is the signal strength required to include the packet in the BLE report. Valid values: -10 to -100. Default value is -100. Data from beacons with an RSSI that is less than the Min RSSI congured value is ltered out. raft Eddystone-url is a Google technology standard that supports the physical web by providing a beacon-

delivered URL that offers content based on the identied location. Eddystone-url is supported by both iOS and Android 4.4 operating systems. An AP sends a beacon that includes a compressed URL. A mobile device app accepts the beacon, and the mobile user can access the URL that is provided in the beacon. This technology automatically presents websites to mobile users at the AP location. Possible use cases include:

Registration at a medical facility or school. Online payment at a parking garage. Detailed information about a museum exhibit. The beacon format is dened by a Google specication. Both the URL and the Advertising Interval are congurable parameters on the AP. Related Links Conguring AP as an Eddystone-url Beacon on page 194 ExtremeWireless V10.41.06 User Guide 193 NEW! Eddystone-url Beacon Conguring the ExtremeWireless APs Conguring AP as an Eddystone-url Beacon Congure an AP with integrated BLE radio as an Eddystone-url Beacon in an IoT network. The following APs offer integrated BLE/802.15.4 radios: AP3912i , AP3915i/e, AP3916ic, AP3917i/e/k. To congure Eddystone-url Beacon support from the IIoT tab:

From the top menu, click AP. The AAP screen displays. 1 2 Click the appropriate wireless AP in the list (not the check box). The AAP dashboard displays. 3 Click Congure. The AAP Properties tab displays. 4 Click the IoT tab, and select IoT Admin. 5 From the Application eld, select Eddystone-url Beacon. D Figure 38: IoT Admin Tab Eddystone-url Beacon Application 6 Congure the following parameters:

Table 19: IoT Eddystone-url Beacon Application Settings Field Description raft The URL that is included with the Eddystone-url beacon. The URL is limited to 17 characters. The 17 characters does not include the protocol, but it does include the domain name. A secure protocol

(HTTPS address) is required. The URL is compressed, effectively allowing more than a 17-character input. See https://github.com/

google/eddystone/tree/master/eddystone-url for the Eddystone-url compression rules to more accurately judge the length of your URL. If necessary, also nd third-party URL Shortening Services available on the internet. Determines application type. Select Eddystone-url Beacon Application URL Advertise Interval The advertising interval for the beacon application. Valid values are:

Min (100ms) and Max (10240ms). The default value is Min (100ms). Related Links Eddystone-url Beacon on page 193 Conguring IoT Applications on page 189 IoT Multi-Edit Conguration on page 129 ExtremeWireless V10.41.06 User Guide 194 Conguring the ExtremeWireless APs NEW! Eddystone-url Scan BLE-enabled APs capture beacons and send them to a congured Application Server. Upon reception, the server application triggers possible actions such as updating statistics related to beacon location or communicating with a mobile device application. An AP scans for beacons, ltering data based on conguration parameters and reports ndings to an Application Server. ExtremeWireless forwards the report as a JSON message to the customer's Application Server. The report includes the following data:

AP Serial Number The MAC address of the beacon tag Decoded URL Device transmission power The signal strength of the iBeacon tag D The following lters can be applied at the AP to specify the message stream:

Minimum Received Signal Strength Indicator (RSSI). Transfers messages that meet the congured RSSI threshold. Messages received with an RSSI below the congured threshold are omitted. The customer's Application Server handles the business logic and presentation of the IoT report. The Application Server:

Calculates the distance between the BLE tag and the AP, based on the signal strength for the tag/

NNote Only scanned frames with Eddystone-url format are supported. The UUID must be 0xFEAA. raft radio channel Maps AP Serial Number to a physical location Tracks BLE tags. The following APs offer integrated BLE/802.15.4 radios: AP3912i , AP3915i/e, AP3916ic, AP3917i/e/k. From ExtremeWireless, congure Eddystone-url Scan parameters under AP conguration. Refer to the Integration Guide for details on the format of the beacon RTLS message. To congure Eddystone-url Scan support from the IIoT tab:

Conguring Eddystone-url Scan From the top menu, click AP. The AAP screen displays. 1 2 Click the appropriate wireless AP in the list (not the check box). The AAP dashboard displays. 3 Click Congure. The AAP Properties tab displays. 4 Click the IoT tab, and select IoT Admin. ExtremeWireless V10.41.06 User Guide 195 Conguring the ExtremeWireless APs 5 From the Application eld, select Eddystone-url Scan. D Figure 39: Eddystone-url Scan Application 6 Congure the following parameters:

Table 20: Eddystone-url Scan Settings FField Description Determines application type. Select Eddystone URL Scan IP address of the customer Application Server that receives the beacon report. raft This is the signal strength required to include the packet in the BLE report. Valid values: -10 to -100. Default value is -100. Data from beacons with an RSSI that is less than the Min RSSI congured value is ltered out. Determines how long to scan per channel. Valid values are Min

(100ms) and Max (10240ms).Value must be less than Scan Interval value. Default value is 100ms. Destination Port on the customer Application Server that presents the beacon report. Determines how long to wait between scans. Valid values are: Min

(100ms) and Max (10240ms). The default value is Min (100ms). Application Destination IP Address Destination Port Scan Interval Scan Window Min RSSI Related Links Eddystone-url Scan on page 195 IoT Multi-Edit Conguration on page 129 Conguring IoT Applications on page 189 IoT Thread Gateway The ExtremeWireless Thread Network solution makes use of a single infrastructure to combine a wireless network with an IoT sensor network, while integrating with an enterprise backbone network. ExtremeWireless V10.41.06 User Guide 196 Conguring the ExtremeWireless APs Each AP391x, with integrated BLE/802.15.4 radios, creates a separate Thread Network identied with a separate PAN ID. Sensors scan, nd the AP Thread Network, and build a Mesh network with that AP serving as the border gateway router. The AP routes network traffic between its own Thread Network interface and the IoT interface. To congure a Thread Network, do the following:

Congure a VNS:

Create a new VNS. Enable IPv6 multicast Assign a VLAN. Related Links NNote The VLAN must have a Router with DHCPv6-PD Thread Network supports IPv6 addressing only. If the DHCPv6 server provides global address, all sensors in the network receive the global address, and therefore, can be managed from the Cloud IPv6 network. D Congure IoT Thread Gateway on an AP391x. Congure a WLANS with an IoT port enabled. Congure a whitelist that denes the allowed sensor nodes and joiner sensors for the Thread Network. Note If the whitelist is not congured, all sensors with password THREAD are accepted into the network. raft Conguring an AP as a Thread Gateway on page 197 Advanced Thread Gateway Properties on page 198 Managing an IoT Whitelist on page 671 IoT Multi-Edit Conguration on page 129 From the top menu, click AP. The AAP screen displays. 1 2 Click the AP row (not the check box) for an AP model that offers a BLE/802.15.4 radio. To congure the Thread Network on each supported AP, take the following steps:

The AAP dashboard displays. 3 Click Congure. The AAP Properties tab displays. 4 Click the IoT tab, and select IoT Admin. Conguring an AP as a Thread Gateway ExtremeWireless V10.41.06 User Guide 197 Conguring the ExtremeWireless APs 5 From the Application eld, select Thread Gateway and click Advanced. D Figure 40: IoT Admin Tab Thread Gateway Application The AAdvanced Thread Gateway parameters dialog displays. Related Links Advanced Thread Gateway Properties on page 198 IoT Thread Gateway on page 196 Advanced Thread Gateway Properties raft Congure the following parameters on the selected AP. The AP serves as a border gateway router for its own Thread Network. ExtremeWireless V10.41.06 User Guide 198 Conguring the ExtremeWireless APs D Figure 41: IoT Thread Gateway PropertiesDNNote The congured Thread Gateway displays on the Active Clients report, indicating that the gateway is up and running. Table 21: Thread Gateway Properties Field Description Determines application type. Select Thread Gateway Thread Network name. Default value is the AP serial number. Each AP creates a separate Thread Network identied with separate Short PAN ID and Extended PAN ID. raft A 16-bit, MAC-layer addressing eld used in RF data transmissions between devices in a Thread Network. The default value is derived from the AP serial number. The Short PAN ID identies the APs Thread Network. A 64-bit, MAC-layer addressing eld used in RF data transmissions between devices in a Thread Network. The default value is derived from the AP serial number. This value must be unique. It is used for a more specic network identication. Indicates the Network Master Key used to encrypt communication between nodes in a Thread Network. The IEEE Standard: 802.15.4 AP channel number. Application Name Channel Short PAN ID Extended PAN ID Master Key Related Links Conguring an AP as a Thread Gateway on page 197 IoT Thread Gateway on page 196 Setting Up the Wireless AP Using Static Conguration Static conguration settings allow you to set up branch office support. These settings can be employed whenever required, and are not dependent on branch topology. In the branch office model, while the controller is at a central office, APs are installed in remote sites. The APs must be able to interact in both ExtremeWireless V10.41.06 User Guide 199 Conguring the ExtremeWireless APs the local site network and the central office network. When this is the case, a static conguration is recommended. For initial conguration of a wireless AP to use a static IP address assignment:

Allow the AP to rst obtain an IP address using DHCP. By default, APs are congured to use the DHCP IP address conguration method. Allow the AP to connect to the controller using the DHCP assigned IP address. After the AP has successfully registered to the controller, use the SStatic Conguration tab to congure a static IP address for the AP, and then save the conguration. Once the static IP address has been congured on the AP, the AP can then be moved to its target location, if applicable. To set up a wireless AP using static conguration:

From the top menu, click AP. The AAP screen displays. Note If a wireless AP with a statically congured IP address (without a statically congured Wireless Controller Search List) cannot register with the controller within the specied number of retries, the wireless AP uses SLP, DNS, and SLP multicast as a backup mechanism. D 1 2 Click the appropriate wireless AP in the list (not the check box). The AAP dashboard displays. 3 Click Congure. The AAP Properties tab displays. 4 Click the Static Conguration tab. 5 Congure the following parameters:

raft Caution Caution should be exercised when using this feature. For more information, see Conguring VLAN Tags for Wireless APs on page 203. If the Wireless AP VLAN is not congured properly (wrong tag), connecting to the AP may not be possible. To recover from this situation, you need to reset the AP to its factory default settings. For more information, see the Extreme Networks ExtremeWireless Maintenance Guide . a Select a VLAN (Virtual LAN) setting for the AP. ExtremeWireless V10.41.06 User Guide 200 Conguring the ExtremeWireless APs b Select a method of IP address assignment for the AP. D raft NNote Client Port conguration is available for the AP3912. For more information, see Assigning WLAN Services to Client Ports on page 170. Table 22: Static Conguration Properties Field/Button Description VLAN Settings Tagged Untagged VLAN ID Select if you want to assign this AP to a specic VLAN and type the value in the box. Select if you want this AP to be untagged. This option is selected by default. Enter a VLAN ID. Valid values are 2 to 4094 IP Address Assignment ExtremeWireless V10.41.06 User Guide 201 Conguring the ExtremeWireless APs Table 22: Static Conguration Properties (continued) FField/Button Description Use DHCP Select to enable Dynamic Host Conguration Protocol (DHCP). This option is enabled by default. Static Values Select to specify the IP address of the AP. IP Address Netmask Type the IP address of the AP. Type the appropriate subnet mask to separate the network portion from the host portion of the address. Gateway Type the default gateway of the network. Ethernet Port Ethernet Speed Ethernet Mode D Tunnel MTU If the AP has an Ethernet port, select values in the Ethernet Speed and Ethernet Mode drop down lists. If the AP has an Ethernet port, select values in the Ethernet Speed and Ethernet Mode drop down lists. Wireless Controller Search List Applies to the AP38xx and AP39xx only. Click to Enable Link Aggregation Control Protocol. This feature allows higher throughput by combining the two Ethernet ports. This feature is disabled by default. Enter a static MTU value, from 600 to 1500, in the Tunnel MTU box. The maximum MTU can be increased to 1800 bytes by enabling Jumbo Frames support (for more information, see Setting Up the Data Ports on page 51). If the wireless software cannot discover the MTU size, it enforces the static MTU size. Set the MTU size to allow the source to reduce the packet size and avoid the need to fragment data packets in the tunnel. raft In the Add box, type the IP address of the controller that will control this AP then click the Add button to add the IP address is added to the list. Repeat this process to add the IP addresses of up to three controllers. This feature allows the AP to bypass the discovery process. If the Wireless Controller Search List box is not populated, the AP uses SLP unicast/multicast, DNS, or DHCP vendor option 43 to discover a controller. For the initial AP deployment, it is necessary to use one of the described options in Discovery and Registration on page 120. Select a controller and click the Up button to modify the order of the controllers. When an AP searches for a controller to register with, it begins with the rst controller in the list. Select a controller and click the Up button to modify the order of the controllers. When an AP searches for a controller to register with, it begins with the rst controller in the list. Click to remove the controller from the list so that it can no longer control the AP. LACP Up Down Delete Add Additional Buttons Copy to Defaults To make this APs conguration be the systems default AP settings, click Copy to Defaults. A pop-up dialog asking you to conrm the conguration change is displayed.To conrm resetting the systems default AP settings, click OK. ExtremeWireless V10.41.06 User Guide 202 Conguring the ExtremeWireless APs Table 22: Static Conguration Properties (continued) FField/Button Description Reset to Defaults If you have an AP that is already congured with its own settings, but would like the AP to be reset to use the systems default AP settings, use the Reset to Defaults feature Apply Click to save your changes. Related Links AP Properties Tab Conguration on page 159 Assigning Wireless AP Radios to a VNS on page 168 Conguration Parameters for Radio Properties on page 180 Setting Up 802.1x Authentication for a Wireless AP on page 203 Conguring VLAN Tags for Wireless APs D require VLAN tagging. To congure Wireless APs with a VLAN tag:

1 Connect the AP in the central office to the controller port (or to a network point) that does not Caution Exercise caution while conguring a VLAN ID tag. If a VLAN tag is not congured properly, the connectivity between the controller and the AP will be lost. raft 2 From the top menu, click AP. 3 Click the Static Conguration tab. 4 In the VLAN Settings section, select Tagged - VLAN ID. 5 In the Tagged - VLAN ID text box, type the VLAN ID on which the AP operates. 6 To save your changes, click Save. The AP reboots and loses connection with the controller. 7 Log out from the controller. 8 Disconnect the AP from the central office network and move it to the target location. 9 Power up the AP. The AP connects to the controller. If the AP does not connect to the controller, the AP was not congured properly. To recover from this situation, reset the AP to its factory default settings, and recongure the static IP address. Setting Up 802.1x Authentication for a Wireless AP 802.1x is an authentication standard for wired and wireless LANs. The 802.1x standard can be used to authenticate access points to the LAN to which they are connected. 802.1x support provides security for network deployments where access points are placed in public spaces. ExtremeWireless V10.41.06 User Guide 203 Conguring the ExtremeWireless APs To successfully set up 802.1x authentication of a Wireless AP, the AP must be congured for 802.1x authentication before the AP is connected to a 802.1x enabled switch port. CCaution If the switch port to which the AP is connected is not 802.1x enabled, the 802.1x authentication does not take effect. 802.1x authentication credentials can be updated at any time, whether or not the AP is connected with an active session. If the AP is connected, the new credentials are sent immediately. If the AP is not connected, the new credentials are delivered the next time the AP connects to the controller. There are two main aspects to the 802.1x feature:

Credential management The controller and the AP are responsible for the requesting, creating, deleting, or invalidating the credentials used in the authentication process. EAP-TLS Authentication The AP is responsible for the actual execution of the EAP-TLS or PEAP protocol. D 802.1x authentication can be congured on a per-AP basis. For example, 802.1x authentication can be applied to specic APs individually or with a multi-edit function. The 802.1x authentication supports two authentication methods:

PEAP (Protected Extensible Authentication Protocol) Is the recommended 802.1x authentication method Requires minimal conguration effort and provides equal authentication protection to EAP-TLS Uses user ID and passwords for authentication of access points Requires more conguration effort Requires the use of a third-party Certicate Authentication application Uses certicates for authentication of access points The controller can operate in either proxy mode or pass through mode. raft Note Although a wireless AP can support using both PEAP and EAP-TLS credentials simultaneously, it is not recommended to do so. Instead, it is recommended that you use only one type of authentication and that you install the credentials for only that type of authentication on the wireless AP. Proxy mode The controller generates the public and private key pair used in the certicate. Pass through mode The certicate and private key are created by the third-party Certicate Authentication application. Related Links AP Properties Tab Conguration on page 159 Assigning Wireless AP Radios to a VNS on page 168 Conguration Parameters for Radio Properties on page 180 Setting Up the Wireless AP Using Static Conguration on page 199 Setting Up 802.1x Authentication for Wireless APs Using Managing Certicates on page 209 ExtremeWireless V10.41.06 User Guide 204 Conguring the ExtremeWireless APs Conguring 802.1x EAP-TLS Authentication EAP-TLS authentication uses certicates for authentication. A third-party Certicate Authentication application is required to congure EAP-TLS authentication. Certicates can be overwritten with new ones at any time. With EAP-TLS authentication, the controller can operate in the following modes:

Proxy Mode on page 205 Pass Through Mode on page 207 NNote When a wireless AP that is congured with 802.1x EAP-TLS authentication is connected to a controller, the AP begins submitting logs to the controller thirty days before the certicate expires to provide administrators with a warning of the impending expiry date. Proxy Mode D From the top menu, click AP. To Congure 802.1x EAP-TLS Authentication in Proxy Mode:

1 2 In the AP list, click the wireless AP (not the check box) for which you want to congure 802.1x EAP-

In proxy mode, the controller generates the public and private key pair used in the certicate. You can specify the criteria used to create the Certicate Request. The Certicate Request that is generated by the controller is then used by the third-party Certicate Authentication application to create the certicate used for authentication of the Wireless AP. To successfully congure 802.1x authentication of a Wireless AP, the AP must rst be congured for 802.1x authentication before the AP is deployed on a 802.1x enabled switch port. raft TLS authentication. 3 Click the 8802.1x tab. 4 Click Generate Certicate Signing Request. The GGenerate Certicate Signing Request window is displayed. ExtremeWireless V10.41.06 User Guide 205 Conguring the ExtremeWireless APs raft5 Type the criteria to be used to create the certicate request. All elds are required:

Country name The two-letter ISO abbreviation of the name of the country State or Province name The name of the State/Province Locality name (city) The name of the city Organization name The name of the organization Organizational Unit name The name of the unit within the organization Common name Click the value you want to assign as the common name of the wireless AP. Email address The email address of the organization

(See Table 23 on page 212 for credential parameters and values.) 6 Click Generate Certicate Signing Request. A certicate request le is generated (.csr le extension). The name of the le is the AP serial number. The FFile Download dialog is displayed. 7 Click Save. The SSave as window is displayed. 8 Navigate to the location on your computer that you want to save the generated certicate request le, and then click Save. 9 In the third-party Certicate Authentication application, use the content of the generated certicate request le to generate the certicate le (.cer le extension). 10 On the 8802.1x tab, click Browse. The CChoose le dialog is displayed. ExtremeWireless V10.41.06 User Guide 206 Conguring the ExtremeWireless APs 11 Navigate to the location of the certicate le, and click Open. The name of the certicate le is displayed in the X509 DER / PKCS#12 le box. 12 To save your changes, click Save. The 802.1x EAP-TLS (certicate and private key) authentication in proxy mode is assigned to the AP. The wireless AP can now be deployed to a 802.1x enabled switch port. Pass Through Mode In pass through mode, the certicate and private key are created by the third-party Certicate Authentication application. To successfully congure 802.1x authentication of a wireless AP, the AP must rst be congured for 802.1x authentication before the AP is deployed on a 802.1x enabled switch port. From the top menu, click AP. Before you congure 802.1x using EAP-TLS authentication in pass through mode, create a certicate using the third-party Certicate Authentication application and save the certicate le in PKCS #12 le format (.pfx le extension) on your system. D TTo Congure 802.1x EAP-TLS Authentication in Pass Through Mode:

7 In the Password box, type the password that was used to protect the private key. 1 2 Click the appropriate wireless AP in the list (not the check box). The AAP dashboard displays. 3 Click Congure. The AAP Properties tab displays. 4 Click the 8802.1x tab. 5 Click Browse. The CChoose le window is displayed. 6 Navigate to the location of the certicate le (.pfx) and click Open. The name of the certicate le is raft Note The password that was used to protect the private key must be a maximum of 31 characters long. The 802.1x EAP-TLS authentication in pass through mode is assigned to the wireless AP. The AP can now be deployed to a 802.1x enabled switch port. displayed in the X509 DER / PKCS#12 le box. 8 To save your changes, click Save. Viewing 802.1x Credentials When 802.1x authentication is congured on a wireless AP, the light bulb icon on the 802.1x tab for the congured AP is lit to indicate which 802.1x authentication method is used. A wireless AP can be congured to use both EAP-TLS and PEAP authentication methods. For example, when both EAP-TLS ExtremeWireless V10.41.06 User Guide 207 Conguring the ExtremeWireless APs and PEAP authentication methods are congured for the AP, both light bulb icons on the 802.1x tab are lit. NNote You can view only the 802.1x credentials of wireless APs that have an active session with the controller. If you attempt to view the credentials of a wireless AP that does not have an active session, the AAP Credentials window displays the following message: Unable to query wireless AP: not connected. To view current 802.1x credentials:

From the top menu, click AP. 1 2 In the AP list, click the wireless AP (not the check box) for which you want to view its current 802.1x credentials. 3 Select the 8802.1x tab. 4 In the Current Credentials section, click Get Certicate details. D The WWireless AP Credentials window is displayed. raft ExtremeWireless V10.41.06 User Guide 208 Conguring the ExtremeWireless APs Deleting 802.1x Credentials CCaution Exercise caution when deleting 802.1x credentials. For example, deleting 802.1x credentials may prevent the AP from being authenticated or cause it to lose its connection with the controller. To delete current 802.1x credentials:

From the top menu, click AP. 1 2 In the AP list, click the wireless AP (not the check box) for which you want to view its current 802.1x credentials. 3 Select the 8802.1x tab. 4 Do the following:

To delete EAP-TLS credentials, click Delete EAP-TLS credentials. To delete PEAP credentials, click Delete PEAP credentials. D The credentials are deleted and the AP settings are updated.DDNote If you attempt to delete the 802.1x credentials of a wireless AP that currently does not have an active session with the controller, the credentials are deleted only after the AP connects with the controller. raft When you use the AP 802.1x Multi-edit feature, you can choose to:

Assign EAP-TLS authentication based on generated certicates to multiple APs by uploading a .pfx, .cer, or .zip le. Assign PEAP credentials to multiple APs based on a user name and password that you dene In addition to conguring APs individually, you can also congure 802.1x authentication for multiple APs simultaneously by using the AP 802.1x Multi-edit feature. To congure 802.1x EAP-TLS Authentication in Proxy Mode using Multi-edit:

Setting Up 802.1x Authentication for Wireless APs Using Managing Certicates ExtremeWireless V10.41.06 User Guide 209 Conguring the ExtremeWireless APs 1 From the top menu, click AP. The AAP screen displays. ft 2 In the AAPs list, select one or more APs to congure. To search for a specic AP, enter the AP in the search bar and click

. 3 Click Actions > Manage Certicates 4 In the Certicate Signing Request section, type the following:

Country name The two-letter ISO abbreviation of the name of the country State or Province name The name of the State/Province Locality name (city) The name of the city Organization name The name of the organization Organizational Unit name The name of the unit within the organization Common name Click the value you want to assign as the common name of the wireless AP

(see Table 23 on page 212 for credential parameters and values). Email address The email address of the organization Key Size If the email address key size is different from the default value shown, you can change it by selecting a new value from the drop down menu. ExtremeWireless V10.41.06 User Guide 210 Conguring the ExtremeWireless APs 5 Click Generate Certicates. The AAP 802.1x Multi-edit progress dialog is displayed, which provides the status of the conguration process. Once complete, the FFile Download dialog is displayed. 6 Click Save. The SSave as window is displayed. 7 Navigate to the location on your computer that you want to save the generated certicate_requests.tar le, and then click Save. The certicate_requests.tar le contains a certicate request (.csr) le for each AP. 8 Do one of the following:

For each certicate request, generate a certicate using the third-party Certicate Authentication application. This method produces a certicate for each wireless AP. Once complete, zip all the certicates les (.cer) into one .zip le. Use one of the certicate requests and generate one certicate using the Certicate Authentication application. This method produces one certicate that can be applied to all APs. Conguring 802.1x EAP-TLS Authentication in Pass Through Mode Using Multi-edit 9 In the Bulk Certicate Upload section, click Browse. The CChoose le window is displayed. 10 Navigate to the location of the le (.zip or .cer), and then click Open. The name of the le is displayed in the PFX, CER or ZIP Archive box. D 11 Click Upload and Set certicates. Once complete, the Settings updated message is displayed in the footer of the Wireless Assistant. The 802.1x EAP-TLS authentication conguration is assigned to the APs. The APs can now be deployed to 802.1x enabled switch ports. When you congure 802.1x EAP-TLS authentication in pass through mode using Multi-edit, do one of the following:

Generate a certicate for each AP using the third-party Certicate Authentication application. When generating the certicates:

Use the Common name value (either Name, Serial, or MAC) of the AP to name each generated raft Generate one certicate, using the third-party Certicate Authentication application, to be applied to all APs. When generating the certicate, use the Common name value (either Name, Serial, or MAC) of the wireless AP to name the generated certicate. Use a common password for each generated certicate. All .pfx les created by the third-party Certicate Authentication application must be zipped into The 802.1x PEAP authentication conguration is assigned to the APs. The APs can now be deployed to 802.1x enabled switch ports. certicate. one le. Managing Certicates To congure certicates, take the following steps:

ExtremeWireless V10.41.06 User Guide 211 Conguring the ExtremeWireless APs 1 Certicate Signing Request Country name The two-letter ISO abbreviation of the name of the country State or Province name The name of the State/Province Locality name (city) The name of the city Organization name The name of the organization Organizational Unit name The name of the unit within the organization Common name Click the value you want to assign as the common name of the wireless AP

(see Table 23 on page 212 for credential parameters and values). Email address The email address of the organization Key Size If the email address key size is different from the default value shown, you can change it by selecting a new value from the drop down menu. 2 Click Generate Certicates. The AAP 802.1x Multi-edit progress window is displayed, which provides 5 Do one of the following:

Authentication application. This method produces one certicate that can be applied to all APs. the status of the conguration process. Once complete, the FFile Download dialog is displayed. 3 Click Save. The SSave as window is displayed. 4 Navigate to the location on your computer that you want to save the generated D certicate_requests.tar le, and then click Save. The certicate_requests.tar le contains a certicate request (.csr) le for each AP. Bulk Certicate Upload 6 Click Browse. The CChoose le window is displayed. 7 Navigate to the location of the le (.zip or .cer), and then click Open. The name of the le is For each certicate request, generate a certicate using the third-party Certicate Authentication application. This method produces a certicate for each wireless AP. Once complete, zip all the certicates les (.cer) into one .zip le. Use one of the certicate requests and generate one certicate using the Certicate raft footer of the Wireless Assistant. The 802.1x EAP-TLS authentication conguration is assigned to the APs. The APs can now be deployed to 802.1x enabled switch ports. PEAP authentication uses user ID and passwords for authentication. To successfully congure 802.1x authentication of a wireless AP, the AP must rst be congured for 802.1x authentication before the AP is deployed on an 802.1x enabled switch port. 9 In the Username drop-down list, click the value you want to assign as the user name credential:

10 In the Password drop-down list, click the value you want to assign as the password credential. 8 Click Upload and Set certicates. Once complete, the Settings updated message is displayed in the displayed in the PFX, CER or ZIP Archive box. PEAP Authentication Table 23: Credential Parameters Parameter Value Name The name of the wireless AP, which is assigned on the AP Properties tab. The AP name can be edited. Serial The serial number of the AP. This setting cannot be edited. ExtremeWireless V10.41.06 User Guide 212 Conguring the ExtremeWireless APs Table 23: Credential Parameters (continued) PParameter Value MAC Other The MAC address of the AP. The setting cannot be edited. Click to specify a custom value. A text box is displayed. In the text box, type the value you want to assign as the user name credential. 11 To save your changes, click Save. The 802.1x PEAP authentication conguration is assigned to the AP. The AP can now be deployed to an 802.1x enabled switch port. Related Links Setting Up 802.1x Authentication for Wireless APs Using Managing Certicates on page 209 Conguring Co-Located APs in Load Balance Groups D You can congure APs that are co-located in an open area, such as a classroom, a conference hall, or an entrance lobby, to act as a load balance group. Load balancing distributes clients across the co-located APs that are members of the load balance group. The co-located APs should provide the same SSID, have Line-of-Sight (LoS) between each other, and be deployed on multiple channels with overlapping coverage. Assign an AP's radio to the load balance group for the client distribution to occur. Load balancing occurs only among the assigned AP radios of the load balance group. Each radio can be assigned only to one load balance group. Multiple radios on the same AP do not have to be in the same load balance group. The radios that you assign to the load balance group must be on APs that are controlled by the same controller. raft The load balance group uses one or more WLAN services for all APs assigned to the load balance group. You can congure two types of load balance groups:

Client Balancing load group performs load balancing based on the number of clients across all APs in the group and only for the WLANs assigned to the load group. This is different from load control in the Radio Preference group load control APs make decisions in isolation from each other. steering is a mechanism to move 11a-capable clients to the 11a radio on the AP, relieving congestion on the 11g radio. No balancing is done between the 11a and 11g radios. Load control is disabled by default. A radio load group executes band preference steering and/or load control across the radios on each AP in the group. Each AP balances in isolation from the other APs, but all APs in the load group have the same conguration related to the band preference and load control. Radio Preference load group performs band preference steering and load control. Band preference Client balancing on the controller is AP-centric and requires no input from the client. The AP radios in the client balance group share information with secure (AES) messaging using multicast on the wired network. All APs in a client balance group must be in the same SIAPP cluster to ensure that each AP can reach all other APs in the client balance group over the wired subnet. If the APs in a client balance group are not in the same SIAPP cluster, client balancing happens independently within the subgroups dened by SIAPP clusters. The benets of conguring your co-located APs that are controlled by the same controller as a client balance group are the following:

ExtremeWireless V10.41.06 User Guide 213 Conguring the ExtremeWireless APs Resource sharing of the balanced AP Efficient use of the deployed 2.4 and 5 GHz channels Reduce client interference by distributing clients on different channels Scalable 802.11 deployment: if more clients need to be served in the area, additional APs can be deployed on a new channel You can assign a maximum of 32 APs to a client balance group. Table 24 lists the maximum number of load balance groups for each controller. Table 24: Maximum Number of Load Balance Groups EExtremeWireless Appliance Number of load balance groups C4110 32 C5110 C5210 D C5215 C25 64 64 64 8 C35 V2110 V2110 (MS Hyper-V platform) Currently, all APs support load balance groups. 8 32 64 raft Creating a Load Balance Group To create a load balance group:

From the top menu, click AP. 1 2 In the left pane, click Load Groups. 3 Click New. The AAdd Load Group window displays. To create a load balance group, see Creating a Load Balance Group on page 214. 4 Enter a unique name for a load group ID, and select a Type from the drop-down menu and then click Add. The options are:

Client Balancing load balancing based on the number of clients across all APs in the load balance group and only for the WLANs assigned to the group. Radio Preference band preference steering and load control on this load group. If you are adding a Client Balancing load balancing group, the RRadio Assignment tab becomes available. ExtremeWireless V10.41.06 User Guide 214 Conguring the ExtremeWireless APs raftIf you are adding a Radio Preference load balancing group, the RRadio Preference tab becomes available. ExtremeWireless V10.41.06 User Guide 215 Conguring the ExtremeWireless APs D The radios for both types of load groups can be assigned to a WLAN, on the WWLAN Assignment tab. raft ExtremeWireless V10.41.06 User Guide 216 Conguring the ExtremeWireless APs You can lter the display of AP Groups. In the left pane, Expand Client Balancing to see only Client Balancing groups. Expand Radio Preference to see only Radio Preference groups. raft NNote For more information about the elds on these screens, see Conguration Parameters for AP Load Groups on page 217. Description Table 25: AP Load Groups Field/Button Conguration Parameters for AP Load Groups Load Group ID Type Enter a unique name for the load group. You can create load groups with the same name on different controller; however, the groups are treated as separate groups according to the home controller where the group was originally created. The type of load group is displayed. Options include:

Client Balancing - select to perform load balancing based on the number of clients across all APs in the load balance group and only for the WLAN Services assigned to the group. Radio Preference - select to perform band preference steering and enforce load control settings on this load group. ExtremeWireless V10.41.06 User Guide 217 Conguring the ExtremeWireless APs Table 25: AP Load Groups (continued) FField/Button Description New Delete Save Click to create a new load group. The AAdd Load Group window. Click to delete this load group. Click to save your changes. Radio Assignment tab - Available for load groups assigned the Client Balancing type. Select AP Radios D Radio Preference tab - Available for load groups assigned the Radio Preference type From the drop-down menu, select the AP radios that you want to assign to the load group. Options include:

All radios Radio 1 Radio 2 Clear all radios You can assign a radio to only one load balance group. A radio that is assigned to another load balance group has an asterisk next to it. If you select a radio that has been assigned to another load balance group, the radio is reassigned to the new load balance group. Note: You can assign each radio of an AP to different load balance groups. raft Select the Enable check box to enable band preference for this load group. You can apply band preference to a VNS assigned in the load group. Enabling band preference enables you to move an 11a-capable client to an 11a radio to relieve congestion on an 11g radio. A client is considered 11a capable if the AP receives requests on an 11a VNS that already belongs to a load group with band preference enabled. After you congure band preference, if a client tries to re-associate with an 11g radio, it is rejected if the AP determines that the client is 11a capable. Select the following parameters for each radio assigned to this load group:

Enable: Select this check box to enable Radio Load Control (RLC) for individual radios (Radio1 and Radio2) associated with this Load Group. 1 and Radio 2. The default limit is 60. The valid range is: 5 to 60. Strict Limit: Select this check box to enable a strict limit on the Max. # of Clients: Enter the maximum number of clients for Radio number of clients allowed on a specic radio, based on the max #

of clients allowed. Limits can be enforced separately for radio1 and radio 2. Band Preference Load Control AP Assignment Select the APs on which you want to enforce the Band Preference and Load Control settings. ExtremeWireless V10.41.06 User Guide 218 Conguring the ExtremeWireless APs Table 25: AP Load Groups (continued) FField/Button Description WLAN Assignment tab WLAN Name Click the check box of the one or more WLAN services that you want to assign to all member radios of the load balance group. You can select up to the radio limit of eight VNSs. When you assign a radio to a load group, WLAN service assignment can be done only from the WLAN Assignment tab on the WWireless AP Load Groups screen. On all other WLAN Assignment tabs associated with the member AP radios, the radio check box associated with the member AP radios is grayed out. When you remove a radio from a load group, the load groups WLAN service remains assigned to the radio, but you can now assign a different WLAN service to the radio. How Availability Mode Affects Load Balancing D All radios assigned to a load group must belong to APs that are all controlled by the same controller. Availability mode can be congured only from the home controller on which the load group was created. Load balancing continues to operate if member APs fail over to the foreign controller as long as the WLAN service assignment remains the same. To ensure that load balancing works properly in availability mode, enable synchronization of the system conguration and the WLAN services used by the load group when you congure availability mode. If you do not enable synchronization, the radios on any AP that fails over may be removed from their assigned load groups. For more about availability mode, see Conguring Availability Using the Availability Wizard on page 539. raft If you have congured synchronization, you cannot change the WLAN assignments from the foreign controller. If you have not congured synchronization, you must congure the foreign controller to ensure that all AP radios in the load balance group have the same WLAN services assigned before the AP fails over, as originally congured for the load group. If the WLAN services assigned do not match when an AP fails over, the affected AP radios are removed from the load group. If you change the WLAN services to match after the AP fails over, the AP radios still are not allowed to be in the load group. Reconnect the AP to the home controller to have the radios become part of the load group again. If you have not congured synchronization, in a failover situation you are able to change the load balance groups WLAN service assignment from the VVNS Conguration screens and the WWireless AP WLAN Assignment screens on the foreign controller. Load Balance Group Statistics You can view load balance group statistics through the Active Wireless Load Groups report. For more information, see Viewing Load Balance Group Statistics on page 631. ExtremeWireless V10.41.06 User Guide 219 Conguring the ExtremeWireless APs Conguring an AP Cluster APs operating in both t mode and standalone mode operate in a cluster setup. A cluster is a group of APs congured to communicate with each other. Mobile users (MU) can seamlessly roam between the APs participating in the cluster. Wireless APs extend basic cluster functions with the following enhancements:

Client balancing across AP in the Load Group Client session synchronization between APs in the Site APs operating on the same subnet with multicast and IGMP (Internet Group Management Protocol) snooping enabled can be formed into a cluster. You assign each AP a common, default cluster ID

(shared secret). Each AP caches locally-stored information about the other cluster members and maintains its own view of the cluster including the client session information in the Site. D An AP cluster can exist at any point in your network. Each cluster member periodically (every 30 seconds) sends a secure SIAPP (Siemens Inter-AP Protocol) multicast message to update other cluster members. The SIAPP message includes:

The AP name The AP Ethernet MAC address The AP IP address The client count The base BSSIDs for both radios Client session information in a case when APs are members of a Site raft To change an AP clusters conguration:

From the top menu, click AP. 1 ExtremeWireless V10.41.06 User Guide 220 Conguring the ExtremeWireless APs 2 In the left pane, click Global Settings > AP Registration. D 3 In the Secure Cluster section, enter a cluster shared secret. 4 Enable cluster encryption by clicking on the User Cluster Encryption check box. APs on which user cluster encryption is disabled cannot participate in the cluster. 5 Enable or disable support for inter-AP roaming by clicking on the Inter AP Roam check box. 6 Click Save. raft When an AP is Approved as a Guardian:

The AP becomes a full time RADAR agent. The AP is added to a Guardian scan prole. The AP no longer provides services (WLAN service, load group, site) that were provided prior to the Wireless access points that are congured as Guardians do not bridge traffic and instead devote all of the APs resources to threat detection and countermeasures. Conguring an AP as a Guardian change. Note Once an AP is assigned to a Guardian Scan Prole it will stop forwarding traffic on both radios. To congure an AP as a Guardian Scan Prole:

From the top menu, click WIPS. 1 2 In the left pane, expand Radar Proles. ExtremeWireless V10.41.06 User Guide 221 Conguring the ExtremeWireless APs 3 In the left pane, expand Guardian Scan and select an AP from the list or click New. 4 In the AAdd Scan Prole dialog, select Guardian from the Prole drop-down. D 5 Click Add. For more information, see Conguring a Guardian Scan Prole on page 577. raft ExtremeWireless offers a scalable captive portal solution on the AP that can be managed locally or through a Cloud solution. The distributed solution is available on ExtremeWireless AP38xx series and AP39xx series APs. Firewall Friendly External Captive Portal (FFECP) on the AP for B@AP topologies is an extension to Firewall Friendly Captive Portal on the controller for tunneled (B@AC and routed) topologies. You can congure the FFECP with full authentication using a URI and signature, or you can congure a RADIUS server, authenticating with a user name and password. Conguring a Captive Portal on an AP To congure an External Captive Portal on an AP, the following is required:

The WLAN Service topology must be VLAN B@AP. You must congure specic policy rules that denes which traffic is allowed, which traffic is denied, and if using Rule-based Redirection, which traffic is redirected. The Captive Portal must be congured as External Firewall Friendly. Note ExtremeWireless supports a non-topology specic implementation. Extreme will register sub-

domain apcp.ezcloudx.com and populate public/Extreme DNS server with DNS mapping of 1.1.1.1 for FQDN apcp.ezcloudx.com. ExtremeWireless V10.41.06 User Guide 222 Conguring the ExtremeWireless APs In Figure 42, the default Access Control on the VLAN is Deny. Rules are created to allow the ECP URL, allow DNS and DHCP traffic, and to allow all outgoing MU traffic, and to redirect specic traffic. D RRelated Links Figure 42: Example: Policy Rules for non-authenticated role Conguring Firewall Friendly External Captive Portal on an AP on page 223 Controlling Network Access on the AP on page 226 Conguring Firewall Friendly External Captive Portal on page 353 Assigning RADIUS Servers for Authentication on page 340 raft Conguring Firewall Friendly External Captive Portal on an AP To congure a Firewall Friendly External Captive Portal (FFECP) on the AP, take the following steps:

ExtremeWireless V10.41.06 User Guide 223 Conguring the ExtremeWireless APs 1 If conguring Rule-based Redirection, verify that Rule-based Redirection is enabled. Go to VNS >

Global > Filtering Mode and select Enable Rule-Based Redirection. Rule-Based Redirection is enabled by default for new installations of ExtremeWireless v10.11 and later. When upgrading from an earlier version of ExtremeWireless, this option is cleared by default. You must enable Rule-Based Redirection from the FFiltering Mode screen. Note The option to disable Rule-based Redirection is available for backward capability only. Rule-based Redirection relies on policy rules that are dened for HTTP(S) redirection. Non-Rule-

based Redirection automatically redirects an un-authenticated client to ECP when a deny action occurs on HTTP(S) traffic. Note You cannot congure Captive Portal Redirection using IPv6 classiers. While you can http to IPv6 websites, you cannot apply Captive Portal redirection to http [s] over IPv6 . D 3 Create a role and dene specic policy rules. The role must be congured with the following parameters:

From the VVLAN & Class of Service tab, select a default Access Control value for the role. 2 Create a basic topology where the topology mode is Bridge Traffic Locally at AP. The topology can be tagged or untagged. For more information, see Conguring a Basic Topology on page 267 in the User Guide. If using RADIUS authentication, FF-ECP on the AP can work with both local and central RADIUS authentication. raft Select from one of the following:

None - No role dened No change - Default setting Allow - Packets contained to role's default action's VLAN/topology. Deny - Any packet not matching a rule in the Role is dropped. Containment VLAN - Any packet not matching a rule is sent to dened VLAN. For B@AP traffic, only the FF ECP is supported as an external captive portal. ExtremeWireless V10.41.06 User Guide 224 Conguring the ExtremeWireless APs On the PPolicy Rules tab, enable AP Filtering. Congure specic policy lters. Allow DHCP and DNS traffic. Mobile user access to FF-ECP. Allow traffic towards mobile user. HTTP(S) redirection.DDDNote D 4 Congure a WLAN Service with the following parameter settings:

For more information, see Conguring Rule-Based Redirection on page 291 in the User Guide. ExtremeWireless supports a non-topology specic implementation. Extreme will register sub-domain apcp.ezcloudx.com and populate public/Extreme DNS server with DNS mapping of 1.1.1.1 for FQDN apcp.ezcloudx.com. Default Topology = Bridged at AP, tagged or untagged. Select an AP. Congure Privacy settings. Congure the Captive Portal to be External Firewall Friendly.

(Optional) Congure RADIUS servers for RADIUS authentication. For more information, see raft Rule Denition dialog must match the Redirection URL value specied on the FFECP Congure dialog. The Identity and Shared Secret elds are required and must match the values used when you Select the Vendor Specic Attributes (VSAs) for authentication. For more information, see When conguring the Allow policy for the ECP, the IP/subnet value specied on the FFilter Assigning RADIUS Servers for Authentication on page 340 in the User Guide. Congure the following parameters on the ECP:

Vendor Specic Attributes on page 344 in the User Guide. congured the captive portal. Select an option for Send Successful Login To. For FFECP local radius authentication:

The AP must be in Site mode. Local RADIUS authentication is congured on at least one RADIUS server. The Signature option is unchecked. 5 Congure a VNS with the authenticated and non-authenticated policies. Related Links Conguring a Basic Topology on page 267 Conguring Rule-Based Redirection on page 291 ExtremeWireless V10.41.06 User Guide 225 Conguring the ExtremeWireless APs Understanding the Filter Rule Denition Dialog on page 302 Conguring a Basic WLAN Service on page 319 Conguring WLAN Service Privacy on page 330 Conguring Firewall Friendly External Captive Portal on page 353 Assigning RADIUS Servers for Authentication on page 340 Controlling Network Access on the AP AP3916ic Integrated Camera Deployment When Rule-based Redirection is disabled, denied HTTP(S) traffic from an non-authenticated client is automatically redirected to the External Captive Portal by the AP. To control network access after authentication, congure roles that have an Access Control of deny and specify that role under Virtual Networks > General. To congure default roles that deny network access after authentication:

D Roles, select a role or create a new role that has policy rules dened to deny access. For more information, see Understanding the Filter Rule Denition Dialog on page 302 1 Go to Virtual Networks and select a VNS or click New. 2 Specify the default roles for Authenticated network traffic. In the Authenticated eld under Default The AP3916ic features an integrated video camera, offering a single device for wireless access and security purposes. Video management is provided by the customer's Video Management System (VMS) integrated per ONVIF Prole S 2.4 compliance. The camera deployment process is as follows:

raft Per ONVIF specication, video management systems query network through WS-Discovery multicast (239.255.255.250). Allow multicast when conguring the default camera topology. Client IP = IP address of camera module Device Type = Extreme Networks 2 MP Camera (EXTR2MP-CAM) AP = AP camera module is associated with Radio/Port = CAM Packet/Byte counters = Indicate Camera Activity 2 Associate a WLAN B@AP or B@AC topology to the camera port. 3 The camera requests a DHCP address. 4 The EWC Active Clients Report lists the IP address of the camera. You can export the client IP The AP3916ic is connected to the network and the controller discovers the camera IP address. 1 address list to an XML le. ExtremeWireless V10.41.06 User Guide 226 Conguring the ExtremeWireless APs

(Optional) The camera IP address can be detected by third-party tools, such as ONVIF Device Manager. NNote ExtremeWireless manages the AP and camera rmware revision. After initial connection, the AP/camera may undergo a rmware upgrade. The upgrade process runs before the device becomes fully active on the network. 5 Based on the reported IP address of the camera, the user associates the camera to the video surveillance system. For information about camera conguration settings, see Accessing the Camera Web User Interface on page 227. Related Links Camera Direct Stream Subscription D AP3916ic (Integrated Camera) on page 104 Assigning WLAN Services to Client Ports on page 170 Upgrading the Camera Image Manually on page 237 Multicast Filtering on page 281 AP3916ic-Camera Web User Interface on page 227 If your video management system does not support ONVIF/IP camera discovery, subscribe directly using Real Time Streaming Protocol (RTSP). With direct stream, video is streamed through RTSP H. 264 or Motion JPEG (MJPEG):

Stream 1:

raft The AP3916ic is an 11ac Wave 2 AP with an integral security camera that lets you extend your Wireless LAN and provide simultaneous wireless service, BLE or 802.15.4 coverage and security in public spaces, such as classrooms and offices. Max Resolution: 1920x1080 (1080p) RTSP URL: rtsp://<Camera IP>:554/live/ch00_0 Max Resolution: 640x360 RTSP URL: rtsp://<Camera IP>:554/live/ch01_0 Stream 2:

AP3916ic-Camera Web User Interface Extreme Networks offers a web-based user interface to customize and congure the camera. Related Links Accessing the Camera Web User Interface on page 227 Camera UI Basic Functions on page 228 Accessing the Camera Web User Interface Take the following steps to access the AP3916ic Web User Interface:

ExtremeWireless V10.41.06 User Guide 227 Conguring the ExtremeWireless APs 1 Using your browser, navigate to the IP address of the camera. Find the camera IP address on the AP dashboard of the AP3916ic. Go to the AP list and click on an AP3916ic. 2 Enter the camera IP address into your browser. The web UI displays. Figure 43: AP3916ic Web UI 3 Login with default credentials admin/admin The credentials are case sensitive. Later, you can customize these credentials. See User Management on page 235. raft NNote After the initial login, set a password in accordance with your IT policy regulations. Using default credentials is a security vulnerability for your network. Related Links AP3916ic (Integrated Camera) on page 104 Camera UI Basic Functions on page 228 AP3916ic Integrated Camera Deployment on page 226 Camera Direct Stream Subscription on page 227 Camera UI Basic Functions Congure the AP3916ic camera using the web user interface. The AP3916ic web user interface is divided into the following tabs:

System on page 229 Network on page 231 ExtremeWireless V10.41.06 User Guide 228 Conguring the ExtremeWireless APs Media on page 232 User Management on page 235 RRelated Links Accessing the Camera Web User Interface on page 227 AP3916ic (Integrated Camera) on page 104 Camera Direct Stream Subscription on page 227 System System settings for the AP3916ic camera:

Status Displays status information about the system, network, and video streams. D raft Figure 44: Sample System and Network Status ExtremeWireless V10.41.06 User Guide 229 Conguring the ExtremeWireless APs D Figure 45: Sample Video Status Time Date/Time settings for the camera. raft Figure 46: Sample Manual Time settings ExtremeWireless V10.41.06 User Guide 2230 Conguring the ExtremeWireless APs Figure 47: Sample NTP Server Settings D Firmware Browse to the camera image (.dlf le) and apply the image. Camera rmware is distributed and managed from the controlling ExtremeWireless appliance. If GTAC Support determines that a specic rmware version is required on your device, the on-board rmware upload functionality can be used to install the image. GTAC will provide the necessary rmware (.d) le. Backup Save camera settings to a backup le or restore settings from an existing backup le. raft Figure 48: Sample Backup /Restore Settings Reset to Default/Reboot Reset Camera Defaults Rest camera to factory default settings. Backup current settings before resetting to factory default settings. Reboot Camera Restarts the camera. The current camera settings are retained after a camera restart. Network Network settings for the AP3916ic camera. ExtremeWireless V10.41.06 User Guide 2231 Conguring the ExtremeWireless APs IP Conguration Congure network settings for the camera port. NNote Dynamic IP (DHCP) is the default network Mode. D Figure 49: Sample IP Conguration Settings Universal Plug and Play (UPnP) raft Figure 50: Sample Discovery Settings: UPnP Media Congure settings for: video, camera, advanced settings, privacy mask, and audio. Video ExtremeWireless V10.41.06 User Guide 232 Conguring the ExtremeWireless APs raftFigure 51: Sample Video Conguration Settings The video feed assumes a ceiling mount default orientation. When installing the AP in any other orientation, adjust the video feed accordingly. For example,when the AP is installed as a desk-

mount, the video Mirror/Flip setting should be Flip. Camera ExtremeWireless V10.41.06 User Guide 2233 Conguring the ExtremeWireless APs D Figure 52: Sample Camera Settings Advanced raft Figure 53: Sample Camera Advanced Settings Audio ExtremeWireless V10.41.06 User Guide 2234 Conguring the ExtremeWireless APs D Figure 54: Sample Camera Audio Settings User Management Add and delete user accounts, change user settings, and change user password. User List raft Figure 55: User Management Settings NNote You cannot delete the Administrator account. Performing AP Software Maintenance When a new version of AP software becomes available, you can install it from the controller. You can congure each AP to upload the new software version either immediately, or the next time the AP connects to the controller. You can also set up a maintenance cycle for specic APs using the options ExtremeWireless V10.41.06 User Guide 235 Conguring the ExtremeWireless APs available on the AP Maintenance Cycle tab. Part of the AP boot sequence seeks and installs its software from the controller. WWarning Never disconnect an AP from its power supply during a rmware upgrade. Disconnecting an AP from its power supply during a rmware upgrade may cause rmware corruption rendering the AP unusable. You can modify most of the radio properties on an AP without requiring a reboot of the AP. During upgrade, the AP keeps a backup copy of its software image. When a software upgrade is sent to the AP, the upgrade becomes the AP's current image and the previous image becomes the backup. In the event of failure of the current image, the AP runs the backup image. Maintaining the List of Current AP Software Images The following screen appears:

From the top menu, click AP. To maintain the list of current wireless AP software images:

1 2 In the left pane, click Global > Maintenance. D r Figure 56: AP Software Maintenance 3 In the AP Images for Platform drop-down list, click the appropriate platform. 4 To select an image to be the default image for a software upgrade, click it in the list, and then click Set as default. ExtremeWireless V10.41.06 User Guide 236 Conguring the ExtremeWireless APs 5 In the Upgrade Behavior section, select one of the following:

Upgrade when AP connects using settings from Controlled Upgrade The CControlled Upgrade tab is displayed when you click Save. Controlled upgrade allows you to individually select and control the state of an AP image upgrade: which APs to upgrade, when to upgrade, how to upgrade, and to which image the upgrade or downgrade should be done. Administrators decide on the levels of software releases that the equipment should be running. Always upgrade AP to default image (overrides Controlled Upgrade settings) Selected by default. Allows for the selection of a default revision level (rmware image) for all APs in the domain. As the AP registers with the controller, the rmware version is veried. If it does not match the same value as dened for the default-image, the AP is automatically requested to upgrade to the default-image. 6 To save your changes, click Save. Related Links Upgrading the Camera Image Manually on page 237 D Upgrading the Camera Image Manually The camera image (.dlf le) is distributed within the controller builds. The AP manages the camera image camera images are automatically upgraded with the AP image upgrade when a new camera image is available. The AP3916ic is an 11ac Wave 2 AP with an integral security camera that lets you extend your Wireless LAN and provide simultaneous wireless service, BLE or 802.15.4 coverage and security in public spaces, such as classrooms and offices. raft From the top menu, click AP. 1 2 In the left pane, click Global > Maintenance. 3 From the AAP Software Maintenance tab, under Download AP Images:

a Provide the necessary information to download the camera image le. b Select AP3916-Camera as the Platform. c Click Download. You have the option to upgrade the camera image manually if necessary. To upgrade the AP3916ic camera image manually:

4 Under Upgrade Behavior, select Upgrade when AP connects using settings from Controlled Upgrade. ExtremeWireless V10.41.06 User Guide 237 Conguring the ExtremeWireless APs 5 Click Save. The CControlled Upgrade tab displays. D Figure 57: Manually Upgrading Camera Image 6 Select the CControlled Upgrade tab. raft Figure 58: Controlled Upgrade Tab 7 Select AP Platform: AP3916-camera. 8 Select the camera image le. 9 Click Camera Image Upgrade. Scheduling a Maintenance Cycle for Specic APs To schedule a maintenance cycle for specic APs:

ExtremeWireless V10.41.06 User Guide 238 Conguring the ExtremeWireless APs 1 Go to AP. 2 In the left pane, click Global Settings > Maintenance. 3 Click the AAP Maintenance Cycle tab. The following screen appears:

aft 4 Click the Start At box to display the CChoose Time dialog. 5 Adjust the sliders for both Hour and Minute to set the time for the AP maintenance cycle, then click Done. 6 In the Duration drop-down, select the desired duration time (in hours). 7 Under Recurrence, select the desired frequency. 8 Under Platforms, select the AP(s) that are included in the maintenance cycle. 9 Click Save. Deleting a Wireless AP Software Image To delete a wireless AP software image:

From the top menu, click AP. The AAP screen displays. 1 2 In the left pane, click Global > Maintenance. 3 In the AP Images for Platform drop-down list, click the appropriate platform. 4 In the AP Images list, click the image you want to delete. ExtremeWireless V10.41.06 User Guide 239 Conguring the ExtremeWireless APs 5 Click Delete. The image is deleted. Downloading a new Wireless AP Software Image To download a new wireless AP software image:

From the top menu, click AP. 1 2 In the left pane, click Global Settings, then AP Maintenance. The AAP Software Maintenance tab is displayed. 3 In the Download AP Images list, type the following:

FTP Server The IP of the FTP server to retrieve the image le from. User ID The user ID for the controller to use when it attempts to log in to the FTP server. Password The corresponding password for the user ID. Conrm The corresponding password for the user ID to conrm it was typed correctly. Directory The directory on the server in which the image le to be retrieved is stored. Filename The name of the image le to retrieve. Platform The AP hardware type to which the image applies. The are several types of AP and D they require different images. 4 Click Download. The new software image is downloaded. From the top menu, click AP. 1 2 In the left pane, click Global > Maintenance. 3 Under upgrade behavior, select Upgrade when AP connects using settings from Controlled raft Dening Parameters for a Controlled Software Upgrade To dene parameters for a wireless AP controlled software upgrade:

Upgrade. The CControlled Upgrade tab displays. ExtremeWireless V10.41.06 User Guide 240 Conguring the ExtremeWireless APs 4 Click the CControlled Upgrade tab. aft Note The CControlled Upgrade tab is displayed only when the Upgrade Behavior is set to Upgrade when AP connects using settings from Controlled Upgrade on the AAP Software Maintenance tab. 5 In the Select AP Platform drop-down list, click the type of AP you want to upgrade. 6 In the Select an image to use drop-down list, click the software image you want to use for the upgrade. 7 In the list of registered Wireless APs, select the check box for each AP to be upgraded with the selected software image. 8 Click Apply AP image version. The selected software image is displayed in the Upgrade To column of the list. 9 To save the software upgrade strategy to be run later, click Save for later. ExtremeWireless V10.41.06 User Guide 241 Conguring the ExtremeWireless APs 10 To run the software upgrade immediately, click Upgrade Now. The selected AP reboots, and the new software version is loaded. NNote The Always upgrade AP to default image check box on the AAP Software Maintenance tab overrides the Controlled Upgrade settings. 11 To upgrade without interrupting service, click Upgrade without interrupting service. If you click this option while the upgrade scheduler is running, the schedule is interrupted, and the current upgrade cycle calculates a new schedule that includes APs that weren't upgraded. Understanding the ExtremeWireless LED Status 39xx Series Wireless APs After you power on and boot the AP for the rst time, you can congure LED behavior as described in Conguring Wireless AP LED Behavior on page 259. When you power on and boot an AP, you can follow its progress through the registration process by observing the LED sequence as described in the following sections:

39xx Series Wireless APs 38xx Series Wireless APs on page 251 37xx Series Wireless APs on page 255 D raft The following AP39xx model access points are supported by ExtremeWireless:

AP3917i/e AP3916i/e AP3915i/e AP3912i/e AP3935i/e AP3965i/e ExtremeWireless V10.41.06 User Guide 242

 

 

Conguring the ExtremeWireless APs AP3917 LED Indicators D Figure 59: AP3917i LEDs and Features Table 26: AP3917 LEDs IItem Description Status Color raft Indicates that the IoT application is running. Indicates that the radio is enabled. Indicates that the radio is enabled. Indicates AP is working normally. Indicates System Failure. Amber Green Green Green Blue 1 (IoT Radio) 2 (5 GHz radio) 3 (2.4 GHz radio) 4 (Status LED) Table 27: AP3917 Features Item Description 5 6 7 8 Ethernet Port 1 (POE IN) Ethernet Port 2 (Client Port) Console Gore Vent ExtremeWireless V10.41.06 User Guide 243 Conguring the ExtremeWireless APs AP3916 LED Indicators D Figure 60: Front View of AP3916ic The following features are on the front of the AP:

Description raft The power reset button is recessed and located on the top of the AP. Use a tool to press the reset button. The locking pin lets you adjust and set the rotational position of the camera. The thumbscrews let you adjust and set the tilt angle of the camera. Remove the caps to access the thumbscrews. Description IItem 1 - Reset Button 2 - Cap 3 - Thumbscrew 4 - Locking Pin Table 28: LEDs Symbol The following LEDs are located on the top cover of the AP:

Camera IoT (BLE or 802.15.4) ExtremeWireless V10.41.06 User Guide 244 Conguring the ExtremeWireless APs Table 28: LEDs (continued) SSymbol Description Radio 2 (2.4 GHz) Radio 1 (5 GHz) LAN 1 (Ethernet 1) D Status AP3915i LED Indicators The AP3915i has the following LEDs:

raft ExtremeWireless V10.41.06 User Guide 245 Conguring the ExtremeWireless APs raftFigure 61: AP3915i LEDs Table 29: AP3915i LEDs IItem Indicates AP is working normally. Indicates System Failure. 1 (Status LED) Description Amber Status Green 2 (2.4 GHz radio) 3 (5 GHz radio) 4 (IoT Radio) Green Indicates radio is enabled. Green Indicates radio is enabled. Blue Indicates IoT application is running. ExtremeWireless V10.41.06 User Guide 246 Conguring the ExtremeWireless APs NEW! AP3915e LED Indicators AP3915e access points have LED indicators on the front of the box. The LEDs provide the status of the access point indicating on, off,and network activity. aft Description Indicates IoT application is running. Radio 1, 5GHz. Indicates radio is enabled. Figure 62: AP3915e Top View Table 30: AP3915e LED Indicators Status IItem Blue Green 1 (IoT Radio) 2 (5 GHz radio) ExtremeWireless V10.41.06 User Guide 247 Conguring the ExtremeWireless APs Description Radio 2, 2.4GHz. Indicates radio is enabled. Indicates AP is working normally. Indicates System Failure. Table 30: AP3915e LED Indicators (continued) IItem Status Green Green Amber 3 (2.4 GHz radio) 4 (Status LED) AP3912 LED Indicators The AP3912i has six LED indicators. The LEDs provide status information on the current state of the AP3912i. D raft ExtremeWireless V10.41.06 User Guide 248 Conguring the ExtremeWireless APs ftFigure 63: AP3912i LEDs Table 31: AP3912i LED Status Indicators LLED Indicator 1 (Status) 2 (Ethernet link state) LAN 1 Status Green Amber Amber Green Description Indicates AP is working normally System failure Indicates a valid 1Gbps Ethernet link Indicates a valid 10Mbps or 100Mbps Ethernet link ExtremeWireless V10.41.06 User Guide 249 Conguring the ExtremeWireless APs Table 31: AP3912i LED Status Indicators (continued) LLED Indicator Status Description 3 (Radio 1) 4 (Radio 2) 5 (PSE Client Port) Green Indicates Radio 1 is enabled Green Indicates Radio 2 is enabled Green Uplink AP port detects AF PoE

(Power over Ethernet) source 6 (BLE) D AP3935, AP3965 LED Indicators Green Indicates IoT (BLE or 802.15.4) is enabled The AP3935 and AP3965 provide 5 LED indicators. The LEDs provide status information on the current state of the AP. raft Table 32: LED Indications AP3935 and AP3965 LED Status 1 (AP status) 2 (Ethernet link state) LAN 1 On Green Flashing Green On Amber On Green On Amber Description Indicates that the AP is working normally. Indicates:

running a self test loading software program Indicates a CPU/system failure. Indicates a valid 100Mbps Ethernet link. Indicates a valid 1Gbps Ethernet link. ExtremeWireless V10.41.06 User Guide 250 Conguring the ExtremeWireless APs Table 32: LED Indications AP3935 and AP3965 (continued) LLED Status Description 3 (Ethernet link state) LAN 2 4 (Radio 1 (5 GHz) status) Off On Green On Amber Off On Green Off 5 (Radio 2 (2.4 GHz) status) On Green Indicates the link is down. Indicates a valid 100Mbps Ethernet link. Indicates a valid 1Gbps Ethernet link. Indicates the link is down. Indicates Radio 1 is enabled. Indicates Radio 1 is not on. Indicates Radio 2 is enabled. Indicates Radio 2 is not on. Off D 38xx Series Wireless APs The following AP38xx model access points are supported by ExtremeWireless:

WS-AP3801i WS-AP3805i/e WS-AP3865 WS-AP3825 raf The WS-AP3801i provides three LED indicators. The LEDs provide status information on the current state of the WS-AP3801i. WS-AP3801i LED Indicators Figure 64: AP3801i Top View ExtremeWireless V10.41.06 User Guide 251 Table 33: AP3801i LED Status Indicators LLED Status 1 (Power) On Green Flashing Green On Red On Green 2 (Radio 1 Status) Conguring the ExtremeWireless APs Description Indicates the AP3801 is working normally. Indicates:

running a self test loading software program Indicates a CPU or system failure. Indicates Radio 1 (5.0 GHz) is enabled. Indicates Radio 2 (2.4 GHz) is enabled. 3 (Radio 2 Status)) On Green D WS-AP3805i/e LED Indicators The WS-AP3805i/e provides three LED indicators. The LEDs provide status information on the current state of the WS-AP3805i/e. raft Figure 65: AP3805i/e Top View Table 34: AP3805i/e LED Status Indicators LED Status Description 1 (Power) On Green Flashing Green Indicates the AP3805 is working normally. Indicates:

running a self test loading software program On Red Indicates a CPU or system failure. ExtremeWireless V10.41.06 User Guide 252 Conguring the ExtremeWireless APs Table 34: AP3805i/e LED Status Indicators (continued) LLED Status Description 2 (Radio 1 Status) 3 (Radio 2 Status)) On Green On Green Indicates Radio 1 (5.0 GHz) is enabled. Indicates Radio 2 (2.4 GHz) is enabled. WS-AP3865 LED Indicators The WS-AP3865e has ve LED indicators. The LEDs provide status information on the current state of the WS-AP3865e. D raft Figure 66: WS-AP3865e LEDs ExtremeWireless V10.41.06 User Guide 253 Table 35: WS-AP3865 LED Indications LLED Status 1 (Radio 1 status) 2 (Radio 2 status) 3 (Ethernet link state) LAN 2 On Green Off On Green Off On Green On Amber Off Conguring the ExtremeWireless APs Description Indicates Radio 1 is enabled. Indicates Radio 1 is not on. Indicates Radio 2 is enabled. Indicates Radio 2 is not on. Indicates a valid 100Mbps Ethernet link. Indicates a valid 1Gbps Ethernet link. Indicates the link is down. Indicates a valid 100Mbps Ethernet link. Indicates a valid 1Gbps Ethernet link. Indicates the link is down. 4 (Ethernet link state) LAN 1 On Green D 5 (AP status) On Amber Off WS-AP3825 LED Indicators The WS-AP3825 has ve LED indicators. The LEDs provide status information on the current state of the WS-AP3825. On Green On Amber Flashing Green Indicates a CPU/system failure. Indicates the WS-AP3865 is working normally. Indicates:

running a self test loading software program raft Figure 67: WS-AP3825 LEDs ExtremeWireless V10.41.06 User Guide 254 Table 36: WS-AP3825 LED Indications LLED Status 1 (AP status) On Green 2 (Ethernet link state) LAN 1 Flashing Green On Amber On Green On Amber Conguring the ExtremeWireless APs Description Indicates the WS-AP3825 is working normally. Indicates:

running a self test loading software program Indicates a CPU/system failure. Indicates a valid 100Mbps Ethernet link. Indicates a valid 1Gbps Ethernet link. Indicates the link is down. Indicates a valid 100Mbps Ethernet link. Indicates a valid 1Gbps Ethernet link. Off 3 (Ethernet link state) LAN 2 D 4 (Radio 2 status) On Amber On Green Off Off Off On Green On Green 5 (Radio 1 status) Indicates the link is down. Indicates Radio 1 is not on. Indicates Radio 2 is not on. Indicates Radio 1 is enabled. Indicates Radio 2 is enabled. raft The ExtremeWireless AP37xx series are 802.11n APs, with added capacity for intrusion threat detection and prevention capability. The LED indicators on these are described in the following subsections:

WS-AP3710 LED Indicators on page 256 WS-AP3715 LED Indicators on page 257 AP3765/AP3767/W786C LED Status on page 259 The WS-AP3705i provides four LED indicators (see Figure 68). The LEDs provide status information

(see Table 37) on the current state of the WS-AP3705i. 37xx Series Wireless APs WS-AP3705i LED Indicators ExtremeWireless V10.41.06 User Guide 255 Conguring the ExtremeWireless APs D Figure 68: AP3705i Top View Table 37: AP3705i LED Status Indicators LLED Status On Green Description raft Indicates:

running a self test loading software program Indicates the AP3705 is working normally. Indicates a valid 100Mbps Ethernet link. Indicates Radio 2 (2.4 GHz) is enabled. Indicates a valid 1Gbps Ethernet link. Indicates Radio 1 (5 GHz) is enabled. Indicates a CPU or system failure. Indicates the link is down. Flashing Green On Green On Green On Green On Blue On Red Off 1 (Power) 2 (Ethernet Link) 3 (Radio 2 Status) 4 (Radio 1 Status)) WS-AP3710 LED Indicators Both models (AP3710i and AP3710e) of the WS-AP3710 have four LED indicators, shown in Figure 69. The LEDs provide status information, described in Table 38 on page 257, on the current state of the WS-

AP3710. ExtremeWireless V10.41.06 User Guide 256 Conguring the ExtremeWireless APs D Figure 69: WS-AP3710 LEDs (Front, lower right) Identies Power Indicator LED Table 38: WS-AP3710 LED Indications LLED Status 1 (AP status) On Green Identies LAN Indicator LED Identies Radio Indicator LEDs raft Indicates:

running a self test loading software program Indicates the WS-AP3710 is working normally. Indicates a valid 100Mbps Ethernet link. Indicates a valid 1Gbps Ethernet link. Indicates a CPU/system failure. Indicates Radio 1 is enabled. Indicates the link is down. Flashing Green Description On Green On Green On Blue On Red Off On Green Indicates Radio 2 is enabled. 2 (Ethernet link state) 3 (Radio 1 status) 4 (Radio 2 status) WS-AP3715 LED Indicators The WS-AP3715 has six LED indicators, as shown in Figure 70. The LEDs provide status information, described in Table 39 on page 258, on the current state of the WS-AP3715. ExtremeWireless V10.41.06 User Guide 257 Conguring the ExtremeWireless APs D Figure 70: WS-AP3715 LEDs Identies Power Indicator LED Table 39: WS-AP3715 LED Indications LLED Status 1 (AP status) Indicator LED Identies LAN Indicator LEDs Identies Radio raft Indicates:

running a self test loading software program Indicates the WS-AP3825 is working normally. Indicates a valid 100Mbps Ethernet link. Indicates a valid 1Gbps Ethernet link. Indicates a CPU/system failure. Flashing Green Description On Amber On Amber On Green On Green Off Indicates the link is down. 2 (Ethernet link state) LAN 1 3 (Ethernet link state) LAN 2 4 (Radio 2 status) 5 (Radio 1 status) On Green On Amber Off On Green Off On Green Off Indicates a valid 100Mbps Ethernet link. Indicates a valid 1Gbps Ethernet link. Indicates the link is down. Indicates Radio 2 is enabled. Indicates Radio 2 is not on. Indicates Radio 1 is enabled. Indicates Radio 1 is not on. ExtremeWireless V10.41.06 User Guide 258 Conguring the ExtremeWireless APs AP3765/AP3767/W786C LED Status The ExtremeWireless AP3765i, W786C, AP3765e, and AP3767e models are nearly identical in appearance (e models have external antenna ports). LED status indicator displays are the same on all three models. The frontal view of the housing cover (see Figure 71) displays six LEDs. These LEDs provide information on operating status. D Figure 71: Wireless Outdoor AP3765/AP3767/W786C LEDs Table 40: AP3765/AP3767 LED Status Indicators LLED Meaning Color raft Ethernet port 1 LED. When green on, indicates Ethernet port activity. When off, Ethernet is off, WDS is enabled. WLAN Radio 2 LED When green on, indicates Radio 2 is active. WLAN Radio 1 LED. When green on, indicates Radio 1 is active. Power LED. When on, indicates AP power is sourced from power supply. PoE power LED. When on, indicates AP power is sourced from PoE. Error LED. When on, indicates error. When off, indicates normal operation, AP connected to controller. L1 PoE P1 R1 R2 F Green Green Green Green Green Red Conguring Wireless AP LED Behavior You can congure the behavior of the LEDs so that they provide the following information:

ExtremeWireless V10.41.06 User Guide 259 Conguring the ExtremeWireless APs Table 41: LED Operational Modes LLED Mode Information Displayed Off Normal Identify Displays fault patterns only. LEDs do not light when the AP is fault free and the discovery is complete. Identies the AP status during the registration process during power on and boot process. All LEDs blink simultaneously approximately two to four times every second. Related Links You can congure the AP LED mode when you congure the following:

An individual AP. Multiple APs simultaneously. D Default AP behavior.DDDNote To congure the AP LED operational mode when conguring an individual wireless AP:

AP Multi-Edit Properties on page 111 AP Properties Tab - Advanced Settings on page 164 You can congure all four AP LED modes if you congure an individual AP or multiple APs simultaneously. If you congure the default AP behavior, the only LED modes available are Off and Normal. raft The AAP Conguration page displays with the AAP Properties tab exposed. 3 On the AAP Properties tab, click Advanced . 4 In the LED eld, select an LED operational mode. See Table 41 on page 260 for a description of each option. From the top menu, click AP > APs. 1 2 In the AP list, click a wireless AP (not the check box). Conguring Operational Mode with Multi-Edit Conguring Operational Mode for One AP To set the AP LED Operational Mode when using the AP Mulit-edit feature:

From the top menu, click AP. 1 2 Select the check box for more than one AP. 3 Click Actions > Multi Edit. The MMulti Edit dialog displays. 4 In the LED eld, select an LED operational mode. See Table 41 on page 260 for a description of each option. ExtremeWireless V10.41.06 User Guide 260 Conguring the ExtremeWireless APs Conguring AP Operational Mode Default Behavior To set the AP LED Operational Mode when conguring default AP behavior:

From the top menu, click AP. 1 2 In the left pane, click Global > Default Settings. 3 Click the AP tab that corresponds to the type of AP that you want to congure. 4 Click Advanced. The AAdvanced window displays. In the LED eld, select an LED operational mode. See Table 41 on page 260 for a description of each option. D raft ExtremeWireless V10.41.06 User Guide 261 5 Conguring Topologies TTopology Overview Conguring the Admin Port Conguring a Basic Data Port Topology Creating a Topology Group Edit or Delete a Topology Group Enabling Management Traffic Layer 3 Conguration Exception Filtering Multicast Filtering D Topology Overview A topology can be thought of as a VLAN (Virtual LAN) with at least one egress port, and optionally, sets of services, exception lters and multicast lters. ExtremeWireless makes use of a number of different topology modes:

Admin - This is the topology to which the management plane's administration interface is assigned. It is the only topology that can be assigned to the administration interface. The interface must be present at layer 3 to receive management related traffic such as ssh, https and RADIUS. This interface supports IPv4 and IPv6. raft Physical - A physical mode topology is intended to be used for management purposes. A physical topology can also be used to carry station traffic for a "3rd party VNS", a VNS that uses non-

Extreme Networks wireless APs. A physical topology can be assigned to any of the data plane ports on the controller. Routed - For this type of topology the controller acts as a router between the topology's VLAN and the rest of the network. The controller's data plane ports can be assigned to this type of topology. Bridged Traffic Locally at EWC - For this type of topology the controller bridges traffic for the station through its interfaces, rather than routing the traffic. For this type of topology the station's

"point of presence" on the wired network is the data plane port assigned to the topology. Bridged Traffic Locally at AP - This type of topology is assigned to APs. For this type of topology the AP bridges traffic between its wired and wireless interfaces without involving the controller. The station's "point of presence" on the wired network for a bridged at AP topology is the AP's wired port. Note IPv6 is supported for Layer 2 bridging for both B@AC and B@AP topologies. Fabric Attach - The Fabric Attach topology type allows an AP to attach to a Shortest Path Bridging

(Fabric Connect) Network. The client component on the AP communicates directly with the server on an edge switch (or it can communicate with the server through a proxy) to allow the AP to request VLAN to I-SID (backbone Service Identier [IEEE 802.1 ah] mappings). The Fabric Attach ExtremeWireless V10.41.06 User Guide 262 Conguring Topologies topology type is similar to B@AP with the added I-SID parameter. Fabric Attach can be congured on a controller anywhere a B@AP topology can be congured. Dene the following parameters on the Topologies conguration page:

VLAN ID and associated L2 port L3 (IP) interface presence and the associated IP address and subnet range The rules for using DHCP (Dynamic Host Conguration Protocol) Enabling or disabling the use of the associated interface for management/control traffic Selection of an interface for AP registration Multicast lter denition Exception lter denition Related Links Conguring the Admin Port on page 263 Fabric Attach Topology on page 269 At most, one physical topology can be enabled for the multicast support for Routed VNS. This can be congured on the new physical port GUI. management plane of the controller. The controller has two types of Layer 2 ports:

Admin - which can only be used for management-related purposes. It is connected directly on the D Physical - which can be used for a variety of purposes, including bridging and routing as well as management. The physical ports are directly connected to the controller's data plane, although traffic received at physical ports may be sent up the exception path to the management plane. raft The Admin port is a physical ethernet port directly connected to the controller's management plane. It provides a dedicated connection to a secure management VLAN. The controller can use the Admin port to interact with RADIUS, SNMP (Simple Network Management Protocol),and Extreme Management Center servers. 1 From the top menu, click Controller. Conguring the Admin Port ExtremeWireless V10.41.06 User Guide 263 Conguring Topologies 2 In the left pane, click Network > Topologies. The TTopologies tab is displayed. aft Figure 72: Network Topologies ExtremeWireless V10.41.06 User Guide 264 Conguring Topologies 3 To change any of the associated Admin parameters, click on the Admin topology entry. The EEdit Topology dialog appears. D Figure 73: Edit Topology raft The MTU value species the Maximum Transmission Unit or maximum packet size for this topology. The xed value is 1500 bytes for physical topologies. The maximum MTU can be increased to 1800 bytes by enabling Jumbo Frames support (for more information, see Setting Up the Data Ports on page 51). In the Mask eld, type the appropriate subnet mask for the IP address (typically, 255.255.255.0). The Static IP Address species the address assigned by the administrator. 4 Under Core, the Admin port Name and Mode are not congurable. 5 Under Layer 3 - IPv4, the following settings are available:

The Gateway eld species the IP address of the default gateway for the Admin port. ExtremeWireless V10.41.06 User Guide 265 Conguring Topologies 6 Under Layer 3 - IPv6, the following settings are available:

The Static IPv6 Address eld species the address assigned by the administrator. The Static IPv6 Gateway eld species the IP address of the default gateway for the Admin port. The Prex Length eld species the length of the IPv6 prex. Maximum is 64 bits. The MTU value species the Maximum Transmission Unit or maximum packet size for this topology. The xed value is 1500 bytes for physical topologies. The maximum MTU can be increased to 1800 bytes by enabling Jumbo Frames support (for more information, see Setting Up the Data Ports on page 51). The Dynamic IP Address lists the current auto-generated IPv6 addresses assigned to the Admin port. Conguring a Basic Data Port Topology To congure a basic data port topology:

NNote IPv6 supports multiple addresses on the same port including auto-generated addresses such as a link-local address, or an address created by combining the Router Advertisement prex with the interface ID. Auto-generated addresses generated via the Router Advertisement prex are dynamic and their availability depends on the existence of the prex (or lack of) in the Router Advertisement. D 7 Click Refresh to refresh the list of Dynamic IP Addresses and click Save . Or, click Cancel to close the EEdit Topology dialog without saving any changes to the port conguration. raft ExtremeWireless V10.41.06 User Guide 266 Conguring Topologies 1 From the top menu, click VNS. Then, in the left pane, select Topologies. The TTopologies window displays. aft Figure 74: Conguring a Topology 2 Select the topology to edit or click New to create a new topology. For more information, see Conguring a Basic Topology on page 267. Conguring a Basic Topology To congure a basic topology:

1 From the top menu, click VNS. Then, in the left pane, select Topologies. The TTopologies window displays. ExtremeWireless V10.41.06 User Guide 267 2 Select the topology to edit or click New to create a new topology. Conguring Topologies Figure 75: Conguring a basic topology raft Physical VLAN identier (1 - 4094), with at least one layer 2 member port (no mu associated). Routed Routed topologies do not require Layer 2 conguration (controller internal VLAN identier from valid range 1- 4094), and Layer 3 conguration. See Layer 3 Conguration on page 272 for more information. conguration. Bridge Traffic at the AP VNSs do not require the denition of a corresponding IP address since all traffic for users in that VNS will be directly bridged by the Wireless AP at the local network point of attachment (VLAN at AP port). Bridge Traffic Locally at AP Requires Layer 2 conguration. Does not require Layer 3 3 On the General tab, enter a name for the topology in the Name eld. 4 Select a mode of operation from the Mode drop-down list. Choices are:

Bridge Traffic Locally at EWC Requires Layer 2 conguration. May optionally have Layer 3 conguration. Layer 3 conguration would be necessary if services (such as DHCP, captive portal, etc.) are required over the congured network segment, or if controller management operations are intended to be done through the congured interface. Fabric Attach The Fabric Attach topology type is similar to B@AP with the added I-SID parameter. Fabric Attach can be congured on a controller anywhere a B@AP topology can be congured. See Bridge Traffic Locally at AP. ExtremeWireless V10.41.06 User Guide 268 Conguring Topologies 5 Congure the Layer 2 VLAN Settings, depending on the previously selected Mode. For Physical, enter a VLAN identier (2 - 4094), with at least one layer 2 member port (no MU associated). For Bridge Traffic Locally at EWC, enter a VLAN identier (2- 4094) that is valid for your system and enter the port to which this VLAN is attached to, according to the networking deployment model pre-established during planning. For Bridge Traffic Locally at AP, enter a VLAN identier (1 - 4094), 4094 is reserved for Internal VLAN ID. For Fabric Attach, enter a VLAN identier (1 - 4094), 4094 is reserved for Internal VLAN ID and an I-SID (service identier). Specify whether the VLAN conguration is Tagged or Untagged. To eliminate ARP Request Broadcast on the Wireless network, select ARP Proxy. ARP Proxy applies to traffic for Bridge Traffic Locally at AP Topologies. ARP Proxy is congurable per topology. For Port, select the Physical (Ethernet) or LAG (Link Aggregation Group) data port. For more D information, see Viewing and Changing the L2 Ports Information on page 52. 7 Click Save to save your changes. 6 (Optional) Provide a netmask in the Mask eld for topologies that do not support Layer 3. This Layer 3 Conguration on page 272 Creating a Topology Group on page 270 Enabling Management Traffic on page 272 option makes it possible to add the Framed-IP-Netmask attribute to the client RADIUS accounting request packets when the topology does not support Layer 3. These steps are sufficient to create and save a topology. The following conguration options are optional and depend on the mode of the topology. raft The Fabric Attach topology type allows an AP to attach to a Shortest Path Bridging (Fabric Connect) Network. The client component on the AP communicates directly with the server on an edge switch (or it can communicate with the server through a proxy) to allow the AP to request VLAN to I-SID

(backbone Service Identier [IEEE 802.1 ah] mappings). The Fabric Attach topology type is similar to B@AP with the added I-SID parameter. Fabric Attach can be congured on a controller anywhere a B@AP topology can be congured. Fabric Attach Topology Related Links Note When Fabric Attach is congured, LLDP (Link Layer Discovery Protocol) is automatically enabled on all APs associated with the topology. The setting cannot be disabled by users. The switch requires that the VLAN/I-SID mapping is unique per port per switch, therefore only one AP per switch port is allowed. The exception is WDS (Wireless Distribution Service). When using WDS, only the root AP in the mesh has a Fabric Attach client. The root AP handles all VLAN/I-SID mapping for all APs in its mesh. ExtremeWireless V10.41.06 User Guide 269 Conguring Topologies The controller enforces the unique VLAN/I-SID requirement for each Fabric Attach topology. A single controller supports up to 94 VLAN/I-SID mappings. This is a limit of LLDP. APs connected to a Fabric-enabled switch automatically use the default management VLAN that is congured on the switch. Moving an AP from a Fabric-enabled switch to a non Fabric-enabled switch requires a factory default reset to connect to the new management VLAN. NNote In a mobility scenario that includes a local and foreign controller, make sure the Fabric Attach topology conguration is the same on each controller, ensuring that an AP that moves between controllers has the same set of topologies. Fabric Attach is supported on all AP39xx series access points. D raft Important In rare cases, an unstable AP image can cause the AP to revert to an image that does not support Fabric Attach topologies. Connectivity between the AP and controller is preserved because the conguration is preserved, but the Fabric Attach feature will not work until the AP v10.41 image is restored. Therefore, we recommend that you upgrade an AP running v10.31 twice, ensuring that both the current and previous images are v10.41. Figure 76: Fabric Attach for FA Clients Automated Network Services Creating a Topology Group A topology group is a list of topologies with a unique name and a VLAN ID of its own. A topology groups name must be unique across topology groups and topologies since it will be used anywhere the topology name can be used. All the topologies in a dened group have the same type. For example, if the topology group mode is Routed, it only contains Routed topologies. The maximum number of topology groups for all platforms is 32. ExtremeWireless V10.41.06 User Guide 270 Conguring Topologies From the top menu, click VNS. 1 2 In the left pane, click Topologies. 3 On the TTopologies tab, click New Group. D Figure 77: Topology Group raft 6 Under Layer 2, VLAN Setting, enter a VLAN ID (1-4094). 7 Under Topologies, only the topologies of the groups type are shown & eligible for inclusion. Select topologies to be members of the group. A topology group must contain at least 1 topology. 4 Under Core, enter a name for the topology group. 5 Under Mode, select a mode from the drop-down menu. Choices are Bridge Traffic Locally at EWC and Routed. 8 Click Save. Edit or Delete a Topology Group To modify or delete a topology group:

From the top menu, click VNS. 1 2 In the left pane, click Topologies and click on a topology group to edit or delete. (Do not select the check box.) 3 To edit the group, in the Topologies pane, click Edit. The Topology list is populated with available topologies. 4 Check topology boxes to add topologies to the group. Clear the check boxes to remove topologies from the group. 5 To delete the topology group that you have open, click the Delete button. When a topology group is deleted, only the group is deleted, not the topologies it contains. ExtremeWireless V10.41.06 User Guide 271 Conguring Topologies 6 Click Save. 7 You can also delete the topology group from the TTopologies tab. a From the top menu, click VNS. b From the left pane, click Topologies. c Select the check box for the topology group to delete and click Delete Selected. d Click Save. Enabling Management Traffic If management traffic is enabled for a VNS, it overrides the built-in exception lters that prohibit traffic on the controller data interfaces. For more information, see Policy Rules on page 288. Layer 3 Conguration This section describes conguring Layer 3 of the network topology. Layer 3 conguration includes dening IP addresses, DHCP options, Next Hop and OSPF (Open Shortest Path First) parameters, for Physical port, Routed, and Bridge Traffic Locally at EWC topologies. Not all topologies support Layer 3. From the top menu, click either Controller or VNS. Then, in the left pane, select Topologies. 1 2 Select the desired physical or Routed topology. If the Layer 3 parameters are not displayed, check To enable management traffic for a topology:

D 3 Select the Management Traffic check box. 4 Click Save. the Layer 3 check box. raft Note IPv6 is not supported in Layer 3 conguration. Related Links IP Address Conguration on page 272 DHCP Conguration on page 274 Dening a Next Hop Route and OSPF Advertisement on page 277 IP Address Conguration The L3 (IP) address denition is only required for Physical port and Routed topologies. For Bridge Traffic Locally at EWC topologies, L3 conguration is optional. L3 conguration would be necessary if services such as DHCP, captive portal, AP registration (with up to 4 topologies) are required over the congured network segment or if controller management operations are intended to be done through the congured interface. Bridge Traffic Locally at AP topologies can dene a Mask and do not require the denition of a corresponding IP address since all traffic for users in that VNS will be directly bridged by the AP at the local network point of attachment (VLAN at AP port). ExtremeWireless V10.41.06 User Guide 272 Conguring Topologies To dene the IP address for the topology:

From the top menu, click Controller> Topologies, or VNS > Topologies. 1 2 Click New to create a new topology or select the topology you want to dene the IP address for. The TTopologies window is displayed. Depending on the preselected options, two or three tabs are displayed. 3 For IP interface conguration for Routed topologies, congure the following Layer 3 parameters. Figure 78: Conguring IP Address for Routed Topology raft default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to MUs (in the VNS) as the default gateway for the VNS subnet. (MUs target the controller's interface in their effort to route packets to an external host.) Note The Gateway eld only supports IPv4 addresses. network portion from the host portion of the address (typically, 255.255.255.0). a In the Gateway eld, type the controller's own IP address in that VNS. This IP address is the b In the Mask eld, type the appropriate subnet mask for the IP address. This separates the c If desired, enable Management traffic. 4 For IP interface conguration for Bridge Traffic Locally at EWC Topologies, congure the following Layer 3 parameters. ExtremeWireless V10.41.06 User Guide 273 Conguring Topologies D 1 Figure 79: IP Address for Bridged Traffic Locally In the Interface IP eld, type the IP address that corresponds to the controller's own point of presence on the VLAN. In this case, the controller's interface is typically not the gateway for the subnet. The gateway for the subnet is the infrastructure router dened to handle the VLAN. raft 3 Congure Strict Subnet Adherence. 4 If desired, congure AP Registration. If selected, wireless APs can use this port for discovery and 2 In the Mask eld, type the appropriate subnet mask for the IP address. This separates the network portion from the host portion of the address (typically, 255.255.255.0). Enabling Management Traffic on page 272 5 If desired, enable Management traffic. registration. RRelated Links DHCP Conguration You can congure DHCP settings for all modes except Bridge Traffic Locally at AP mode since all traffic for users in that VNS will be directly bridged by the AP at the local network point of attachment (VLAN at AP port). DHCP assignment is disabled by default for Bridged to VLAN mode. However, you can enable DHCP server/relay functionality to have the controller service the IP addresses for the VLAN

(and wireless users). ExtremeWireless V10.41.06 User Guide 274 Conguring Topologies To congure DHCP options:

1 Click VNS > Topologies > General and enable Layer 3. 2 From the DHCP drop-down list, select one of the following options and click Congure. Local Server if the controller's local DHCP server is used for managing IP address allocation. Use Relay if the controller forwards DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure. 3 If you selected Local Server, the following window displays. Congure the following parameters:

D In the Domain Name box, type the external enterprise domain name server to be used. 1 2 In the Lease default box, type the default time limit. The default time limit dictates how long a wireless device can keep the DHCP server assigned IP address. The default value is 36000 seconds (10 hours). raft 5 Check the Enable DLS DHCP Option check box if you expect optiPoint WL2 wireless phone traffic on the VNS. DLS is a Siemens application that provides conguration management and software deployment and licensing for optiPoint WL2 phones. 6 In the Gateway eld, type the controllers own IP address in that topology. This IP address is the default gateway for the topology. The controller advertises this address to the wireless devices when they sign on. For routed topologies, it corresponds to the IP address that is communicated to wireless clients as the default gateway for the subnet. (wireless clients target the controller's interface in their effort to route packets to an external host). 3 In the DNS Servers box, type the IP Address of the Domain Name Servers to be used. 4 In the WINS box, type the IP address if the DHCP server uses Windows Internet Naming Service

(WINS). For a Bridge traffic locally at the EWC topology, the IP address corresponds to the controller's own point of presence on the VLAN. In this case, the controller's interface is typically not the gateway for the subnet. The gateway for the subnet is the infrastructure router dened to handle the VLAN. 7 The Address Range boxes (from and to) populate automatically with the range of IP addresses to be assigned to wireless devices using this VNS, based on the IP address you provided. To modify the address in the Address Range from box, type the rst available address. ExtremeWireless V10.41.06 User Guide 2275 Conguring Topologies To modify the address in the Address Range to box, type the last available address. If there are specic IP addresses to be excluded from this range, click Exclusion(s). The DHCP Address Exclusion dialog is displayed. D In the DHCP Address Exclusion dialog, do one of the following:

Figure 81: DHCP Address Exclusion To specify an IP range, type the rst available address in the From box and type the last available address in the to box. Click Add for each IP range you provide. To specify an IP address, select the Single Address option and type the IP address in the box. raft 1 The Broadcast Address box populates automatically based on the Gateway IP address and subnet mask of the VNS. Click Add for each IP address you provide. To save your changes, click OK. 2 Click Close. Figure 80: DHCP Conguration 4 If you selected Use Relay, a DDHCP window displays. a in the DHCP Servers box, type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server. Note The DHCP Server must be congured to match the topology settings. In particular for Routed topologies, the DHCP server must identify the controller's interface IP as the default Gateway (router) for the subnet. Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream. 5 To save your changes, click Save. ExtremeWireless V10.41.06 User Guide 276 Conguring Topologies Dening a Next Hop Route and OSPF Advertisement The next hop denition allows the administrator to dene a specic host as the target for all non-VNS targeted traffic for users in a VNS. The next hop IP identies the target device to which all VNS (user traffic) will be forwarded to. Next-hop denition supersedes any other possible denition in the routing table. If the traffic destination from a wireless device on a VNS is outside of the VNS, it is forwarded to the next hop IP address, where this router applies role and forwards the traffic. This feature applies to unicast traffic only. In addition, you can also modify the OSPF route cost. dene a next-hop route. 3 In the Layer 3 area, click the Congure button. The DHCP conguration dialog displays. OSPF is an interior gateway routing protocol developed for IP networks based on the shortest path rst or link-state algorithm. Using OSPF, a host that obtains a change to a routing table or detects a change in the network immediately distributes the information to all other hosts in the network so that all will have the same routing table information. The host using OSPF sends only the part that has changed, and only when a change has taken place. D 1 2 In the left pane, expand the Topologies pane, then click the Routed topology for which you want to To dene a Next Hop Route and OSPF Advertisement:

From the top menu, click VNS. raft Figure 82: DHCP conguration 4 In the Next Hop Address box, type the IP address of the next hop router on the network through which you wish all traffic on the VNS using this Topology to be directed. ExtremeWireless V10.41.06 User Guide 277 Conguring Topologies 5 In the OSPF Route Cost box, type the OSPF cost of reaching the VNS subnet. The OSPF cost value provides a relative cost indication to allow upstream routers to calculate whether or not to use the controller as a better t or lowest cost path to reach devices in a particular network. The higher the cost, the less likely of the possibility that the controller will be chosen as a route for traffic, unless that controller is the only possible route for that traffic. 6 To disable OSPF advertisement on this VNS, select the Disable OSPF Advertisement check box. 7 Click Close. 8 Click Save. Exception Filtering The exception lter provides a set of rules aimed at restricting the type of traffic that is delivered to the controller. By default, your system is shipped with a set of restrictive lter rules that help control access through the interfaces to only those services that are absolutely necessary. D By conguring to allow management on an interface, an additional set of rules is added to the shipped lter rules that provide access to the system's management conguration framework (SSH, HTTPS, SNMP Agent). Most of this functionality is handled directly behind the scenes by the system, rolling and unrolling canned lters as the system's topology and dened access privileges for an interface change. Note An interface for which Allow Management is enabled can be reached by any other interface. By default, Allow Management is disabled and shipped interface lters will only permit the interface to be visible directly from its own subnet. raft The visible exception lter denitions, both in physical ports and topology denitions, allow administrators to dene a set of rules to be added to the system's dynamically updated exception lter protection rules. Rule evaluation is performed top to bottom, until an exact match is determined. Therefore, these user-dened rules are evaluated before the systems own generated rules. As such, these user-dened rules may inadvertently create security lapses in the system's protection mechanism or create a scenario that lters out packets that are required by the system. Note Use exception lters only if absolutely necessary. It is recommended that you avoid dening general allow all or deny all rule denitions since those denitions can easily be too liberal or too restrictive to all types of traffic. The exception rules are evaluated in the context of referring to the specic controller's interface. The destination address for the role rule denition is typically dened as the interface's own IP address. The port number for the lter denition corresponds to the target (destination) port number for the applicable service running on the controller's management plane. The exception lter on an topology applies only to the packets directed to the controller and can be applied to the destination portion of the packet, or to the source portion of the packet when ltering is enabled. Traffic to a specied IP address and IP port is either allowed or denied. Adding exception lter rules allows network administrators to either tighten or relax the built-in ltering that automatically drops packets not specically allowed by role rule denitions. The exception lter rules can deny access in the event of a DoS attack, or can allow certain types of management traffic that would otherwise be denied. Typically, Allow Management is enabled. ExtremeWireless V10.41.06 User Guide 278 Conguring Topologies From the top menu, click VNS. To dene exception lters:

1 2 In the left pane, select Topologies. 3 On the Topologies page, click the EException Filters tab. The EExceptions Filter page displays. t Figure 83: Topology Exception Filters 4 Select an existing topology from the right-hand pane to edit an existing topology, or click New to create a new topology. The TTopologies conguration page displays. The EException Filters tab is available only if Layer 3 (L3) conguration is enabled. 5 Click the EException Filters tab to display the EException Filters page. ExtremeWireless V10.41.06 User Guide 279 Conguring Topologies Table 42: Exception Filters page - Fields and Buttons FField/Button Description D IP:Port Allow Rule In Protocol Up, Down Add Delete Add Predened Save Advanced Mode Add Filter section IP/subnet:port Protocol Identies the type of role rule. Options are:

D - Default rule I - Internal (read-only) T - Local interface rule U - user-dened rule Identies the rule that applies to traffic from the network host or wireless device that is trying to get to a controller. You can change this setting using the drop-down menu. Options include:

Destination (dest) Source (src) - available in Advanced Filtering Mode only None Both - available in Advanced Filtering Mode only Click to remove this role rule. Identies the IP address and port to which this role rule applies. Click to add a role rule. The elds in the Add Filter area are enabled. Select the Allow check box to allow this rule. Otherwise the rule is denied. Select a role rule and click to either move the rule up or down in the list. The lter rules are executed in the order in which you dene them here In the Protocol drop-down list, click the applicable protocol. The default is N/A. raft Advanced ltering mode provides the ability to create bidirectional lters. If this controller participates in a mobility zone, before enabling advanced mode be sure that all controllers in the mobility zone are running V7.41 or greater. Note: After enabling advanced ltering mode, you can no longer use NMS Wireless Manager V4.0 to manage the controllers roles and you cannot switch back to basic lter mode unless you return the controller to its default state. Select a predened role rule. Click Add to add the rule to the rule table, otherwise click Cancel Click to save the conguration. Type the destination IP address. You can also specify an IP range, a port designation, or a port range on that IP address In the Protocol drop-down list, click the applicable protocol. The default is N/A. ExtremeWireless V10.41.06 User Guide 280 Conguring Topologies Table 42: Exception Filters page - Fields and Buttons (continued) FField/Button Description In Filter In the drop-down menu, select an option that refers to traffic from the network host that is trying to get to a wireless device. Options include:

Destination (dest) Source (src) - available in Advanced Filtering Mode only None Both - available in Advanced Filtering Mode only By default, user-dened rules are enabled on ingress (In), and are assumed to be Allow rules. To disable the rule in either direction, or to make it a Deny rule, click the new lter, then de-select the relevant check box. Multicast Filtering OK Cancel Click to add the role rule to the lter group. The information displays in the role rule table. D Click Cancel to discard your changes.DDNote A mechanism that supports multicast traffic can be enabled as part of a topology denition. This mechanism is provided to support the demands of VoIP and IPTV network traffic, while still providing the network access control. For External Captive Portal, you need to add an external server to a non-authentication lter. raft Note To use the mobility feature with this topology, you must select the Enable Multicast Support check box for the data port. Note Before enabling multicast lters and depending on the topology, you may need to dene which physical interface to use for multicast relay. Dene the multicast port on the IP Addresses tab. For more information, see Setting Up the Data Ports on page 51. Dene a list of multicast groups whose traffic is allowed to be forwarded to and from the VNS using this topology. The default behavior is to drop the packets. For each group dened, you can enable Multicast Replication by group. To enable Multicast for a topology:

1 On the Topologies page, click the Multicast Filters tab. ExtremeWireless V10.41.06 User Guide 281 Conguring Topologies aftFigure 84: Topology Multicast Filters IP Group Type the IP address range. Dened groups Click from the drop-down list. 2 To enable the multicast function, select Multicast bridging. 3 Dene the multicast groups by selecting one of the radio buttons:

NNote IPv6 traffic is supported for B@AC and B@AP topologies. 4 To enable the wireless multicast replication for this group, select the corresponding Wireless Replication check box. Wireless Replication lters multicast traffic being sent back to the wireless AP channel or wired network. Note Wireless replication takes effect only when Multicast Address is allowed. 5 Click Add. The group is added to the list above. ExtremeWireless V10.41.06 User Guide 282 Conguring Topologies 6 To modify the priority of the multicast groups, click the group row, and then click the Up or Down buttons. A Deny All rule is automatically added as the last rule, IP = *.*.*.* and the Wireless Replication check box is not selected. This rule ensures that all other traffic is dropped. 7 To save your changes, click Save. NNote The multicast packet size should not exceed 1450 bytes. D raft ExtremeWireless V10.41.06 User Guide 283 6 Conguring Roles RRoles Overview Conguring Default VLAN and Class of Service for a Role Policy Rules Roles Overview A role can contain any number of services in Policy Manager. A role is a set of network access services that can be applied at various points in a policy-enabled network. A port takes on a user's role when the user authenticates. Roles are usually named for a type of user such as Student or Engineering. Often, role names will match the naming conventions that already exist in the organization. The role name should match lter ID values set up on the RADIUS servers. D A VNS can have up to two roles assigned to it. The default non-authenticated role will be used while the station is not authenticated but able to access the network. The default authenticated role will be assigned to a station if it completes authentication successfully but the authentication process did not explicitly assign a role to the station. A role may also contain default access control (VLAN (Virtual LAN)) and/or Class of Service (priority) characteristics that will be applied to traffic not identied specically by the set of access services contained in the role. The set of services included in a role, along with any access control or class of service defaults, determine how all network traffic will be handled at any network point congured to use that role. raft Default Global Role denitions provide a placeholder for completion of incomplete roles for initial default assignment. If a role is dened as Default for a particular VNS, the role inherits incomplete attributes from Default Global Role denitions. Roles don't need to be fully specied; unspecied attributes are retained by the user or inherited from Global Role denitions (see Conguring the Global Default Policy on page 408 for more information). Conguring Default VLAN and Class of Service for a Role From the VLAN & Class of Service tab you can assign a previously congured topology to a role. You can also launch the Topology Conguration page to edit an existing topology or create a new one. For ExtremeWireless V10.41.06 User Guide 284 Conguring Roles information about how to congure a topology, refer to Conguring a Basic Data Port Topology on page 266. NNote The Conguration Manager (CM) checks overall conguration as conguration is entered. If CM detects mixed B@AC and B@AP rules in the same role, and the role has L7 lter rules, then the conguration is rejected. For more information, see Conguration Rules with L7 Filters on page 307. In general, CoS (Class of Service) refers to a set of attributes that dene the importance of a frame while it is forwarded through the network relative to other packets, and to the maximum throughput per time unit that a station or port assigned to the role is permitted. The CoS denes actions to be taken when rate limits are exceeded. 1 From the top menu, click VNS. To congure VLAN and Class of Service for a role:

D raft ExtremeWireless V10.41.06 User Guide 285 Conguring Roles 2 In the left pane expand the Roles pane and click the role you want to edit, or click New to create a new role. ft Figure 85: VLAN & Class of Service Tab 3 Select Policy Rules to congure the policy rules for the Role. For more information, see Conguring Policy Rules on page 298. Table 43: VLAN & Class of Service Tab - Fields and Buttons FField/Button Description Core Role Name Default Action Enter a name to assign to this role. ExtremeWireless V10.41.06 User Guide 286 Conguring Roles Table 43: VLAN & Class of Service Tab - Fields and Buttons (continued) FField/Button Description Select from one of the following:

None - No role dened No change - Default setting Allow - Packets contained to role's default action's VLAN/

Deny - Any packet not matching a rule in the Role is dropped. Containment VLAN - Any packet not matching a rule is sent to topology. dened VLAN. D Default Class of Service Note: VLAN is only visible when the user selects "Contain to VLAN" as the default access control action. Select an existing Topology, Topology Group, or click New to create a new Topology. To edit an existing Topology, select the VLAN and then click Edit. The Edit Topology page displays. For more information, see Conguring a Basic Topology on page 267. Select an existing class of service from the Default Class of Service drop-down list, or click New to create a new topology. To edit an existing class of service, select the class of service and then click Edit. The Edit Class of Service page displays. For more information, see Conguring Classes of Service on page 487. raft When enabled, this option sends a copy of the network packets to a mirroring L2 port for analysis, in an effort to monitor network traffic. The Purview Engine analyses the traffic. The assigned port can only be used for traffic analysis. You can enable traffic mirroring from the WLAN Service, from the Role, or from the Filter Rule. Setting traffic mirroring at the Filter Rule takes precedence over settings for the Role and WLAN Service. The order of precedence for the traffic mirror setting is: Filter Rule, Role, WLAN Service. To set the L2 port, go to VNS > Global > Netow/

MirrorN Conguration. Valid values for Filter Rule and Role are:

None - No traffic mirroring Enable - Traffic mirroring enabled. Traffic is copied if the lter rule Prohibited - Traffic mirroring is prohibited for this role. Traffic is not copied when the lter rule matches or the role is applied. matches or the role is applied. HTTP Redirection appears when the following conditions are present:

Rule-based Redirection is enabled on the VNS > Global > Filtering Mode screen. A lter exits with Access Control = HTTP Redirect.

(See Understanding the Filter Rule Denition Dialog on page 302.) Access Control VLAN Traffic Mirror HTTP Redirection ExtremeWireless V10.41.06 User Guide 287 Conguring Roles Table 43: VLAN & Class of Service Tab - Fields and Buttons (continued) FField/Button Description Select from one of the previously congured redirection URLs or click New to create a new redirection URL. For more information about setting up a redirection URL, see Managing Redirection URLs on page 421. WLAN (Wireless Local Area Network) Services with Captive Portals are included in this list. The default value for the redirection URL is Own WLAN, which indicates the current WLAN. This is identical to the current redirection behaviour. Redirection URL:

Status Synchronize Enable automatic synchronization with its availability peer. For more information about viewing synchronization status, see Using the Sync Summary on page 414. If this VNS is part of an availability pair, Extreme Networks recommends that you enable Synchronize. By default the WLAN Service is enabled. Clear this check box to disable the WLAN Service. D Advanced Button Static Egress Untagged VLANs For more information about rate control proles, see Working with Bandwidth Control Proles on page 407. Lists those VLANs (for multicast, broadcast, unicast) that a station assigned to a role receives from, even if it hasnt sent on it. Choose a VLAN as follows:

Click a VLAN from the list of available VLANs to use Click >> to move the VLAN to the active list of VLANs used Click OK to permit static conguration of egress untagged VLANs. raft You can dene policy rules for a role to specify network access settings for a specic user role. Network policies are a set of rules, dened in a specic order, that determine how connections are authorized or denied. If you do not dene policy rules for a role, the role's default action is applied to all traffic subject to that role. However, if you require user-specic lter denitions, then the lter ID conguration identies the specic role that is applied to the user. ExtremeWireless supports IPv6 prexes specied in policy lter rules. With a few considerations:

You cannot congure Captive Portal Redirection using IPv6 classiers. While you can http to IPv6 websites, you cannot apply Captive Portal redirection to http [s] over IPv6 . Policy Rules Application visibility rules are ignored for http[s] ows over IPv6. Related Links Understanding the Filter Rule Denition Dialog on page 302 L7 Conguration on page 307 ExtremeWireless V10.41.06 User Guide 288 Conguring Roles Matching Policy Rules Criteria The following criteria apply when trying to match rules. Many of these criteria accept a range of addresses or codes not just a single address or code. A policy rule consists of:

Match criteria An optional access control action (allow, deny) An optional class of service assignment D Policy rules can match on:

Source MAC address Destination MAC address IPv4 or IPv6 Source IP address IPv4 or IPv6 Destination IP address Source layer 4 port Destination layer 4 port IPv4 or IPv6 Source socket (IP address + port) IPv4 or IPv6 Destination socket (IP address + port) IP type ICMP (Internet Control Message Protocol) packet type and code ToS/DSCP marking 802.1p priority Ethertype raft Policy rule access control actions can be:

Allow Forward matching frames on the WLAN Service's default topology. Deny Drop matching frames. Contain to VLAN Forward matching frames on the indicated VLAN. None The rule does not have an access control action. The matching engines ignore a rule with an HTTP Redirect Redirect traffic to default URL 'Own WLAN' or to a URL that is dened on the Redirection URL screen. For more information, see Managing Redirection URLs on page 421. You can also specify a Redirection URL when you congure an External Captive Portal. For more information, see Conguring Firewall Friendly External Captive Portal on page 353. access control action of 'None'. Rule-Based Redirection You can now congure policy rules to explicitly redirect traffic to the captive portal denition assigned to the role, regardless of authentication status. Rule-based Redirection applies to HTTP and HTTPS traffic, and explicitly denes when traffic will be redirected. In previous releases, redirection automatically redirected an un-authenticated client to an ECP when a deny action, on HTTP(S) traffic, occurred. Rule-based redirection requires explicit enablement. For new installations, Rule-based Redirection is enabled by default. For upgrades from releases prior to v10.11, ExtremeWireless preserves the previous ExtremeWireless V10.41.06 User Guide 289 Conguring Roles captive portal redirection method of triggering redirect off denied HTTP/HTTPS for non-

authenticaticated roles. To enable Rule-based Redirection upon an upgrade, go to VNS > Global > Filtering Mode. D Figure 86: Enabling Rule-based Redirection To use Rule-based Redirection:

Verify that the feature is enabled. Congure roles with policy rules for redirection. Add the Redirect rules to the (non-auth) role denition; otherwise, the Deny All default action is interpreted explicitly, and traffic will be denied not redirected. raft Rule-based Redirection is explicit when the redirection ag is enabled and a rule is dened for redirection. The redirection destination can be dened on the role or as part of a WLAN Service conguration. If a redirection destination is not congured, the default destination is 'Own WLAN', which indicates the WLAN of the device. Redirection is allowed on any port. Congure a list of redirection URLs. Specify the redirection URL on the Role VVLAN & Class of Service tab. This value can be an IP

(Optional) And if redirecting to an ECP, congure the captive portal for redirected traffic. address, URL, or host name if using L7 host name rules. ExtremeWireless V10.41.06 User Guide 290 Conguring Roles RRelated Links D Figure 87: Example Role with Redirection specied. Understanding the Filter Rule Denition Dialog on page 302 Host Name DNS Support on page 312 Managing Redirection URLs on page 421 Conguring Firewall Friendly External Captive Portal on page 353 Conguring External and Mode 802.1 Captive Portal on page 351 Conguring Default VLAN and Class of Service for a Role on page 284 raft Deciding how to congure HTTP Redirection depends on the type of traffic you are allowing and the default Access Control value you congure on the role. You must congure the policy rules in the following order:

Allow policies Redirect policies (if using Rule-based Redirection) Deny policies. Allow Policies Conguring Rule-Based Redirection You can congure ve Allow policies or any combination of Allow and Deny policies on a single role. The following are ways to implement policy rules:

Allow All Policy. If you opt to allow all traffic. You only need one policy rule indicating that all traffic is allowed. ExtremeWireless V10.41.06 User Guide 291 Conguring Roles D Figure 88: Allow All Policy Conguration Combination of Allow and Deny policies, allowing specic traffic. raf Figure 89: Policy Rules Conguration Deny All Policy. When opting to deny all traffic, you must rst congure the 5 Allow policies to gather the parameters that direct the client to the FFECP. First congure the specic Allow policies, then congure the Deny All policy. ExtremeWireless V10.41.06 User Guide 2292 Conguring Roles D Redirect Policy Figure 90: Deny All Policy Conguration raft If Rule-based Redirection is enabled, congure at least one policy rule where the Access Control is set to HTTP Redirect. If Rule-based Redirection is disabled, congure at least one policy rule where the Access Control is set to Deny. For more information on conguring policy rules, including host name rules, see Understanding the Filter Rule Denition Dialog on page 302 and Conguring a Host Name Rule on page 312. Conguring Rule-Based Redirection on page 291 Understanding the Filter Rule Denition Dialog on page 302 Rule-Based Redirection on page 289 Host Name DNS Support on page 312 Conguring a Captive Portal on an AP on page 222 RRelated Links Rule Based Redirection to a Captive Portal Redirecting to a captive portal is a common rule-based redirection use case. The following is an example Allow conguration for rule-based redirection to a captive portal. The role allows the station to use DHCP (Dynamic Host Conguration Protocol) and DNS:

Access Control = Allow, Port = DNS Access Control = Allow, Port = DHCP Client. ExtremeWireless V10.41.06 User Guide 293 Conguring Roles Access Control = Allow, Port = DHCP Server. The role allows the station to communicate with the external captive portal server using HTTP or HTTPS. Access Control = Allow, IP/subnet = IP of Captive Portal Server Then specify the Captive Portal Server on the VVLAN Class of Service tab in the Redirection URL eld. The Redirection URL can be provided as a URL, IP address, or host name if using L7 Host Name DNS support. Policy Rules for a Non-authenticated Role The role must allow the station to send traffic to the controllers IP address on the VLAN containing the stations traffic; therefore, one Allow policy must include the IP/subnet that corresponds to the VLAN ID. Depending on the Default Access Control value on the role, this can be the VLAN ID specied on the role or the VLAN ID specied during WLAN Service conguration. When default Access Control = Allow, VLAN ID on the WLAN Service conguration is used. When default Access Control = Contain to VLAN, the VLAN ID on the Role conguration is used. D Access Control = Allow, IP/subnet = Congured VLAN subnet.DNote You cannot congure Captive Portal Redirection using IPv6 classiers. While you can http to IPv6 websites, you cannot apply Captive Portal redirection to http [s] over IPv6 . A VNS' non-authenticated role controls the access of stations until the station completes authentication. The role can be as restrictive or open as necessary. If the station is expected to authenticate, then the role may need to grant it access to resources required to complete the authentication. For example, if the station is expected to perform captive portal authentication then the non-authenticated role must allow the station to:

Perform DHCP address acquisition DNS name lookups Forward to the Captive Portal web server raft Dening non-authenticated roles allows administrators to identify destinations that a mobile user is allowed to access without incurring an authentication redirection. Typically, the recommended default rule is Deny All. However, administrators should dene a rule set that permits users to access essential services:

DNS (IP of DNS server) Default Gateway (VNS Interface IP) The administrator may grant unauthenticated stations access to other resources, but the recommended default action of a non-authenticated role is to drop all traffic that does not match a rule. Any HTTP streams requested by the client for denied targets is redirected to the specied location. The non-authenticated role should allow access to the Captive Portal page IP address, as well as to any URLs for the header and footer of the Captive Portal page. This lter should also allow network access to the IP address of the DNS server and to the network addressthe gateway of the Topology. The ExtremeWireless V10.41.06 User Guide 294 Conguring Roles gateway is used as the IP for an internal Captive Portal page. An external Captive Portal provides a specic IP denition of a server outside the wireless network. Redirection and Captive Portal credentials apply to HTTP traffic only. A wireless device user attempting to reach websites other than those specically allowed in the non-authenticated lter is redirected to the allowed destinations. Most HTTP traffic outside of that dened in the non-authenticated lter is redirected. NNote Although non-authenticated role denitions are used to assist in the redirection of HTTP traffic for restricted or denied destinations, the non-authenticated lter is not restricted to HTTP operations. The lter denition is general. Any traffic, other than HTTP, that the lter does not explicitly allow is discarded by the controller. The non-authenticated lter is applied to sessions until they successfully complete authentication. The authentication procedure results in an adjustment to the user's applicable Policy Rule for the access role. D Typically, default lter ID access is less restrictive than a non-authenticated prole. It is the administrators responsibility to dene the correct set of access privileges. Note Administrators must ensure that the non-authenticated lter allows access to the corresponding authentication server:

Internal Captive Portal IP address of the VNS interface External Captive Portal IP address of external Captive Portal server raft IP address of the captive portal Allow all incoming wireless devices access to the default gateway of the VNS. Description Table 44 lists the rules that a basic non-authenticated role for internal Captive Portal should have, in the specied order:

Table 44: Non-authenticated Role Example A In IP / Port Allow Out IP address of the DNS Server Allow all incoming wireless devices access to the DNS server of the VNS. x x x x x x x x

*.*.*.*. Default access control action is to deny all. Non-authenticated Role Examples Note For external Captive Portal, an additional rule to Allow (in/out) access to the external Captive Portal authentication/web server is required. If you place URLs in the header and footer of the Captive Portal page, you must explicitly allow access to any URLs mentioned in the authentication servers page, such as:

ExtremeWireless V10.41.06 User Guide 295 Conguring Roles Internal Captive Portal URLs referenced in a header or footer External Captive Portal URLs mentioned in the page denition Table 45 is another example of a non-authenticated lter that adds additional policy rules. The additional rules do the following:

Deny access to a specic IP address. Allow only HTTP traffic. Table 45: Non-authenticated Role Example B IIn IP / Port Allow Out Description x x x IP address of the default gateway Allow all incoming wireless devices access to the default gateway of the VNS. Allow all incoming wireless devices access to the DNS server of the VNS. x x x x IP address of the DNS Server D

[a specic IP address, or address plus range]

*.*.*.*:80 x x x x x x Once a wireless device user has logged in on the Captive Portal page and has been authenticated by the RADIUS server, then the following rules apply:

Role lters If a lter ID associated with this user is returned by the authentication server, then the Role with the same name as the lter ID will be applied. Default lter If no matching lter ID is returned from the authentication server. Deny all traffic to a specic IP address, or to a specic IP address range (such as:0/24).

*.*.*.*. Allow all port 80 (HTTP) traffic. Default access control action is to deny all. raft SSH sessions 192.168.18.0/24 Description

*.*.*.*:22-23 Deny all traffic to a specic IP address or address range Here are examples of possible policy rules for authenticated users. Table 46 disallows some specic access before allowing everything else. Table 46: Policy Rules Example A In IP / Port Allow Out Authenticated Rules Examples x

*.*.*.*. Default action is to allow everything else x x x x x x Table 47 allows some specic access and denies everything else. ExtremeWireless V10.41.06 User Guide 296 Table 47: Policy Rules Example B IIn IP / Port Allow Out x 192.168.18.0/24 x x x x

*.*.*.*. Default action is to deny all. Conguring Roles Description Allow traffic to a specic IP address or address range. Policy Rules for a Default Role After authentication of the wireless device user, the default lter applies only after the following conditions are met:

No lter ID attribute value is returned by the authentication server for this user. No Role match is found on the controller for the lter ID value. D The nal rule in the default lter should be a catch-all rule for any traffic that did not match a lter. A nal 'Allow All' rule in a default lter ensures that a packet is not dropped entirely if no match is found. VNS Role is also applicable for Captive Portal and MAC-based authorization. Default Role Examples The following are examples of policy rules for a default lter:

Table 48: Default Role Examples In IP / Port Allow Out Description 192.168.18.0/24 raft Default access control action is to allow or contain to VLAN Deny all incoming wireless devices access to Web browsing the host Deny all traffic from the network to the wireless devices on the port range, such as FTP (port 21) Allow all other traffic from the wireless devices to the Intranet network Deny all access to Web browsing Deny all access to a specic IP Deny all access to an IP range Port 80 (HTTP) on host IP 10.3.0.20, ports 10-30 Port 80 (HTTP) 192.168.18.10 10.3.0.20

*.*.*.*. 10.3.0.20

*.*.*.*. Allow all other traffic from Intranet network to wireless devices Default action is to deny/drop x x x x x x x x x x x x x x x x x Policy Rules Between Two Wireless Devices Traffic from two wireless devices that are on the same VNS and that are connected to the same AP will pass through the controller and therefore be subject to a ltering role. You can set up policy rules that ExtremeWireless V10.41.06 User Guide 297 Conguring Roles allow each wireless device access to the default gateway, but also prevent each device from communicating with each other. Add the following two rules to a lter, before allowing everything else:

Table 49: Rules Between Two Wireless Devices IIn IP / Port Description Allow Out x x x x x x x x 10.3.2.25 Allow access to the Gateway IP address of the VNS only 10.3.5.28.0/24 Deny all access to the VNS subnet range (such as 0/24)

*.*.*.*. Default access control action is contain to VLAN. Note You can also prevent the two wireless devices from communicating with each other by setting Block Mu to MU traffic. See Conguring a Basic WLAN Service on page 319. D Dening Policy Rules for Wireless APs topology, the ltering is applied to traffic in both the inbound and outbound direction, the inbound direction is from the wireless device to the network, and the outbound direction is from the network to the wireless device. You can also apply policy rules on the wireless AP. Applying policy rules at the AP helps restrict unwanted traffic at the edge of your network. All APs support 64 rules. Filtering at the AP can be congured with the following Topology types:

Bridge Traffic Locally at the AP If ltering at the AP is enabled on a Bridge Traffic Locally at the AP raft Routed and Bridge Traffic Locally at the EWC If ltering at the AP is enabled on a Routed or Bridge Traffic Locally at the EWC topology, the ltering is applied only to traffic in the inbound direction. The lters applied in the outbound direction at the AP can be the same as or different from lters applied at the controller. A role can use more than one topology and more than one type of topology. If a role uses at least one Bridged at AP topology, the AP lters all inbound traffic assigned to the rule. The controller performs all outbound ltering. From the PPolicy Rules tab, create and work with the policy rules for a role. If you do not dene policy rules for a role, then the role's default action is applied to all traffic subject to the role. Conguring Policy Rules To congure policy rules:

1 Navigate to the PPolicy Rules tab. (Click VNS > Roles > Policy Rules.) By default, the RRules tab appears, displaying a list of Policy Rules for the Role. ExtremeWireless V10.41.06 User Guide 298 Conguring Roles 2 You can take the following actions:

Add Edit Delete Up Down Top Bottom For information about adding or editing a rule, see Understanding the Filter Rule Denition Dialog on page 302. RRelated Links The PPolicy Rules tab displays the authentication policy rules for a user role. If you do not dene policy rules for a role, then the role's default action is applied to all traffic subject to the role. Understanding the Policy Rules Tab Conguring a Captive Portal on an AP on page 222 Rule-Based Redirection on page 289 D r Figure 91: Policy Rules Tab ExtremeWireless V10.41.06 User Guide 299 Conguring Roles Table 50: Policy Rules Tab - Fields and Buttons FField/Button Description Inherit policy rules from currently applied role Allow action in policy rules contains to the VLAN assigned by the role Select if you do not want to apply new lter settings. If you do not apply new lter settings, the wireless client uses lter settings from a previously applied role. If rules were never dened, then the system enforces the rules from the Global Default Policy. If you choose to apply new lter settings by not selecting this option, the new lter settings will overwrite any pre-existing lter settings. Note: This option only appears on roles that have been upgraded to 8.31 or later from a previous release and on new roles that have custom AP ltering enabled. AP Filtering Custom AP Rules Rules/Custom AP rules Tab D Select to apply the congured rules to the AP. Select to create a new lter denition to apply to the AP. The ag is provided for backward compatibility. The administrator can achieve the same effect by modifying each rule with an "Allow" action to "Contain to VLAN" where the containment VLAN is the one referenced by the role's default access control action. When enabled, the "Allow" action forwards the packet on the VLAN of the assigned topology of the containing policy. If the policy does not have a default topology, a series of decision rules are applied to decide which topology the packet was forwarded on. When disabled, the "Allow" action in policy rules is interpreted as

"contain to PVID". raft Identies the rule that applies to traffic from the wireless device that is trying to get on the network. You can change this setting using the drop-down menu. Options include:

Source (src) None Both - available in Advanced Filtering Mode only Indicates if the rule has QoS enabled. Policy-enabled QoS is a network service that provides the ability to prioritize different types of traffic and to manage bandwidth over a network. Displays the IP address and port to which this policy rule applies. Displays the applicable protocol. Identies the access control. Action Name Protocol QoS In Out Identies which IPv4 address eld is matched by the rule when applied in the outbound direction (toward the wireless device.) You can change this setting using the drop-down menu. Options include:

Destination (dest) Source (src) - available in Advanced Filtering Mode only None Both - available in Advanced Filtering Mode only The role for outbound traffic may be impacted by the selection

(mode) for Egress Filtering. For more information, see Conguring Egress Filtering Mode on page 410. ExtremeWireless V10.41.06 User Guide 300 Conguring Roles Table 50: Policy Rules Tab - Fields and Buttons (continued) FField/Button Description Add Edit Delete Up, Down, Top, Bottom Click to add a new rule. The FFilter Rule Denition dialog displays. See Understanding the Filter Rule Denition Dialog on page 302. Click to edit the selected denition. See Understanding the Filter Rule Denition Dialog on page 302. Click to delete the rule. Select a rule and click to either move the rule up or down in the list, or move the rule to the top of the list. The policy rules are executed in the order in which you dene them. Save Click to save the conguration. Custom AP Rules D In general, an AP that performs ltering should apply the same set of policy rules for a role as the controller. However, this is not mandatory. An AP can enforce a different set of rules than the controller. In general, avoid using Custom AP lters. Custom AP lters are provided primarily for backward compatibility. For example, they are useful when using policies that have more than 32 rules. There are restrictions on a role that uses custom AP ltering, including the following:

Custom Rules option is not visible when L7 lter rules are present. The role cannot use Layer 2 lter rules. The role cannot use 'Contain to VLAN' actions in rules. The role's default action must be 'Contain to VLAN' or 'No Change'. The role's static untagged egress VLAN list must be empty. raft Creating a Custom AP Filter on page 301 Understanding the Filter Rule Denition Dialog on page 302 1 Click VNS > Roles > Policy Rules and select the AP Filtering check box. To create a custom AP lter:

Creating a Custom AP Filter Related Links Note The AP Filtering option is not available when L7 lters are present. For more information, see Conguration Rules with L7 Filters on page 307. The Custom AP Rules check box appears. 2 Select the Custom AP Rules check box. The CCustom AP Rules tab appears. 3 Click the CCustom AP Rules tab. ExtremeWireless V10.41.06 User Guide 301 Conguring Roles 4 You can take the following actions:

Add Edit Delete Up Down Top Bottom For information about adding or editing a rule, see Understanding the Filter Rule Denition Dialog on page 302. RRelated Links Custom AP Rules on page 301 D Understanding the Filter Rule Denition Dialog Dene lter rules from the Figure 92. This dialog displays when you click Add or Edit from the Rules tab or from the Custom AP Rules tab. raft ExtremeWireless V10.41.06 User Guide 302 Conguring Roles ftFigure 92: Filter Rule Denition Dialog Table 51: Filter Rule Denition Dialog - Fields and Buttons FField/Button Description Classication Direction Select Layers 2-4 to display conguration options for the data link, routing, and transport layers. Select Layer 7 to congure options related to the application layer. For more information, see Layer 7 conguration. ExtremeWireless V10.41.06 User Guide 303 Conguring Roles Table 51: Filter Rule Denition Dialog - Fields and Buttons (continued) FField/Button Description In the drop-down menu, select which IPv4 addresses in the IP header to match for traffic owing from the station to the network. Options include:

Destination (dest) Source (src) - available in Advanced Filtering Mode only None Both - available in Advanced Filtering Mode only D Classication - Layer 2, 3, 4 Select a matching Ethertype lter for the selected policy rule. In the drop-down menu, select which IPv4 addresses in the IP header to match for traffic owing from the network to the station. Options include:

Destination (dest) Source (src) - available in Advanced Filtering Mode only None Both - available in Advanced Filtering Mode only The role for outbound traffic rules may be impacted by the selection

(mode) for Egree Filtering. For more information, see Conguring Egress Filtering Mode on page 410. Note: You cannot congure Captive Portal Redirection using IPv6 classiers. While you can http to IPv6 websites, you cannot apply Captive Portal redirection to http [s] over IPv6 . raft IP - select to map the rule to the associated Topology IP address. Subnet - select to map the rule to the associated Topology Select one of the following:

User Dened, then type the destination IP address and mask. Use From the Port drop-down list, select one of the following:

User Dened, then type the port number. Use this option to explicitly specify the port number. A specic port type. The appropriate port number or numbers are added to the Port text eld. Select Any MAC or User Dened and provide the Mac Address. this option to explicitly dene the IP/subnet aspect of the rule. Select a Priority from the drop-down list. segment denition (IP address/mask). In Filter Out Filter Ethertype Mac Address Priority IP/subnet Port Protocol ToS/DSCP Select In the Protocol drop-down list, click the applicable protocol. The default is N/A. Select the ToS/DSCP value to match, if any, to dene the Layer 3, 4 ToS/DSCP bits. Enter a hexadecimal value in the 0x (DSCP:) eld. Click the Select button to open the ToS/DSCP Conguration dialog. For more information, see Priority and ToS/DSCP Marking on page 491. ExtremeWireless V10.41.06 User Guide 304 Conguring Roles Table 51: Filter Rule Denition Dialog - Fields and Buttons (continued) FField/Button Description This is a mask for the ToS/DSCP eld match. The mask allows the match to be based on specic bits in the ToS/DSCP match value. Enter a hexadecimal value. Mask Application Application D Access Control Action Select from one of the following pre-dened IDs to support L5+

ltering:

None Link Local Multicast Name Resolution Query Link Local Multicast Name Resolution Response Simple Service Discovery Protocol Query Simple Service Discovery Protocol Unsolicited Announcement mDNS-SD Query mDNS-SD Response using a role that does not specify a topology. HTTP Redirect - Indicates redirect action. Select from one of the following:

None - No role dened. Allow - Packets contained to role's default action's VLAN topology. Deny - Any packet not matching a rule in the policy is dropped. Containment VLAN - A topology to use when a VNS is created raft Rule-based Redirection is explicit when the redirection ag is enabled and a rule is dened for redirection. The redirection destination can be dened on the role or as part of a WLAN Service conguration. If a redirection destination is not congured, the default destination is 'Own WLAN', which indicates the WLAN of the device. Redirection is allowed on any port. Note: Access control option Contain to VLAN and "Redirect" are not supported for L7 rules. For more information about Rule-based Redirection, see Rule-Based Redirection on page 289. Select an existing class of service from the drop-down list. For information about how to congure a Class of Service, go to Conguring Roles on page 284. Class of Service ExtremeWireless V10.41.06 User Guide 305 Conguring Roles Table 51: Filter Rule Denition Dialog - Fields and Buttons (continued) FField/Button Description Traffic Mirror When enabled, this option sends a copy of the network packets to a mirroring L2 port for analysis, in an effort to monitor network traffic. The Purview Engine analyses the traffic. The assigned port can only be used for traffic analysis.You can enable traffic mirroring from the WLAN Service, from the Role, or from the Filter Rule. Setting traffic mirroring at the Filter Rule takes precedence over settings for the Role and WLAN Service. The order of precedence for the traffic mirror setting is: Filter Rule, Role, WLAN Service. To set the L2 port, go to VNS > Global > Netow/MirrorN Conguration. Valid values for Filter Rule and Role are:

None - No traffic mirroring Enable - Traffic mirroring enabled. Traffic is copied if the lter rule matches or the role is applied. Prohibited - Traffic mirroring is prohibited for this role. Traffic is not copied when the lter rule matches or the role is applied. Cancel Related Links D OK L7 Conguration on page 307 Rule-Based Redirection on page 289 Conguring Policy Rules on page 298 Conguring a Captive Portal on an AP on page 222 Click Cancel to discard your changes. Click to add the rule to the lter group. The information is displayed in the role rule table. raft The Deep Packet Inspection (DPI) engine runs independently on the controller and on selected AP models (AP38xx and AP39xx). The DPI engine that is used depends on the underlying topology of the role. The controller DPI handles traffic for centralized topologies (Bridged@Controller and Routed) for traffic in both directions. The AP's DPI handles distributed topologies (Bridged@AP). Enabling App Visibility in the WLAN causes end-user traffic of the particular WLAN to be sent to and processed by the respective DPI engine. For DPI and L7 lters to work, each instance of the DPI engine running on the AP or on the controller must inspect traffic that is moving in both directions of the connection. DPI L7 Conguration Restrictions The mixed topologies (B@AP & tunneled in same role) are not supported, and are disabled in the user interface, when L7 application rules are dened in a role. As a result, the Contain to VLAN Action option is unavailable for conguration of an L7 Application Rule. For more information, see Conguration Rules with L7 Filters on page 307. Related Links Conguration Rules with L7 Filters on page 307 L7 Conguration on page 307 ExtremeWireless V10.41.06 User Guide 306 Conguring Roles Conguration Rules with L7 Filters The controller imposes the following L7 lter conguration rules:

Rule #1 If L7 lter rules are congured, AP lter and custom AP lter in Roles is disabled and the corresponding check box options are hidden. This allows the Conguration Manager to congure the system for upstream ltering at the controller, if possible, with no mixed B@AC and B@AP conguration within a role - enforced by Rule

# 3. Rule # 2 Access control options Contain to VLAN and "Redirect" are not supported for L7 rules. L7 Conguration For DPI to identify a ow, TCP packets (three-way handshake exchanges and initial payload packets) must be allowed to pass through the system. If after the traffic ow is classied and the system diverts the rest of the traffic ow to a different VLAN (and most likely to a different server), then the new server treats the packets as stray traffic. This is because the new server did not exchange a three-way handshake with the client for the connection. D If CM detects mixed B@AC and B@AP rules in the same role, and the role has L7 lter rules, then the conguration is rejected. Rule # 4 For L2/L3/L4 rule conguration, if COS is congured, the GUI prompts users to set AP lter. But, if L7 rules are present, then the GUI will always disable the AP lter option. (See Rule # 1.) Rule # 3 Conguration Manager (CM) checks overall conguration as conguration is entered. raft Use this dialog to congure lters that allow or deny specic applications or application groups from running on the network, and specify class of service and traffic mirroring. Dene Layer 7 lter rules. This dialog displays when you select L7 on the FFilter Rule Denition dialog. ExtremeWireless V10.41.06 User Guide 307 Conguring Roles Figure 93: L7 Properties - Filter Rule Denition Dialog Table 52: Filter Rule Denition Dialog - Fields and Buttons FField/Button Description raft Select Layer 7 to congure options related to the application layer. For more information about layers 2-4, see Understanding the Filter Rule Denition Dialog on page 302. Select which IPv4 addresses in the IP header to match for traffic owing from the station to the network. Options include:

Destination (dest) Source (src) - available in Advanced Filtering Mode only None Both - available in Advanced Filtering Mode only Classication Direction In Filter ExtremeWireless V10.41.06 User Guide 308 Conguring Roles Table 52: Filter Rule Denition Dialog - Fields and Buttons (continued) FField/Button Description Out Filter Application Select which IPv4 addresses in the IP header to match for traffic owing from the network to the station. Options include:

Destination (dest) Source (src) - available in Advanced Filtering Mode only None Both - available in Advanced Filtering Mode only The role for outbound traffic rules may be impacted by the selection

(mode) for Egree Filtering. For more information, see Conguring Egress Filtering Mode on page 410. Application Search D Group Type the application to search for. The Group and Name elds are automatically populated when you select an application from the Search eld. Name Custom Web Applications Action Names of applications that are a member of the specied group. You can include custom applications in the Filter Rule Denition dialog. For more information. see Including Custom Apps on page 313. Internet applications are organized in groups based on the type or purpose of the application. Once you select an Application Group, the Name drop-down is populated with application names that are part of the specied group. See Application Groups on page 311. raft Note: A role can be congured with application visibility rules and rules referencing IPv6 classiers, but the application visibility rules are ignored for http[s] ows over IPv6. They will continue to apply to ows over IPv4. ExtremeWireless V10.41.06 User Guide 309 Conguring Roles Table 52: Filter Rule Denition Dialog - Fields and Buttons (continued) FField/Button Description Access Control Select from one of the following:

None - No role dened. No change - Default setting. Allow - Packets contained to role's default action's VLAN/topology. Deny - Any packet not matching a rule in the policy is dropped. Containment VLAN - A topology to use when a VNS is created using a role that does not specify a topology. Note: Do not specify a VLAN with a Routed topology if the IPv6 classier is used. IPv6 classiers are not supported on a Routed topology. HTTP Redirect - Indicates redirect action. D For more information about Rule-based Redirection, see Rule-Based Redirection on page 289. Select an existing class of service from the drop-down list. For information about how to congure a Class of Service, go to Conguring Roles on page 284. Rule-based Redirection is explicit when the redirection ag is enabled and a rule is dened for redirection. The redirection destination can be dened on the role or as part of a WLAN Service conguration. If a redirection destination is not congured, the default destination is 'Own WLAN', which indicates the WLAN of the device. Redirection is allowed on any port. raft Select from one of the following:

None - No rule dened Enable - Default setting Prohibited - Traffic Mirroring prohibited for this Filter Rule. Click to add the rule to the lter group. The information is displayed in the role rule table. Click Cancel to discard your changes. Class of Service Traffic Mirror OK Cancel Related Links DPI L7 Conguration Restrictions on page 306 Conguration Rules with L7 Filters on page 307 Application Groups on page 311 Allowing for Restricted Sets of Applications and Resources on page 311 Host Name DNS Support on page 312 Including Custom Apps on page 313 ExtremeWireless V10.41.06 User Guide 310 Application Groups Conguring Roles Advertising Business Applications Certicate Validation Cloud Computing Cloud Storage Corporate Website Databases E-commerce Education Finance Games Health Care Location Services Mail News and Information Peer to Peer Protocols Real Time and Cloud Communications Restricted Content Search Engines Social Networking Software Updates Sports Storage Streaming Travel VPN and Security Web Applications Web Collaboration Web Content Services Web File Sharing All D raft EExtremeWireless Special Purpose Groups Unknown Apps Wild Card Allowing for Restricted Sets of Applications and Resources With the use of two new groups: the Unknown Apps group and the Wild Card group, you can congure policy lters that improve application control. Dened signature rules allow ne-tuning of how to handle traffic for specic applications or traffic categories. The Unknown Apps group allows you to take action on applications that the Deep Packet Inspection

(DPI) sensor does not recognize. When the DPI sensor fails to classify a ow, the ow is automatically ExtremeWireless V10.41.06 User Guide 311 Conguring Roles considered unknown and it is classied as part of the Unknown Apps group. You can assign standard actions (allow, deny, rate limit, etc) to ows belonging to the Unknown Apps group. The Wild Card group makes it simple to allow access to restricted sets of applications and resources. When conguring lters for restrictive sets:

1 Congure the Allowed application lters rst. 2 Congure a Deny lter specifying the Group = Wild Card and Name = All. 3 Congure a Deny lter specifying Group = Unknown Apps and Name = All. Host Name DNS Support When redirecting to an external captive portal (ECP), you can permit end users to log in with their credentials from a third-party site. ExtremeWireless builds a dynamic list of server addresses for sites by monitoring the DNS replies between DNS servers and the mobile user. D DNS Resolution on page 312 Conguring a Host Name Rule on page 312 RRelated Links Congure an Allow lter rule that applies to all learned server addresses for a specic site. The controller and AP handle DNS resolution (mapping of the host name to an IP address) at runtime for third-party login support. DNS resolution is handled by the AP for B@AP topologies and handled by the controller for B@AC and Routed topologies. First, congure a host name pattern in the Custom Application dialog as part of the Layer 7 lter conguration. The ExtremeWireless data plane inspects DNS replies for host name patterns that match the user-congured patterns. When a match is found, the host name IP pair is stored in the database. The data plane only considers the user-congured patterns when inspecting the DNS reply. raft For example, the pattern facebook.com matches any string that ends with facebook.com. Valid matches include any.facebook.com and 1.any.2.facboook.com. Patterns that do not match include: facebook.org.com. A single host name supports multiple IP addresses. The data plane reserves space for up to 128 IP addresses per host name. DNS Resolution Conguring a Host Name Rule DNS-based rules are dened as custom L7 signatures. ExtremeWireless matches the dened pattern to the corresponding IP address. Take the following steps to congure a rule that allows mobile clients to authenticate using credentials from a specic host. 1 Go to VNS > Roles > Policy Rules and click Add. 2 Create a new lter denition. For more information, see Understanding the Filter Rule Denition Dialog on page 302. 3 On the FFilter Rule Denition dialog, select the L7 radio button. 4 Select the link Custom Web Applications. ExtremeWireless V10.41.06 User Guide 312 Conguring Roles 5 Click the plus button and congure the parameters on the CCustom Web Application dialog. Specify Type = Host name. The Host Name type differentiates the denition from other extended signatures. Figure 94: Host Name Rule Conguration D Custom Apps List Use the custom web application denition editor to dene the characteristics of traffic ngerprints used for Deep Packet Inspection and Layer 7 policy enforcement. To add or remove custom Apps from the Filter Rule Denition dialog:

Select Custom Web Applications. 1 2 To add an App, click the plus sign. See Including Custom Apps on page 313. 3 To remove an App, select the App and click the minus sign. 4 Click OK. raft Related Links Understanding the Filter Rule Denition Dialog on page 302 L7 Conguration on page 307 Including Custom Apps on page 313 To add custom apps to the LL7 Filter Rule Denition dialog:

From the FFilter Rule Denition dialog, select L7. 1 2 Click Custom Web Application. Including Custom Apps ExtremeWireless V10.41.06 User Guide 313 Conguring Roles 3 Click the plus sign and enter the following:

Group. Internet applications are organized in groups based on the type or purpose of the application. Once you select an Application Group, the Application Name drop-down is populated with application names that are part of the specied group. The group names are pre-dened standard Extreme Application Analytics signature groups. The group names are case-sensitive. Type. Type of authentication. Valid values are:

Signature. Standard IP address sent in Signature. Layer 3 host name. Authentication based on User Dened IP/subnet parameter in Layer 3 conguration. You can dene up to 64 host name patterns per controller or site. The Matching Pattern is the URL pattern that is associated with the application (case-sensitive, up to 64 characters). D Figure 95: Adding Custom Web Applications raft ExtremeWireless V10.41.06 User Guide 3314 Conguring Roles 4 Click OK. The CCustom Web Application list displays. D Figure 96: Custom Web Applications List raft ExtremeWireless V10.41.06 User Guide 315 Conguring Roles 5 Select the check box and click OK to add the custom app to the Name drop-down eld on the LL7 Conguration dialog. ft Figure 97: L7 Conguration: Custom Apps with hostname rule Related Links Application Groups on page 311 Host Name DNS Support on page 312 Partially Specied Policy A partially specied policy is one that has No change selected for lters, default topology, or default qos. When two policies are applied to a station and one of them is partially specied, the No change settings are overwritten by the settings of the other policy. When a station successfully authenticates ExtremeWireless V10.41.06 User Guide 316 Conguring Roles and is assigned a partially specied policy, the No change elements of the policy are replaced with the corresponding elements of the WLAN Services default authenticated policy. Consider the following example. Suppose a VNS is dened that uses policy P1 for its default non-

authenticated policy and policy P2 for its default authenticated policy. Policy P1 assigns the station to topology T1 and policy P2 assigns the station to topology T2. Suppose there is a policy P3, which has

"No change" set for its topology. A client on the VNS will be assigned to P1 with topology T1 when he rst associates to the VNS. Now suppose the station is assigned P3 by the RADIUS server when the station authenticates. Even though the station is on T1 and P3 has no change set for the topology, the station will be assigned to T2. When the client is authenticated, internally on the controller, the client is rst assigned to P2 then P3 is applied. A similar scenario exists when the hybrid mode policy feature is set to use tunnel-private-group-id to assign both policy and topology but for some reason the VLAN-id-to-Policy mapping table does not contain a mapping for the returned tunnel private group id. In this case a station that successfully authenticates would be assigned the lters and default QoS of the WLAN Services default authenticated policy and the topology with the VLANID contained in the Tunnel-Private-Group-ID of the ACCESS-ACCEPT response. D If this is not the desired behavior, then consider the following:

Avoid using partially specied policies. When the controller is congured to map the VLAN ID in the Tunnel-Private-Group-ID response to a policy using the mapping table, ensure that there is a policy mapping for each VLAN ID that can be returned to the controller by the RADIUS server. raft ExtremeWireless V10.41.06 User Guide 317 7 Conguring WLAN Services WWLAN Services Overview Third-party AP WLAN Service Type Conguring a Basic WLAN Service Conguring Privacy Conguring Accounting and Authentication Conguring QoS Modes Conguring Hotspots WLAN Services Overview D can be part of this WLAN Service. This type of service may be used as a Bridged @ Controller, Bridged @ AP, or Routed VNS. This type of service provides access for mobile stations. Therefore, roles can be assigned to this type of WLAN service to create a VNS. A WLAN (Wireless Local Area Network) Service represents all the RF, authentication and QoS attributes of a wireless access service. The WLAN Service can be one of the following types:

Standard A conventional service. Only APs running Extreme Networks ExtremeWireless software Third Party AP A wireless service offered by third party APs. This type of service provides access for mobile stations. Therefore, roles can be assigned to this type of WLAN service to create a VNS. Dynamic Mesh and WDS (Static Mesh) A group of APs organized into a hierarchy for the purposes of providing a Wireless Distribution Service. This type of service is in essence a wireless trunking service rather than a service that provides access for stations. As such, this service cannot have roles attached to it. raft Remote A service that resides on the edge (foreign) controller. Pairing a remote service with a remoteable service on the designated home controller allows you to provision centralized WLAN Services in the mobility domain. This is known as centralized mobility. The remote service should have the same SSID name and privacy as the home remoteable service. Any WLAN Service/VNS can be a remoteable service, though deployment preference is given to tunneled topologies (Bridged@Controller and Routed). To reduce the amount of information distributed across the mobility domain, you will explicitly select which WLAN Services are available from one controller to any other controller in the mobility domain. The WLAN Service remoteable property is synchronized with the availability peer, making the WLAN service published by both the home and foreign controllers. The following types of authentication are supported for remote WLAN services:

None Guest Portal Internal/External Captive Portal ExtremeWireless V10.41.06 User Guide 318 Conguring WLAN Services Guest Splash AAA/802.1x Third-party AP WLAN Service Type For more information, see Working with Third-party APs on page 561. A third-party AP WLAN Service allows for the specication of a segregated subnet by which non-

Extreme Networks ExtremeWireless APs are used to provide RF services to users while still utilizing the controller for user authentication and user role enforcement. Note Third-party AP devices are not fully integrated with the system and therefore must be managed individually to provide the correct user access characteristics. D The denition of third-party AP identication parameters allows the system to be able to differentiate the third-party AP device (and corresponding traffic) from user devices on that segment. Devices identied as third-party APs are considered pre-authenticated, and are not required to complete the corresponding authentication verication stages dened for users in that segment (typically Captive Portal enforcement). In addition, third-party APs have a specic set of lters (third-party) applied to them by default, which allows the administrator to provide different traffic access restrictions to the third-party AP devices for the users that use those resources. The third-party lters could be used to allow access to third-party APs management operations (for example, HTTP, SNMP (Simple Network Management Protocol)). raft To congure a WLAN service:

Conguring a Basic WLAN Service ExtremeWireless V10.41.06 User Guide 319 Conguring WLAN Services 1 Go to VNS > WLAN Services. Figure 98: Conguring a WLAN Service raft ExtremeWireless V10.41.06 User Guide 3320 Conguring WLAN Services 2 Click New to create a new service. Figure 99: New WLAN Service raft a Enter a name for the WLAN service. b Select the service type. c Change the SSID (optional). d Enable Hotspot functionality (optional). For more information, see Conguring Hotspots on page Synchronize Enable automatic synchronization with its availability peer. Refer to Using the Sync Summary on page 414 for information about viewing synchronization status. If this VNS is part of an availability pair, Extreme Networks recommends that you enable Synchronize. By default the WLAN Service is enabled. Clear this check box to disable the WLAN Service. e The default status of the WLAN service is Synchronized and Enabled. 376. f Click Save. ExtremeWireless V10.41.06 User Guide 3321 Conguring WLAN Services 3 For information about elds and buttons on this page, see Table 53. D Figure 100: WLAN Service Conguration Table 53: WLAN Services Conguration Page FField/Button Description raft Select the type of service to apply to this WLAN service. Options include:

Standard WDS Mesh Third Party AP Remote If you selected Remote as the Service Type, select the Privacy type. If you set Service Type as either Standard or Remote, select Synchronize, in the Status area, if desired. Enabling this feature allows availability pairs to be synchronized automatically Enter a name for this WLAN service The software automatically populates this eld with the WLAN service name that you supply. Optionally, you can change this. If you are creating a remote WLAN service, select the SSID of the remoteable service that this remote service will be paired with. Core Name Service Type SSID ExtremeWireless V10.41.06 User Guide 322 Conguring WLAN Services Table 53: WLAN Services Conguration Page (continued) FField/Button Description Default Topology From the drop-down list, select a precongured topology, topology group, or click New Topology to create a new one. Refer to Conguring a Basic Data Port Topology on page 266 for information about how to create a new topology. A WLAN service uses the topology of the role assigned to the VNS, if such a topology is dened. If the role doesn't dene a topology, you can assign an existing topology as the default topology to the WLAN service. If you choose not to assign a default topology to the WLAN service, the WLAN service will use the topology of the global default policy (by default, Bridged at AP Untagged). Default CoS (Class of Service) D Note: You cannot assign a default topology to a WDS, 3rd party, or remote WLAN service. Note: You cannot assign a default CoS to a WDS, 3rd party, or remote WLAN service. From the drop-down list, select a precongured CoS or click New CoS to create a new one. Refer to Conguring Classes of Service on page 487 for information on how to create a new CoS. A WLAN service uses the CoS of the role assigned to the VNS, if such a CoS is dened. If the role doesn't dene a CoS, you can assign an existing CoS as the default CoS to the WLAN service. If you choose not to assign a default CoS to the WLAN service, the WLAN service will use the CoS of the global default policy (by default, Bridged at AP Untagged). raft When enabled, this option sends a copy of the network packets to a mirroring L2 port for analysis, in an effort to monitor network traffic. The Purview Engine analyses the traffic. The assigned port can only be used for traffic analysis. You can enable traffic mirroring from the WLAN Service, from the Role, or from the Filter Rule. Setting traffic mirroring at the Filter Rule takes precedence over settings for the Role and WLAN Service. The order of precedence for the traffic mirror setting is: Filter Rule, Role, WLAN Service. To set the L2 port, go to VNS > Global > Netow/MirrorN Conguration. Valid values for the WLAN Service are:

Prohibited - Traffic is not copied for this WLAN Service. Enable in both directions Traffic coming from wireless clients and Enable in direction only Traffic generated by wireless clients only is traffic targeted at specic clients is copied. copied. Default Traffic Mirror App Visibility Status Note: Traffic Mirror congured in WLAN service applies to TCP/UDP only. Check this option to enable Application Visibility and Application Enforcement on the specic WLAN. Application Visibility allows the controller to capture throughput and byte statistics for 31 pre-selected application groups per client. The data is refreshed every 2 minutes. Enabling this option increases CPU load. Clear this option when Application Visibility and Application Enforcement is not required. ExtremeWireless V10.41.06 User Guide 323 Conguring WLAN Services Table 53: WLAN Services Conguration Page (continued) FField/Button Description D Synchronize Enable Wireless APs Select APs Radio 1 Radio 2 Ports CAM IoT Synchronize Enable automatic synchronization with its availability peer. Refer to Using the Sync Summary on page 414 for information about viewing synchronization status. If this VNS is part of an availability pair, Extreme Networks recommends that you enable this feature. The WLAN service is enabled by default, unless the number of supported enabled WLAN services has been reached. To disable the WLAN service, clear the check box. Select APs and their radios by grouping. Options include:

all radios Click to assign all of the APs radios. all ports Click to assign all of the AP ports for an AP3912. radio 1 Click to assign only the APs Radio 1. radio 2 Click to assign only the APs Radio 2. local APs - all radios Click to assign only the local APs. local APs - radio 1 Click to assign only the local APs Radio 1. local APs - radio 2 Click to assign only the local APs Radio 2. foreign APs - all radios Click to assign only the foreign APs. foreign APs - radio 1 Click to assign only the foreign APs Radio 1. foreign APs - radio 2 Click to assign only the foreign APs Radio 2. clear all ports Click to clear all of the AP port assignments. clear all selections Click to clear all of the AP radio assignments. original selections Click to return to the AP radio selections prior to raft Supported on the AP3912 and AP3917. Select one or more client ports for each WLAN Service. One WLAN can be assigned per port. The assignment enables the Note: If two controllers have been paired for availability (for more information, see Availability on page 537), each controller's registered APs are displayed as foreign in the list of available APs on the other controller Assign the APs Radios to the service by selecting the individual radios check boxes. Alternatively, you can use the Select APs list. Assign the APs Radios to the service by selecting the individual radios check boxes. Alternatively, you can use the Select APs list. the most recent save. port. Wireless and wired users associated to the same WLAN service receive identical service. They are affected by the same policies and lters. Alternatively, you can use the Select APs list. Camera port for the AP3916ic. For more information, see Assigning WLAN Services to Client Ports on page 170. Client port for the IoT Network Thread, supported on all AP391x models. For more information, see IoT Thread Gateway on page 196. ExtremeWireless V10.41.06 User Guide 324 Conguring WLAN Services Table 53: WLAN Services Conguration Page (continued) FField/Button Description Airtime %

AP Name Advanced New Percentage of airtime. Airtime % is available for AP38xx and AP39xx access point models that are assigned WLANS congured with Reserved Airtime. For more information, see Conguring Airtime Fairness:

Reservation Mode on page 406. Displays the AP name that you assigned on the AAP Properties screen. Click to access the WLAN service advanced conguration options. The Advanced conguration page options are described in Advanced WLAN Service Conguration on page 326. Click to create a new WLAN service. Click to save the changes to this WLAN service. If you are creating a new service, the WWLAN Services conguration window is displayed, allowing you to assign APs to the service. Delete Click to delete this WLAN service. Save D After you have assigned an AP Radio to eight WLAN Services, it will not appear in the list for another WLAN Service setup. Each Radio can support up to eight SSIDs (16 per AP). Each AP can be assigned to any of the VNSs dened within the system. Note If two controllers have been paired for availability each controller's registered wireless APs are displayed as foreign in the list of available APs on the other controller. For more information, see Availability on page 537. raft The controller can support the following active VNSs:

C5110 Up to 128 VNSs C5210 Up to 128 VNSs C5215 Up to 128 VNSs C4110 Up to 64 VNSs C25 Up to 16 VNs C35 Up to 16 VNs V2110 Up to 128 VNSs Note You can assign the Radios of all three AP variants ExtremeWireless Appliance, Outdoor AP, and Wireless 802.11n AP to any VNS. ExtremeWireless V10.41.06 User Guide 325 Conguring WLAN Services Advanced WLAN Service Conguration Table 54: Advanced WLAN Service Conguration Page FField/Button Description Timeout Idle (pre) Idle (post) Specify the amount of time in minutes that a Mobile user can have a session on the controller in pre-authenticated state during which no active traffic is passed. The session will be terminated if no active traffic is passed within this time. The default value is 5 minutes. Specify the amount of time in minutes that a Mobile user can have a session on the controller in authenticated state during which no active traffic is passed. The session will be terminated if no active traffic is passed within this time. The default value is 30 minutes. Specify the maximum number of minutes of service to be provided to the user before the termination of the session. Session D RF - select one or more of the following options:

Suppress SSID Enable 11h support Apply power reduction to 11h clients Process client IE requests Energy Save Mode Select to enable 11h support. By default this option is disabled. It is recommended that you enable this option. Select to prevent this SSID from appearing in the beacon message sent by the AP. The wireless device user seeking network access will not see this SSID as an available choice, and will need to specify it. Select to enable the AP to use reduced power (as does the 11h client). By default this option is disabled. It is recommended that you enable this option. This option is available only if you enable 11h support. raft Select to enable the AP to accept IE requests sent by clients via Probe Request frames and responds by including the requested IEs in the corresponding Probe Response frames. By default this option is disabled. It is recommended that you enable this option. Select to reduce the number of beacons the AP transmits on a BSSID when no client is associated with the BSSID. This reduces both the power consumption of the AP and the interference created by the AP when no client is associated. Select to enable background scan. Optionally, enable Beacon Report and/or Quiet IE. Traffic is ltered as congured. For more information, see Conguring Egress Filtering Mode on page 410. Radio Management (11k) support Egress Filtering Mode Enforce explicitly dened Out rules Apply In rules to out direction traffic The role of the source and destination addresses are reversed. For more information, see Conguring Egress Filtering Mode on page 410. Client Behavior Block MU to MU traffic 802.1D Select the Block Mu to MU traffic check box if you want to prevent two devices associated with this SSID and registered as users of the controller, to be able to talk to each other. The blocking is enforced at the L2 (device) classication level. ExtremeWireless V10.41.06 User Guide 326 Conguring WLAN Services Table 54: Advanced WLAN Service Conguration Page (continued) FField/Button Description 8021D Base Port: xxx Remote Service Remoteable Inter-WLAN Service Roaming Permit Inter-WLAN Service Roaming The 802.1D Base Port number in the 802.1D area is the port number by which Extreme Management Center recognizes the SSID. It is read-

only. Select the check box if you want to pair this service with a remote service. Netow Apply Cancel Conguring Privacy D Unauthenticated Behavior Discard Unauthenticated Traffic Default Non-Authenticated Policy Select to enable a client on a controller to maintain the session, including the IP address and role assignment, while roaming between VNSs having the same SSID and privacy settings. If not selected, when the client roams among VNSs, the existing session terminates and a new session starts with the client having to associated and authenticate again. The list of VNSs that share the same SSID and privacy settings displays below. Select the check box to drop all traffic owing to and from an unauthenticated station. Click to Enable/Disable Netow ag. For more information, see Using Netow/MirrorN on page 419. Select the check box to apply the default non-authenticated policy to all traffic owing to and from an unauthenticated station. raft Click to close the AAdvanced dialog without saving changes. Click to apply changes. Privacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques. The controller provides several privacy mechanism to protect data over the WLAN. The following are privacy options:

None Static Wired Equivalent Privacy (WEP) Keys for a selected VNS, so that it matches the WEP mechanism used on the rest of the network. Each AP can participate in up to 50 VNSs. For each VNS, only one WEP key can be specied. It is treated as the rst key in a list of WEP keys. Dynamic Keys The dynamic key WEP mechanism changes the key for each user and each session. Wi-Fi Protected Access (WPA) version 1 with encryption by temporal key integrity protocol (TKIP) version 2 with encryption by advanced encryption standard with counter-mode/CBC-MAC protocol (AES-CCMP) Wi-Fi Protected Access (WPA) Pre-Shared key (PSK) Privacy in PSK mode, using a Pre-Shared Key (PSK), or shared secret for authentication. WPA-PSK is a security solution that adds ExtremeWireless V10.41.06 User Guide 327 Conguring WLAN Services authentication to enhanced WEP encryption and key management. WPA-PSK mode does not require an authentication server. It is suitable for home or small office. NNote Regardless of the AP model or WLAN Service type, a maximum of 112 simultaneous clients, per radio, are supported by all of the data protection encryption techniques. About Wi-Fi Protected Access (WPA V1 and WPA V2) Note To achieve the strongest encryption protection for your VNS, it is recommended that you use WPA v.1 or WPA v.2. encryption key for every packet (unicast key) or after the specied re-key time interval (broadcast key) expires The encryption portion of WPA v1 is Temporal Key Integrity Protocol (TKIP). TKIP includes:

A per-packet key mixing function that shares a starting key between devices, and then changes their D WPA v1 and WPA v2 add authentication to WEP encryption and key management. Key features of WPA privacy include:

Species 802.1x with Extensible Authentication Protocol (EAP) Requires a RADIUS or other authentication server Uses RADIUS protocols for authentication and key distribution Centralizes management of user credentials raft The encryption portion of WPA v2 is Advanced Encryption Standard (AES). AES includes:

A 128-bit key length, for the WPA2/802.11i implementation of AES Four stages that make up one round. Each round is iterated 10 times. A per-packet key mixing function that shares a starting key between devices, and then changes their standard WEP 4-byte Integrity Check Value (ICV). These integrity codes are used to calculate and compare, between sender and receiver, the value of all bits in a message, which ensures that the message has not been tampered with. A Message Integrity Check or Code (MIC), an additional 8-byte code that is inserted before the An enhanced Initialization Vector (IV) of 48 bits, instead of 24 bits, making it more difficult to encryption key for every packet or after the specied re-key time interval expires. compromise The Counter-Mode/CBC-MAC Protocol (CCMP), a new mode of operation for a block cipher that enables a single key to be used for both encryption and authentication. The two underlying modes employed in CCM include:

Counter mode (CTR) that achieves data encryption Cipher Block Chaining Message Authentication Code (CBC-MAC) to provide data integrity The following is an overview of the WPA authentication and encryption process:

The wireless device client associates with Wireless APs. 1 2 Wireless AP blocks the client's network access while the authentication process is carried out (the controller sends the authentication request to the RADIUS authentication server). ExtremeWireless V10.41.06 User Guide 328 Conguring WLAN Services 3 The wireless client provides credentials that are forwarded by the controller to the authentication server. 4 If the wireless device client is not authenticated, the wireless client stays blocked from network access. 5 If the wireless device client is authenticated, the controller distributes encryption keys to the AP and the wireless client. 6 The wireless device client gains network access via the AP, sending and receiving encrypted data. The traffic is controlled with permissions and role applied by the controller. Wireless 802.11n APs and WPA Authentication protocol. If WPA v.1 is enabled, the wireless AP will advertise TKIP as an available encryption protocol. WPA v.2 If WPA v.2 is enabled, the wireless AP will do the following:

NNote If you congure a WLAN Service to use either WEP or TKIP authentication, any wireless 802.11n AP associated to a VNS using that service will be limited to legacy AP performance rates. D If a VNS is congured to use WPA authentication, any wireless 802.11n AP within that VNS will do the following:

WPA v.1 If WPA v.1 is enabled, the wireless AP will advertise only TKIP as an available encryption Note If WPA v.2 is enabled, the wireless AP does not support the Auto option. raft Note The security encryption for some network cards must not to be set to WEP or TKIP to achieve a data rate beyond 54 Mbps. If WPA v.1 is disabled, the wireless AP will advertise the encryption cipher AES (Advanced Encryption Standard). Wi-Fi Protected Access (WPA v1 and WPA v2) privacy offers you the following key management options:

None The wireless client device performs a complete 802.1x authentication each time it associates or tries to connect to an AP. WPA Key Management Options Opportunistic Keying Opportunistic Keying or opportunistic key caching (OKC) enables the client devices to roam fast and securely from one wireless AP to another in 802.1x authentication setup. ExtremeWireless V10.41.06 User Guide 329 Conguring WLAN Services The client devices that run applications such as video streaming and VoIP require rapid reassociation during roaming. OKC helps such client devices by enabling them to rapidly reassociate with the APs. This avoids delays and gaps in transmission and thus helps in secure fast roaming (SFR). NNote The client devices should support OKC to use the OKC feature in the WLAN. Pre-authentication Pre-authentication enables a client device to authenticate simultaneously with multiple APs in 802.1x authentication setup. When the client device roams from one AP to another, it does not have to perform the complete 802.1x authentication to reassociate with the new AP as it is already pre-authenticated with it. This reduces the reassociation time and thus helps in seamless roaming. Conguring WLAN Service Privacy To congure privacy:

Note The client devices should support pre-authentication to use the pre-authentication feature in the WLAN. D Opportunistic Keying & Pre-auth Opportunistic Keying and Pre-auth options is meant for environments where device clients supporting either authentication method (OKC or Pre-Auth) may be expected. The method that is used in each case is up to the individual client device. 1 From the top menu, click VNS. Then, in the left pane, select WLAN Services. The WWLAN Services window displays. 2 Select the desired service to edit from the left pane. The WWLAN Service conguration page is displayed. raft ExtremeWireless V10.41.06 User Guide 330 Conguring WLAN Services 3 Click the PPrivacy tab, then select the desired privacy method. The WLAN Services Privacy tab displays. Table 55 describes the WLAN services privacy tab elds and buttons. aft Select to congure a WLAN service with no privacy settings. Figure 101: Conguring WLAN Service Privacy Table 55: WLAN Services Privacy Tab - Fields and Buttons Field/Button Description None Static Keys (WEP) WEP Key Index WEP Key Length Select to congure static key (WEP) privacy settings. From the WEP Key Index drop-down list, select the WEP encryption key index. Options are 1 to 4. This eld is available only when conguring static keys. From the WEP Key Length drop-down list, click the WEP encryption key length. Options are: 64-bit, 128-

bit, and 152-bit. This eld is available only when conguring static keys. ExtremeWireless V10.41.06 User Guide 331 Conguring WLAN Services Table 55: WLAN Services Privacy Tab - Fields and Buttons (continued) FField/Button Description Input Method Select one of the following input methods:

Input Hex If you select Input Hex, type the WEP key input in the WEP Key box. The key is generated automatically, based on the input. Input String If you select Input String, type the secret WEP key string used for encrypting and decrypting in the Strings box. The WEP Key box is automatically lled by the corresponding Hex code. WEP Key D Dynamic Keys (WEP) WPA WPA - PSK WPA v.1 This eld is available only when conguring static keys. Type the WEP key using the input method chosen above. Select to congure dynamic keys (WEP) privacy settings. Select to congure WPA privacy settings. Select to congure dynamic keys (WEP) privacy settings. raft Select the check box to enable WPA v.1 encryption, and then select an encryption method:

Auto If you click Auto, the AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). Auto is the default. TKIP only If you click TKIP, the AP advertises TKIP as an available encryption protocol. It will not advertise CCMP. This eld is available only when conguring WPA and WPA - PSK privacy settings. Note: TKIP is no longer a supported conguration. Instead you will be directed to congure WPA/WPA2 mixed mode security. ExtremeWireless V10.41.06 User Guide 332 Conguring WLAN Services Table 55: WLAN Services Privacy Tab - Fields and Buttons (continued) FField/Button Description WPA v.2 Select the check box to enable WPA v.2 encryption, and then select an encryption method:

Auto If you click Auto, the AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). Auto is the default. AES only If you click AES, the AP advertises CCMP as an available encryption protocol. It will not advertise TKIP. This eld is available only when conguring WPA and WPA - PSK privacy settings. TKIP If you click AES, the wireless AP advertises CCMP as an available encryption protocol. D Key Management Options Opportunistic Keying Enables secure fast Pre-authentication Enables seamless roaming. For more information, see Conguring WLAN Service Privacy on page 330. roaming (SFR) of mobile units. For more information, see Conguring WLAN Service Privacy on page 330. Click one of the following key management options:

None The mobile units (client devices) perform a complete 802.1x authentication each time they associate or connect to an AP. raft To enable re-keying after a time interval, select the Broadcast re-key interval box, then type the time interval after which the broadcast encryption key is changed automatically. The default is 3600 seconds. If this check box is not selected, the Broadcast encryption key is never changed and the AP will always use the same broadcast key for Broadcast/

Multicast transmissions which will reduce the level of security for wireless communications. information, see Conguring WLAN Service Privacy on page 330. Opportunistic Keying & Pre-auth For more Select to enable or disable frame protection for WPA v.2 privacy. Broadcast re-key interval Management Frame Protection Fast Transition Input Method Click to Enable for 11r enabled APs. This feature only applies to 37xx and 38xx APs. Select one of the following input methods:

Input Hex If you select Input Hex, type the pre-

shared key as hex characters. Input String If you select Input String, type the pre-shared key as a string of characters. ExtremeWireless V10.41.06 User Guide 333 Conguring WLAN Services Table 55: WLAN Services Privacy Tab - Fields and Buttons (continued) FField/Button Description Pre-shared key String In the Pre-Shared Key box, type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key. To proofread your entry before saving the conguration, click Unmask to display the Pre-Shared Key. To mask the key, click Mask Save Click to save the conguration. Conguring Accounting and Authentication access.) D The next step in conguring a WLAN Service is to set up the authentication mechanism. There are various authentication modes available:

None Internal Captive Portal External Captive Portal GuestPortal GuestSplash Firewall-Friendly External Captive Portal 802.1x authentication (The wireless device user must be authenticated before gaining network Note You cannot congure accounting and authentication for a remote WLAN service. The authentication that you congure for the corresponding remoteable WLAN service applies to the remote WLAN service as well. raft The rst step for any type of authentication is to select RADIUS servers for the following:

Authentication Accounting MAC-based authentication The selected RADIUS servers are displayed in a tri-pane under RADIUS Servers. The RADIUS Server pane changes depending on the Authentication and Accounting methods you enable:

If the Authentication Mode is enabled, the AAuth pane displays. If MAC-based Authentication is enabled, a MMAC pane displays. If RADIUS Accounting is enabled an AAccounting pane displays. For more information, see Selecting RADIUS Servers on page 335. For more information about captive portal, see Conguring Basic Captive Portal Settings on page 349 Related Links Selecting RADIUS Servers on page 335 MAC-Based Authentication for a WLAN Service on page 338 ExtremeWireless V10.41.06 User Guide 334 Conguring WLAN Services Dening Accounting Methods for a WLAN Service on page 336 Selecting RADIUS Servers You have the option to specify up to three RADIUS servers for authentication and accounting. The rst server in the list is the rst active server for both Primary-Backup and Round-Robin. For Primary-

Backup, the rst server is also the primary server. In the event of the rst server fails, the next server in the list (backup server) becomes active. In the case of Round-Robin conguration, each server in the list is contacted in a round-robin fashion starting with the rst server. See Conguring Advanced RADIUS Servers Settings on page 397. To select RADIUS servers for authentication and accounting:

From the top menu, click VNS. 1 2 In the left pane expand the WWLAN Services pane, then click the WLAN Service. The WWLAN Services conguration page is displayed. D 3 Click the AAuth & Acct tab. 4 Select one or more servers. To select a server:

The RRADIUS Selection dialog displays. Click the + sign in the appropriate column heading to select a server for that specic function, or Click Select RADIUS to apply your selection to all three functions. Note Once selected, the server is no longer available in the RADIUS servers selection list. Maximum number of selected servers is three. raft ExtremeWireless V10.41.06 User Guide 335 Conguring WLAN Services 5 Once you have more than one server listed, select a server and click Move Up or Move Down to arrange the order. Dening Accounting Methods for a WLAN Service D 6 To save your changes, click Save. Accounting tracks the activity of wireless device users. There are two types of accounting available:

Controller accounting Enables the controller to generate Call Data Records (CDRs), containing usage information about each wireless session. CDR generation is enabled on a per VNS basis. For more information on CDRs, refer to section Call Detail Records (CDRs) on page 663. raft RADIUS accounting Enables the controller to generate an accounting request packet with an accounting start record after successful login by the wireless device user, and an accounting stop record based on session termination. The controller sends the accounting requests to a remote RADIUS server. Controller accounting creates Call Data Records (CDRs). If RADIUS accounting is enabled, a RADIUS accounting server needs to be specied. From the top menu, click VNS. 1 2 In the left pane expand the WWLAN Services pane, then click the WLAN Service you want to dene To dene accounting methods:

accounting methods for. The WWLAN Services conguration page is displayed. 3 Click the Auth & Acct tab. 4 Select an authentication method under Mode or click Enable MAC-based authentication. The Enable RADIUS Accounting check box displays. ExtremeWireless V10.41.06 User Guide 336 Conguring WLAN Services 5 In the Accounting column, select the RADIUS server. For more information, see Selecting RADIUS Servers on page 335. NNote The RADIUS servers are dened on the GGlobal Settings screen. For more information, see Dening RADIUS Servers and MAC Address Format on page 394. Note When multiple RADIUS servers are congured for a WLAN Service, Accounting packets are sent to the primary RADIUS server only. The secondary servers are used as fail over when necessary. When upgrading to v10.31.02, the previous behavior of sending Accounting packets to all servers is maintained. 6 One a server is selected, click Congure. 7 The RRADIUS Parameters dialog is displayed. D The congured values for the selected server are displayed in the table at the top. raft Figure 102: RADIUS Parameters dialog 8 For NAS IP Address, accept the default of Use VNS IP address or de-select the check box and type the IP address of a Network Access Server (NAS). 9 For NAS Identier, accept the default of Use VNS name or type the Network Access Server (NAS) identier. The NAS identier is a RADIUS attribute that identies the server responsible for passing information to designated RADIUS servers and then acting on the response returned. 10 For Auth. type, select the Protocol using the drop down list. Choices are PAP, CHAP, MS-CHAP, or 11 MS-CHAP2. In the Password box, type the password that will be passed to RADIUS for wireless MAC authentication. To proofread your shared secret key, click Unmask. The password is displayed. 12 Click OK. ExtremeWireless V10.41.06 User Guide 337 Conguring WLAN Services 13 To enable controller accounting, select Collect Accounting Information of Wireless Controller. 14 To save your changes, click Save. Conguring Authentication for a WLAN Service 802.1x Authentication If 802.1x authentication mode is congured, the wireless device must successfully complete the user authentication verication prior to being granted network access. This enforcement is performed by both the user's client and the AP. The wireless device's client utility must support 802.1x. The user's EAP packets request for network access along with login identication or a user prole is forwarded by the controller to a RADIUS server. External Captive Portal After an external server displays the Captive Portal Web page and Captive Portal Authentication For Captive Portal authentication, the wireless device connects to the network, but can only access the specic network destinations dened in the non-authenticated lter. For more information, see Policy Rules on page 288. One of these destinations should be a server, either internal or external, which presents a Web login page the Captive Portal. The wireless device user must input an ID and a password. This request for authentication is sent by the controller to a RADIUS server or other authentication server. Based on the permissions returned from the authentication server, the controller implements role and allows the appropriate network access. D External Captive Portal with internal authentication After an external server displays the Captive Portal Web page, the controller carries out the authentication and implements role. Captive Portal authentication relies on a RADIUS server on the enterprise network. There are three mechanisms by which Captive Portal authentication can be carried out:

Internal Captive Portal The controller displays the Captive Portal Web page, carries out the authentication, and implements role. raft Authentication RADIUS servers are congured to provide authentication. MAC authentication RADIUS servers are congured to provide MAC-based authentication. Accounting RADIUS servers are congured to provide accounting services. MAC-based authentication MAC-based authentication enables network access to be restricted to specic devices by MAC address. The controller queries a RADIUS server for a MAC address when a wireless client attempts to connect to the network. RADIUS servers RADIUS servers can perform the following for a WLAN Service:

carries out the authentication, the controller implements role. MAC-Based Authentication for a WLAN Service MAC-based authentication can be set up on any type of WLAN Service. To set up a RADIUS server for MAC-based authentication, you must set up a user account with UserID=MAC and Password=MAC (or a password dened by the administrator) for each user. Specifying a MAC address format and role depends on which RADIUS server is being used. If MAC-based authentication is to be used in conjunction with the 802.1x or Captive Portal authentication, an additional account with a real User ID and Password must also be set up on the RADIUS server. MAC-based authentication responses may indicate to the controller what VNS a user should be assigned to. Authentication (if enabled) can apply on every roam. ExtremeWireless V10.41.06 User Guide 3338 Conguring WLAN Services RRelated Links Conguring MAC-Based Authentication on page 339 Conguring MAC-Based Authentication This topic outlines the MAC-Based Authentication settings. Click the Congure button to open the MMAC-Based Authorization dialog. D Figure 103: MAC-Based Authorization Conguration Table 56: MAC-Based Authorization Conguration - Fields and Buttons Field/Button Description MAC-based authorization on roam raft Select method for MAC-based authorization:

Never: disables the feature On inter-AP roam: enables MAC-based authorization on roam. On inter-Area roam: enables MAC-based authorization sent to the RADIUS server on area roams. Note: Enable this option if you want your clients to be authorized every time they roam to another AP or area. If this option is not enabled, and MAC-based authentication is in use, the client is authenticated only at the start of a session. Select to automatically authenticate authorized users. When set, a station that passes MAC-based authentication is treated as fully authorized. For example, its authentication state is set to fully authenticated. This can trigger a change to the role applied to the station. If Captive Portal authentication is also congured on the WLAN Service, a station that passes MAC-based authentication will not have to pass Captive Portal authentication as well. Automatically Authenticate Authorized Users Allow Un-Authorized Users Select to allow un-authorized users which permits stations that do not pass MAC-based authentication to stay on the network in an un-

authorized state. The station can be conned to a Walled Garden by its assigned role. If Captive Portal authentication is also congured on the WLAN Service, a station that fails MAC-based authentication can still become authorized by passing Captive Portal authentication. ExtremeWireless V10.41.06 User Guide 339 Conguring WLAN Services Table 56: MAC-Based Authorization Conguration - Fields and Buttons (continued) FField/Button Description RADIUS accounting begins after MAC-

based authorization completes Select to delay RADIUS accounting until after MAC-based authorization is complete. RADIUS Server Timeout Role Select a Radius Server Timeout Role from the drop-down list. Assigning RADIUS Servers for Authentication To assign RADIUS servers for authentication:

From the top menu, click VNS. 1 2 In the left pane expand the WLAN Services pane, then click the WLAN Service. 3 Click the Auth & Acct tab. D Figure 104: Auth & Acct Tab ExtremeWireless V10.41.06 User Guide 340 Conguring WLAN Services Table 57: WLAN Services Auth & Acct Tab - Fields and Buttons FField/Button Description Authentication Mode Select an authentication mode from the drop-down list:

Disabled 802.1x Internal External Firewall Friendly External Guest Portal Guest Splash Collect Accounting Information of Wireless Controller Congure Enable MAC-based authentication D RADIUS Servers Click to congure the selected mode. For more information, see Conguring Accounting and Authentication on page 334. Select to enable the RADIUS server to perform MAC-based authentication for the VNS with Captive Portal. Select this check box to enable Controller accounting. To select a server, see Selecting RADIUS Servers on page 335. The RADIUS servers are dened on the GGlobal Settings screen. For more information, see Dening RADIUS Servers and MAC Address Format on page 394. Note Both MAC-based Authorization settings work together so that a station can be allowed onto a WLAN Service if it passes MAC-based authentication or Captive Portal authentication. Owners of known stations do not have to enter credentials and owners of unknown stations can get onto the network, if authorized, via Captive Portal. raft ExtremeWireless V10.41.06 User Guide 341 Conguring WLAN Services 4 Click the Radius TLVs button to open the RADIUS Access-Request Message Options dialog. Figure 105: RADIUS Access Request Message Options raft Select the appropriate check boxes to include the Vendor Specic Attributes (VSAs) in the message to the RADIUS server:

Ingress Rate Control Egress Rate Control Topology Name Role Name VNS Name AP Name SSID For more information, see Dening Common RADIUS Settings on page 344. Table 58: RADIUS TLVs Dialog - Fields and Buttons FField/Button Description VSAs Vendor-Specic-Attributes in RADIUS Requests Optional TLVs Chargeable-User-Identity Select to NOT return a Chargeable-User-Identity attribute for the RADIUS Server. ExtremeWireless V10.41.06 User Guide 342 Conguring WLAN Services Table 58: RADIUS TLVs Dialog - Fields and Buttons (continued) FField/Button Description Select to enable feature. Treat Access-Accept without Chargeable-User-Identity attribute as Access-Reject Zone Support RADIUS Request Call Station ID Options:

Replace BSSID with Zone name Selecting this check box to allows the RADIUS client to send the AP Zone name as the BSSID instead of the radio MAC address. This feature can be enabled regardless of whether the Site is using centrally located or local RADIUS servers. Zone name is limited to 32 bytes. Each AP can have its own Zone label although it is often useful to assign the same Zone to multiple APs. Dening the RADIUS Server Priority for RADIUS Redundancy Operator Name Replace BSSID with AP Ethernet MAC D Selecting this check box allows the RADIUS client to send the AP Ethernet MAC as the BSSID instead of the radio MAC address. This feature can be enabled regardless of whether the Site is using centrally located or local RADIUS servers. The AP MAC address value is always the AP LAN1 MAC address. 5 To save your changes, click Save. Select the name of the user assigned to this RADIUS server from the drop-down list. Once a name is selected, a text box displays to allow text to be entered. raft You have the option to specify up to three RADIUS servers for authentication and accounting. The rst server in the list is the rst active server for both Primary-Backup and Round-Robin. For Primary-

Backup, the rst server is also the primary server. In the event of the rst server fails, the next server in the list (backup server) becomes active. In the case of Round-Robin conguration, each server in the list is contacted in a round-robin fashion starting with the rst server. See Conguring Advanced RADIUS Servers Settings on page 397. If more than one server has been dened for any type of authentication or accounting, you can dene the priority of the servers. If all dened RADIUS servers fail to respond, a critical message is generated in the logs. To dene the RADIUS server priority for RADIUS redundancy:

From the top menu, click VNS. 1 2 In the left pane expand the WWLAN Services pane, then click the WLAN Service. The WWLAN Servicesconguration page is displayed. 3 Click the Auth & Acct tab. 4 Select one or more servers. See Selecting RADIUS Servers on page 335. ExtremeWireless V10.41.06 User Guide 343 Conguring WLAN Services 5 Once you have more than one server listed, select a server and click Move Up or Move Down to arrange the order. Conguring Assigned RADIUS Servers D 6 To save your changes, click Save. Conguring assigned RADIUS servers for a VNS can include the following:

Dening Common RADIUS Settings on page 344 Dening RADIUS Settings for Individual RADIUS Servers on page 345 Testing RADIUS Server Connections on page 346 Viewing the RADIUS Server Conguration Summary on page 347 Removing an Assigned RADIUS Server from a WLAN Service on page 348 raft 1 2 In the left pane expand the WLAN Services pane, then click the WLAN Service. The WWLAN Services To Dene Common RADIUS Settings:

From the top menu, click VNS. conguration page is displayed. Dening Common RADIUS Settings 3 Click the Auth & Acct tab. 4 In the RADIUS Servers section, click the Radius TLVs button and select the appropriate check boxes to include the Vendor Specic Attributes in the message to the RADIUS server. For more information, see Vendor Specic Attributes on page 344. 5 To save your changes, click Save. Vendor Specic Attributes In addition to the standard RADIUS message, you can include Vendor Specic Attributes (VSAs). The ExtremeWireless authentication mechanism provides VSAs for RADIUS and other authentication mechanisms (see Table 59.) ExtremeWireless V10.41.06 User Guide 344 Table 59: Vendor Specic Attributes AAttribute Name Type ID Messages AP-Name AP-Serial AP Ethernet MAC AP Location 2 3 string string string string Sent to RADIUS server Sent to RADIUS server Sent to RADIUS server Sent to RADIUS server Conguring WLAN Services Description The name of the AP the client is associating to. It can be used to assign role based on AP name or location. The AP serial number. It can be used instead of (or in addition to) the AP name. The MAC address of the AP used by the ECP to determine client location. The physical location of the AP. Provided by the network administrator. The name of the Virtual Network the client has been assigned to. It is used in assigning role and billing options, based on service selection. VNS-Name 4 string Sent to RADIUS server D Sent to RADIUS server string SSID 5 BSS-MAC Role-Name Topology-Name Ingress-RC-Name Egress-RC-Name 7 8 6 string string string Sent to RADIUS server Sent to RADIUS server The name of the role applied to the stations session. The name of the SSID the client is associating to. It is used in assigning role and billing options, based on service selection. The name of the BSS-ID the client is associating to. It is used in assigning role and billing options, based on service selection and location. raft The name of the topology applied to the stations session. The name of the rate limit applied to the stations sessions outbound traffic. The name of the rate limit applied to the stations sessions inbound traffic. Sent to RADIUS server Sent to RADIUS server Sent to RADIUS server string string 10 9 Note Siemens-URL-Redirection is supported by MAC-based authentication. The RADIUS message also includes RADIUS attributes Called-Station-Id and Calling-Station-Id to include the MAC address of the wireless device. Dening RADIUS Settings for Individual RADIUS Servers To dene RADIUS settings for individual RADIUS servers:

From the top menu, click VNS. 1 2 In the left pane expand the WWLAN Services pane, then click the WLAN Service. The WWLAN Services conguration page is displayed. 3 Click the AAuth & Acct tab. ExtremeWireless V10.41.06 User Guide 345 Conguring WLAN Services 4 In the Server table, click the RADIUS server you want to dene, and then click Congure. The RADIUS Parameters dialog is displayed. D the IP address of a Network Access Server (NAS). MS-CHAP2. 8 In the Password box, type the password that will be used to validate the connection between the 5 For NAS IP Address, accept the default of Use VNS IP address or de-select the check box and type controller and the RADIUS server. To proofread your shared secret key, click Unmask. The password is displayed. 6 For NAS Identier, accept the default of Use VNS name or type the Network Access Server (NAS) identier. The NAS identier is a RADIUS attribute that identies the server responsible for passing information to designated RADIUS servers and then acting on the response returned. 7 For Auth. type, select the Protocol using the drop down list. Choices are PAP, CHAP, MS-CHAP, or raft From the top menu, click VNS. 1 2 In the left pane expand the WWLAN Services pane, then click the WLAN Service. The WWLAN Services 9 Click OK. 10 To save your changes, click Save. conguration page is displayed. 3 Click the AAuth & Acct tab. Testing RADIUS Server Connections To test RADIUS server connections:

ExtremeWireless V10.41.06 User Guide 346 Conguring WLAN Services 4 In the Server table, click the RADIUS server whose connection you want to test, and then click Test. D The RADIUS test is a test of connectivity to the RADIUS server, not of full RADIUS functionality. The controllers RADIUS connectivity test initiates an access-request, to which the RADIUS server will respond. If a response is received (either access-reject or access-accept), then the test is deemed to have succeeded. If a response is not received, then the test is deemed to have failed. In either case, the test ends at this point. raft If the WLAN Service Authentication mode is Internal or External Captive Portal, or if MAC-Based Authorization is selected, then this test can also test a user account congured on the RADIUS server. In these cases, if proper credentials are lled in for User ID and Password, an access-accept could be returned. 5 In the User ID box, type the user ID that you know can be authenticated. 6 In the Password box, type the corresponding password. A password is not required for a AAA VNS. 7 Click Test. The TTest Result screen displays. 8 Click Close after reviewing the test results. 9 To save your changes, click Save. If the WLAN Service Authentication mode is 802.1x, however, an Access-Reject is expected if the RADIUS server is accessible, and the test is considered a success. Figure 106: Test RADIUS Server Viewing the RADIUS Server Conguration Summary To view the RADIUS server conguration summary:

From the top menu, click VNS. 1 2 In the left pane expand the WWLAN Services pane, then click the WLAN Service. The WWLAN Services conguration page is displayed. 3 Click the AAuth & Acct tab. ExtremeWireless V10.41.06 User Guide 347 Conguring WLAN Services 4 In the Server table, click a RADIUS server whose conguration summary you want to view, and then click Summary. The RRADIUS Summary screen displays. Figure 107: RADIUS Summary 5 Click Close. 6 To save your changes, click Save. D Removing an Assigned RADIUS Server from a WLAN Service To remove an assigned RADIUS Server from a WLAN Service:

then click Remove. The RADIUS server is removed from the VNS. From the top menu, click VNS. 1 2 In the left pane expand the WWLAN Services pane and click the WLAN Service you want to dene accounting methods for. 3 Click the AAuth & Acct tab. 4 In the Server table, click the assigned RADIUS server that you want to remove from the VNS, and raft A WLAN Service with no authentication can still control network access using policy rules. For more information on how to set up policy rules that allow access only to specied IP addresses and ports, see Policy Rules on page 288. You can set up a WLAN Service that will bypass all authentication mechanisms and run the ExtremeWireless Appliance with no authentication of a wireless device user. 5 Click Save. Dening a WLAN Service with No Authentication To dene a WLAN Service with No Authentication:

From the top menu, click VNS. 1 2 In the left pane expand the WWLAN Services pane, then click the WLAN Service you want to congure or click New. 3 Congure the service as described in WLAN Services Overview on page 318. 4 Click the AAuth & Acct tab. 5 From the Authentication Mode drop-down list, select Disabled. 6 Click Save. ExtremeWireless V10.41.06 User Guide 348 Conguring WLAN Services Conguring Captive Portal for Internal or External Authentication Captive Portal allows you to require network users to complete a dened process, such as logging in or accepting a network usage role, before accessing the Internet. The Captive Portal options are:

802.1x - Dene the parameters of the external Captive Portal page displayed by an external server. The authentication can be carried out by an external authentication server or by the controller request to a RADIUS server. Internal Captive Portal Dene the parameters of the internal Captive Portal page displayed by the controller, and the authentication request from the controller to the RADIUS server. External Captive Portal Dene the parameters of the external Captive Portal page displayed by an external server. The authentication can be carried out by an external authentication server or by the appliance request to a RADIUS server. wireless device users with temporary guest network services. Firewall Friendly External Dene the parameters of the Firewall Friendly Captive Portal page displayed by an external server. This parameter minimizes the need to open rewall ports and any device on the secure side is allowed to connect to the Internet on port 80, 443. D Guest Splash Dene the parameters of the Guest Splash page displayed by the controller. These GuestPortal Dene the parameters for a GuestPortal Captive Portal page. A GuestPortal provides parameters are similar to those for an internal Captive Portal page, except that the options to congure the labels for user id and password elds are not present since login information is not required when the user is re-directed to the authorization web page. This type of Captive Portal could be used where the user is expected to read and accept some terms and conditions before being granted network access. raft 1 2 In the left pane expand the WWLAN Services pane, then click the WLAN Service. The WWLAN Services When conguring captive portal, different settings become available depending on the captive portal option you choose. To congure the captive portal settings:

From the top menu, click VNS. conguration page is displayed. Conguring Basic Captive Portal Settings ExtremeWireless V10.41.06 User Guide 349 Conguring WLAN Services 3 Click the AAuth & Acct tab. Figure 108: Conguring Basic Captive Portal 4 In the Authentication Mode drop-down list, select a Captive Portal option. aft Disabled 802.1x Internal External Firewall Friendly External Guest Portal Note You must congure a Guest Portal before Guest Portal appears as a Captive Portal option. Only one WLAN Service can be congured for Guest Portal on a VNS. Guest Splash ExtremeWireless V10.41.06 User Guide 350 Conguring WLAN Services 5 Click Congure. The Captive Portal conguration page displays. The page display differs depending on the mode that you have selected:

Internal and Splash modes, see Conguring Internal Captive Portal and Guest Splash on page 359 External and 802.1x modes, see Conguring External and Mode 802.1 Captive Portal on page 351 Guest Portal mode, see Conguring Guest Portal on page 360 Firewall Friendly External Captive Portal mode, see Conguring Firewall Friendly External Captive Portal on page 353. CConguring External and Mode 802.1 Captive Portal D raft In the drop-down list, click the IP address of the external Web server. and then enter the port of the controller. If there is an authentication server congured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the controller to allow the controller to continue with the RADIUS authentication and ltering. Figure 109: Captive Portal Page for External and 802.1x Modes Table 60: External Captive Portal Page - Fields and Buttons Field/Button Description Session Control Interface EWC Connection Enable HTTPS support Select Enable https support if you want to enable HTTPS support

(TLS/SSL) for this external captive portal. This has no impact on the traffic exchanged between users browsers and the External Captive Portal. When enabled, this option protects the session control traffic between the external captive portal and the controller from being read by a third party. This is particularly useful when a dedicated network management VLAN (Virtual LAN) is unavailable to carry the session control traffic. For more information, see the Integration Guide. ExtremeWireless V10.41.06 User Guide 351 Conguring WLAN Services Table 60: External Captive Portal Page - Fields and Buttons (continued) FField/Button Description Encryption D Select the data encryption to use. Options are:

Noneno encryption is performed. If the HTTPS option is not enabled, session control messages are sent in plain text over the network. Legacyboth the ECP and the controller are expected to use simple message encryption based on MD5 (Message-Digest algorithm 5). Frames are encrypted by Xoring session control message payload with a keystream generated from an MD5 hash of a shared key. This is a weak encryption algorithm and is only supported for backward compatibility. If encryption is needed, consider using the option below. AESsession control messages sent by the controller and ECP are encrypted with the Advanced Encryption Standard based on the Rijndael cipher. AES encryption is considerably more secure than legacy encryption. If encryption is enabled then a shared key must be entered. Note: Using the encryption option has one advantage over using the HTTPS option alone. When HTTPS is enabled, the ECP can authenticate the controllers certicate, but the controller does not ask the client to provide one. Consequently, HTTPS does not prevent unauthorized users from sending messages to the session control interface. Because the encryption option is based on a shared key, the encryption provides a form of authentication. If the controller can decrypt the payload of a session control message, then it is has reason to believe the message came from the external captive portal. raft Type the password common to both the controller and the external web server if you want to encrypt the information passed between the controller and the external web server. If encryption is enabled then a shared key must be entered. A shared key is a string that both the controller and the ECP use to encrypt and decrypt session control messages. The shared key must be between 16 and 64 characters long. For better security, use a long key composed of randomly selected characters. The Redirection URL eld contains the URL to which the controller will redirect all blocked, unauthenticated HTTP traffic on this WLAN Service, or traffic that has been explicitly congured for redirection, depending on your conguration. This should be the URL of the page that will prompt the user to authenticate. If using host name rules, the redirection url can be the congured host name. The redirected browser will issue a get to the ECP for this URL. The Redirection URL:

Can begin with http:// or https://. Must end with a ? or &. Use & if the base URL contains some query strings. Shared Secret Redirection URL Note: The Redirection URL does not support IPv6. ExtremeWireless V10.41.06 User Guide 352 Conguring WLAN Services Table 60: External Captive Portal Page - Fields and Buttons (continued) FField/Button Description Add EWC IP & Port to redirection URL The Add HWC IP & Port to redirection URL option is useful if the external captive portal serves more than one controller. An ECP must send its session control messages to the controller hosting the controlled session. If an ECP serves more than one controller, then the Add HWC IP & Port to redirection URL option must be used to identify the source of the redirection. The ECP should store the controller address and port with the token and other session details so that it is available throughout the authentication process. Special ToS override for NAC Related Links Allows for ToS marking results in redirection to a captive portal via a NAC server. Close Cancel D Click to discard the congurationDDNote Click to save your changes and close this page. Conguring Basic Captive Portal Settings on page 349 Policy Rules on page 288 You must add a role rule to the non-authenticated lter that allows access to the external Captive Portal site. For more information, see Policy Rules on page 288. raft The Congure button is enabled. for Authentication on page 340. From the AAuth & Account tab, in the Mode eld, select Firewall Friendly External . 3 Congure RADIUS servers for authentication. For more information, see Assigning RADIUS Servers This task describes how to congure a Firewall Friendly External Captive Portal. 1 2 Click Save. Conguring Firewall Friendly External Captive Portal ExtremeWireless V10.41.06 User Guide 353 Conguring WLAN Services 4 Click Congure. Figure 110: Conguring Firewall Friendly External Captive Portal ExtremeWireless V10.41.06 User Guide 3354 Conguring WLAN Services ExtremeWireless offers a scalable external captive portal (ECP) solution on the AP that can be managed locally or through a Cloud solution, in addition to the controller based ECP. The following table illustrates the WLAN redirection conguration options for the AP and the controller. Each setting is identied as mandatory or optional for redirection on the AP or on the controller. For more information about conguring ECP on an AP, see Conguring a Captive Portal on an AP on page 222. Table 61: Firewall Friendly External Captive Portal FField/Button Description Redirect to External Captive Portal Redirection at the AP Redirection at the Controller Identity Type the name common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server. D Shared Secret Optional Mandatory Required for signing the redirected URL. If you do not congure the Identity, the redirector on the AP drops the traffic. Redirection URL EWC IP and Port Optional Mandatory Type the URL to which the wireless device user will be directed to after authentication. Mandatory Required for signing the redirected URL. If you do not congure the Shared Secret, the redirector on the AP drops the traffic. Type the password common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server. raft Note: Ensure the request does not exceed the browser character limit. Older browsers limit requests to 255 characters. Newer browsers allow up to 2048 characters. The Redirection URL does not support IPv6. IP address and Port number Mandatory Mandatory By default, this option is enabled. The IP address and port of the AP are always URL parameters. A deployment will have multiple APs. The IP address and port communicate to the External Captive Portal through the client, identifying which AP is redirecting the client. Optional This option is not required when the deployment includes only one controller. However, we recommend enabling this option when the deployment includes multiple controllers. ExtremeWireless V10.41.06 User Guide 355 Conguring WLAN Services Redirection at the Controller Optional You can enable this setting if the deployment uses a single controller. Optional Optional N/A AP has this information locally. N/A AP has this information locally. Table 61: Firewall Friendly External Captive Portal (continued) FField/Button Description Redirection at the AP Replace EWC IP with EWC FQDN Use controller's Fully-Qualied Domain Name instead of IP address. Not supported AP Name and Serial Number Name and Serial Number of AP AP Ethernet MAC MAC address of the AP AP Location D Text string used to describe physical AP location. Associated BSSID of AP Associated BSSID Optional Optional Optional Optional Virtualized Network Service Name N/A AP has this information locally. raft Optional For non-site deployments, the VNS Name is not available on the AP. Therefore, it must be included in the mobile user associated response or as part of the mobile user update requirement from the controller. N/A AP has this information locally. N/A AP has this information locally. Media Access Control Address Service Set Identier Optional Optional Optional VNS Name SSID Station MAC Address Currently Assigned Role Optional For non-site deployments, the Assigned Role is not available on the AP. Therefore, it must be included in the mobile user associated response or as part of the mobile user update requirement from the controller. ExtremeWireless V10.41.06 User Guide 356 Table 61: Firewall Friendly External Captive Portal (continued) FField/Button Description Redirection at the AP Containment VLAN of Assigned Role Conguring WLAN Services Optional For non-site deployments, the Assigned Role is not available on the AP. Therefore, it must be included in the mobile user associated response or as part of the mobile user update requirement from the controller. Redirection at the Controller Optional Optional Signature Timestamp D Timestamp (in UTC) Mandatory The timestamp (in UTC) is always included, because it prevents replay attacks of a recorded redirected URL. The AP must have access to UTC time, which is provided by the controller. raft Optional Signature is included when full authentication is employed. If conguring a RADIUS authentication server, clear the Signature check box. The Signature option is the ag that indicates how authentication is achieved. Optional Optional Redirect From External Captive Portal Use HTTPS for Users Connections Select this option to use HTTPS instead of HTTP. The default state will be set for HTTPS. This applies to both new WLAN Services and WLAN Services that existed prior to upgrading to V9.15 and later. Optional The AP presents a self-

signed certicate that triggers a warning page in most browsers. The AP does not support installing signed certicates from a trusted certicate authority. ExtremeWireless V10.41.06 User Guide 357 Conguring WLAN Services Redirection at the Controller Optional The session management page does include a button to terminate the users session. Mandatory The session management page can contain a link to the original URL that was served when it was redirected. The session management page includes a button to terminate the users session. The only way the client can come directly to this page is by replaying the redirection URL from the External Captive Portal within the grace period measured by the timestamp. Table 61: Firewall Friendly External Captive Portal (continued) FField/Button Description Redirection at the AP Send Successful Login to:

Select the IP address of the external Web server, and then enter the port of the controller. D View Sample Displays an example format of the redirection URL that the controller/AP expects to receive (indirectly) from the ECP. If the WLAN Service is part of a VNS or has a default topology, then the server portion of the URL contains the IP address of the controller/AP. The query string is populated with realistic but ctional data. This information is provided to assist in developing the ECP program. raft ExtremeWireless V10.41.06 User Guide 358 CConguring Internal Captive Portal and Guest Splash Conguring WLAN Services D Figure 111: Captive Portal Page Conguration Page for Internal and Guest Splash Modes Table 62: Captive Portal Page Conguration Page for Internal and Guest Splash Modes - Fields and Buttons Field/Button Description raft Select this option to use HTTPS instead of HTTP. The default state will be set for HTTPS. This applies to both new WLAN Services and WLAN Services that existed prior to upgrading to V9.01 and later. Click to congure error messages that may display on the internal captive portal page. The Message Conguration page displays. See Conguring Error Messages on page 363. Type the appropriate name if a Fully Qualied Domain Name (FQDN) is used as the gateway address. Message Conguration Congure Communication Options Use HTTPS for Users Connections Replace Gateway IP with FDQN Send Successful Login To:

Manual Settings Select this option if you want to manually dene the elements on the Captive Portal page. When you select this option, you enable the Launch Captive Portal Editor button. ExtremeWireless V10.41.06 User Guide 359 Conguring WLAN Services Table 62: Captive Portal Page Conguration Page for Internal and Guest Splash Modes - Fields and Buttons (continued) FField/Button Description Use Zip File Select this option to upload a zip le that contains custom Captive Portal content. The zip le you upload must have a at structure it cannot contain any sub-directories. The contents of the zip must adhere to the following le formats:

Content to be used in the captive portal login page must be in a Content to be used in the captive portal index page must be in a le named login.htm le named index.htm. The number of graphics and the size of the graphics is unlimited, and can be either .gif, .jpg, or .png. Click the Browse button and navigate to the zip le to use for setting up the captive portal. Upload Zip File D View Sample Login Page View Sample Index Page Download Launch Captive Portal Editor Click to view the sample login page for this captive portal. Click to view the sample index page for this captive portal. Click to download the specied zip le. The File Download page displays. Click to launch the Captive Portal Editor. Using the Captive Portal Editor, you can congure the elements on the captive portal page. This button becomes available when you select the Manual Setting radio button. raft Click to discard your conguration changes and close this page. Note You must congure a Guest Portal before Guest Portal appears as a Captive Portal option. Only one WLAN Service can be congured for Guest Portal on a VNS. Click to save your changes and close this page. Close Cancel Conguring Guest Portal ExtremeWireless V10.41.06 User Guide 360 Conguring WLAN Services aftFigure 112: Captive Portal Page for Guest Portal Mode Table 63: Congure Internal Captive Portal Page - Fields and Buttons FField/Button Click to add and congure guest user accounts. The Manage Guest Users page displays. For information about adding and managing guest users, see Working with GuestPortal Administration on page 690. Guest Portal - this section becomes available only when conguring a Guest Portal. Manage Guest Users Description Congure Ticket Page Congure Password Generator Click to congure the guest portal ticket. The Congure ticket page displays. For information about how to congure and activate guest portal ticket pages, see Working with GuestPortal Administration on page 690. Click to congure the guest password. The Congure Password Generator page displays. For information about how to congure and activate guest passwords, see Conguring Guest Password Patterns on page 701 ExtremeWireless V10.41.06 User Guide 361 Conguring WLAN Services Table 63: Congure Internal Captive Portal Page - Fields and Buttons (continued) FField/Button Description Account Lifetime Guest Admin Can Set Account Lifetime Maximum Session Lifetime User ID Prex Type the account lifetime, in days, for the guest account. A value of 0 species no limit to the account lifetime. Select to enable the guest administrator to set the amount of time for which this account will be active. Type the maximum session lifetime, in hours, for the guest account. The default 0 value does not limit a session lifetime. The session lifetime is the allowed cumulative total in hours spent on the network during the account lifetime. Type a prex that will be added to all guest account user IDs. The default is Guest. Type a minimum password length that will be applied to all guest accounts. Minimum Password Length D Message Conguration Congure Communication Options Use HTTPS for Users Connections Replace Gateway IP with FDQN Send Successful Login To:

Manual Settings Use Zip File Type the appropriate name if a Fully Qualied Domain Name (FQDN) is used as the gateway address. Click to congure error messages that may display on the internal captive portal page. The Message Conguration page displays. See Conguring Error Messages on page 363. Select this option to use HTTPS instead of HTTP. The default state will be set for HTTPS. This applies to both new WLAN Services and WLAN Services that existed prior to upgrading to V9.01 and later. raft Select this option to upload a zip le that contains custom Captive Portal content. The zip le you upload must have a at structure it cannot contain any sub-directories. The contents of the zip must adhere to the following le formats:

Content to be used in the captive portal login page must be in a Select this option if you want to manually dene the elements on the Captive Portal page. When you select this option, you enable the Launch Captive Portal Editor button. Content to be used in the captive portal index page must be in a le named login.htm le named index.htm. The number of graphics and the size of the graphics is unlimited, and can be either .gif, .jpg, or .png. Upload Zip File View Sample Login Page View Sample Index Page Download Click the Browse button and navigate to the zip le to use for setting up the captive portal. Click to view the sample login page for this captive portal. Click to view the sample index page for this captive portal. Click to download the specied zip le. The File Download page displays. ExtremeWireless V10.41.06 User Guide 362 Conguring WLAN Services Table 63: Congure Internal Captive Portal Page - Fields and Buttons (continued) FField/Button Description Launch Captive Portal Editor Close Cancel Conguring Error Messages Click to launch the Captive Portal Editor. Using the Captive Portal Editor, you can congure the elements on the captive portal page. This button becomes available when you select the Manual Setting radio button. Click to save your changes and close this page. Click to discard your conguration changes and close this page. You can congure informational and error messages that a user may encounter when trying to access a captive portal. To congure error and informational messages:

D From the top menu, click VNS. conguration page is displayed. 1 2 In the left pane expand the WWLAN Services pane, then click the WLAN Service. The WWLAN Services 3 Click the AAuth & Acct tab. 4 In the Authentication Mode drop-down list, select a Captive Portal option. 5 Click Congure. The CCaptive Portal Conguration page displays. raft ExtremeWireless V10.41.06 User Guide 363 Conguring WLAN Services 6 In the Message Conguration section, click the Congure button. The MMessage Conguration page displays. For information about the Message Conguration elds, see Understanding the Message Conguration Page on page 364. Understanding the Message Conguration Page Table 64: Message Conguration Page - Fields and Buttons Field/Button Description raft Enter a message indicating that the user entered an invalid username or password combination. Enter a message to indicate when a user successfully logs in. Enter an error message that indicates the a user login was unsuccessful. Enter a message indicating an internal error. Enter an error message indicating that the user authentication timed out. Invalid Success Access Fail Fail Timeout RADIUS shared secret security key fail Enter an error message indicating that RADIUS shared secret failed. RADIUS internal error Max RADIUS login fail Enter an error message indicating an internal RADIUS client error Enter a message that indicates that the maximum number of simultaneous captive portal logins have been reached. ExtremeWireless V10.41.06 User Guide 364 Conguring WLAN Services Table 64: Message Conguration Page - Fields and Buttons (continued) FField/Button Description Invalid Login parameters Enter a message indicating that the user entered an invalid username or password combination. General failure Enter a message indicating that a general failure has occurred. Invalid third party parameters Enter an error message indicating that one or more parameters passed from the external captive portal server to the controller is either invalid or missing. Authentication in progress fail Enter a message indicating that the user credentials were not authenticated. Topology Change Enter an error message indicating that the topology failed. Close Cancel D Using the Captive Portal Editor Click to save your changes and close this page. Click to discard your conguration changes and close this page. To congure the editor:

conguration page displays. From the top menu, click VNS. The Captive Portal Editor enables you to congure the look and feel of a captive portal page. 1 2 In the left pane expand WLAN Services, then select the WLAN Service. The WWLAN Services 3 Click the AAuth & Acct tab. The AAuth & Accounting page displays. 4 In the Authentication Mode drop-down list, select a Captive Portal option. 5 Click Congure. The CCaptive Portal Conguration page displays. 6 In the Communications Options section, select Manual Settings and then click Launch Captive raft Note The Captive Portal Editor page supports only one administrator editing a captive portal page at one time. Portal Editor. For more information see Table 65 on page 367. ExtremeWireless V10.41.06 User Guide 365 Conguring WLAN Services aftCCaution In order for Captive Portal authentication to be successful, all the URLs referenced in the Captive Portal setup must also be specically identied and allowed in the non-authenticated lter. For more information, see Policy Rules on page 288. Caution If you use logos or graphics, ensure that the graphics or logos are appropriately sized. Large graphics or logos may force the login section out of view. Understanding the Captive Portal Editor ExtremeWireless V10.41.06 User Guide 366 Conguring WLAN Services Table 65: Captive Portal Editor - Fields and Buttons FField/Button Description Login Page tab Click to view and congure the elements that will display on the Captive Portal login page. By default, widgets for a Login username and Password, as well as an Accept button are congured by default. You can accept or change these widgets using the Captive Portal Editor widget management tools in the right-hand panel. Using the Captive Portal Editor widget management tools in the right-

hand pane on this page you can:

congure the background colors and forms add graphics add an external cascading style sheet (.css) VSA attributes Index Page Tab D page, allowing users to control their logoff. add an external cascading style sheet (.css) Click to view and congure the elements that will display on the Captive Portal Index page. Using the Captive Portal Editor widget management tools in the right-hand pane on this page you can:

congure the background colors and forms add graphics add a Logoff button. The Logoff button launches a pop-up logoff add a Status Check button The Status check button launches a pop-up window, which allows users to monitor session statistics such as system usage and time left in a session. raft Click to view and congure the elements that will display on the Captive Portal Topology change page. By default, a login conrmation and informational message, as well as a Close button, are precongured. You can accept or change these elements using the Captive Portal Editor widget management tools in the right-hand panel. Using the Captive Portal Editor widget management tools in the right-

hand pane on this page you can:

congure the background colors and forms add graphics add an external cascading style sheet (.css) Select to cache most of the widgets from the design to rescue the amount of time it takes a captive portal page to load. Topology Change Tab Design Management Cached Preview Close Save Save&Close Data Management Import Select to view the way the congured widgets will display to a user. Select to close this page without saving the conguration. Select to save the conguration changes. Select to save the conguration changes and close this window. Select and click Browse to navigate to the directory and lename of the a conguration that you want to import. Click OK to import the conguration. ExtremeWireless V10.41.06 User Guide 367 Conguring WLAN Services Table 65: Captive Portal Editor - Fields and Buttons (continued) FField/Button Description Export Select to save this conguration and enter the name of the le you want to save it in. Click the Browse button to navigate to a directory where you want to store the conguration le. Click OK to save the conguration. Widget Management Use the elds in this section to congure the widgets. Graphics Background External CSS Click to locate and upload a graphic. The graphic becomes available in the SShow Images section of the Property Editor. Click to congure the background color of the page Click to identify a cascading style sheet (.css) that will determine the page format. Session Variables D Use the elds in this section to add the congured widgets to the page. Click to congure the following VSA attributes:

AP Serial AP Name VNS Name SSID MAC Address The selections inuence what URL is returned in either section. For example, wireless users can be identied by which AP or which VNS they are associated with, and can be presented with a Captive Portal Web page that is customized for those identiers. raft Select to add a Header attribute to the panel. Use the Property Editor to determine the size and position of the Header attribute, the conditions under which it displays, and identify the link and type of Header attribute to include. Select to add a graphic to the page. Use the Property Editor select a precongured graphic, and to determine the size and location of the graphic. Select to add text to the page. Use the Property Editor to type and format the text, and to determine the location of the text and the conditions under which it displays. Use the Property Editor to determine the size and position of the Header attribute and the conditions under which it displays, select a Display Option, and select a type of VSA. Add Widget to Panel Graphic Text Header Session Variables External HTML Text (Scrollable) Footer Select to add an external HTML link to the page. Use the Property Editor select a precongured graphic, and to determine the size and location of the graphic Select to add scrollable text to the page. Use the Property Editor to type and format the text, and to determine the location of the text and the conditions under which it displays. Select to add a Footer attribute to the panel. Use the Property Editor to determine the size and position of the Footer attribute, the conditions under which it displays, and identify the link and type of Footer attribute to include. ExtremeWireless V10.41.06 User Guide 368 Conguring WLAN Services Dening Priority Level and Service Class Voice over Internet Protocol (VoIP) using 802.11 wireless local area networks are enabling the integration of internet telephony technology on wireless networks. Various issues including Quality-of-Service

(QoS), call control, network capacity, and network architecture are factors in VoIP over 802.11 WLANs. Wireless voice data requires a constant transmission rate and must be delivered within a time limit. This type of data is called isochronous data. This requirement for isochronous data is in contradiction to the concepts in the 802.11 standard that allow for data packets to wait their turn to avoid data collisions. Regular traffic on a wireless network is an asynchronous process in which data streams are broken up by random intervals. multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. To reconcile the needs of isochronous data, mechanisms are added to the network that give voice data traffic or another traffic type priority over all other traffic, and allow for continuous transmission of data. D To provide better network traffic ow, the controller provides advanced Quality of Service (QoS) management. These management techniques include:

WMM (Wi-Fi Multimedia) Enabled on individual WLAN Services, is a standard that provides IP ToS (Type of Service) or DSCP (Diffserv Codepoint) The ToS/DSCP eld in the IP header of a frame is used to indicate the priority and Quality of Service for each frame. Adaptive QoS ensures correct priority handling of client payload packets tunneled between the controller and AP by copying the IP ToS/DSCP setting from client packet to the header of the encapsulating tunnel packet. raft Service class is determined by the combination of the following operations:

The class of treatment given to a packet. For example, queuing or per hop behavior (PHB). The packet marking of the output packets (user traffic and/or transport). Table 66: Service Classes SService class name (number) 7 (highest priority) Priority level Dening the Service Class Network Control (7) Premium (Voice) (6) Platinum (video) (5) Gold (4) Silver (3) Bronze (2) Best Effort (1) Background (0) 6 5 4 3 2 1 0 (lowest priority) The service class is equivalent to the 802.1D UP (user priority). ExtremeWireless V10.41.06 User Guide 369 Table 67: Relationship Between Service Class and 802.1D UP SSC name 802.1d UP SC Value AC Network Control Premium (voice) Platinum (video) Gold Silver Bronze Best Effort 7 6 5 4 3 2 1 7 6 5 4 3 0 2 Conguring WLAN Services Queue VO or TVO VO or TVO VI VI BE BE BK BK VO VO VI VI BE BE BK BK Background 0 1 D Conguring the Priority Override Conguring QoS Modes Priority override allows you to dene and force the traffic to a desired priority level. Priority override can be used with any combination, as displayed in Table 67 on page 370. You can congure the service class and the DSCP values. When Priority Override is enabled, the congured service class overrides the queue selection in the inbound and outbound directions, the 802.1P UP for the WLAN tagged Ethernet packets, and the UP for the wireless QoS packets (WMM or 802.11e) according to the mapping in Table 66 on page 369. If Priority Override is enabled and the VNS is not locally bridged, the congured DSCP value is used to tag the IP header of the encapsulated packets. The AP does not override the DSCP in the IP header of the user packet. raft outbound traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic. 802.11e If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all 802.11e clients. The 802.11e clients will also classify and prioritize the inbound traffic. You can enable the following QoS modes for a WLAN Service:

WMM If enabled, the AP will accept WMM client associations, and will classify and prioritize the Turbo Voice If any of the above QoS modes are enabled, the Turbo Voice mode is available. If enabled, all the out traffic that is classied to the Voice (VO) AC and belongs to that VNS is transmitted by the AP via a queue called Turbo Voice (TVO) instead of the normal Voice (VO) queue. The TVO queue is tailored in terms of contention parameters and number of retries to maximize voice quality and voice capacity. U-APSD Unscheduled Automatic Power Save Delivery feature works in conjunction with WMM and/or 802.11e, and it is automatically disabled if both WMM and 802.11e are disabled. The APs are capable of supporting ve queues. The queues are implemented per radio; for example, ve queues per radio. The queues are:

ExtremeWireless V10.41.06 User Guide 370 Conguring WLAN Services Table 68: Queues QQueue Name AC_VO AC_VI AC_BK AC_BE AC_TVO Purpose Voice Video Background Best Effort Turbo Voice The controller supports the denition of 8 levels of user priority (UP). These priority levels are mapped at the AP to the best appropriate access class. Of the 8 levels of user priority, 6 are considered low priority levels and 2 are considered high priority levels. WMM clients have the same 4 AC queues. WMM clients will classify the traffic and use these queues when they are associated with a WMM-enabled AP. WMM clients will behave like non-WMM clients map all traffic to the Best Effort (BE) queuewhen not associated with WMM-enabled AP. D The prioritization of the traffic on the downstream (for example, from wired to wireless) and on the upstream (for example, from wireless to wired) is dictated by the conguration of the WLAN Service and the QoS tagging within the packets, as set by the wireless devices and the host devices on the wired network. Both Layer 3 tagging (DSCP) and Layer 2 (802.1d) tagging are supported, and the mapping conforms with the WMM specication. If both L2 and L3 priority tags are available, then both are taken into account and the chosen AC is the highest resulting from L2. If only one of the priority tags is present, it is used to select the queue. If none is present, the default queue AC_BE is chosen. raft Note If the wireless packets to be transmitted must include the L2 priority (send to a WMM client from a WMM-enabled AP), the outbound L2 priority is copied from the inbound L2 priority if available, or it is inferred from the L3 priority using the above table if the L2 inbound priority is missing. Table 69: Traffic Prioritization VNS type Packet Source Packet type Untagged Wired Yes No L3 L2 Wired VLAN tagged Yes Yes Wired Wireless Wireless Untagged WMM non-WMM No Yes No Yes Yes Yes Tunneled Branch Branch Branch or Tunneled Branch or Tunneled To congure QoS Role:

From the top menu, click VNS. 1 2 In the left pane expand the WWLAN Services pane, then click the WLAN Service. ExtremeWireless V10.41.06 User Guide 371 Conguring WLAN Services 3 Click the QQoS tab. D Figure 113: Conguring QoS raft ExtremeWireless V10.41.06 User Guide 372 Conguring WLAN Services Table 70: WLAN Services QoS Tab - Fields and Buttons FField/Button Description Wireless QoS D Admission Control From the Wireless QoS list, do the following:

WMM Select to enable the AP to accept WMM client associations, and classify and prioritize the outbound traffic for all WMM clients. Note that WMM clients will also classify and prioritize the inbound traffic. WMM is part of the 802.11e standard for QoS. If selected, the Turbo Voice and Enable U-APSD options are displayed. 802.11e Select to enable the AP to accept WMM client associations, and classify and prioritize the outbound traffic for all 802.11e clients. The 802.11e clients will also classify and prioritize the inbound traffic. If selected, the Turbo Voice and the Enable U-APSD options are displayed:

Turbo Voice Select to enable all out traffic that is classied to the Voice (VO) AC and belongs to that VNS to be transmitted by the AP via a queue called Turbo Voice (TVO) instead of the normal Voice (VO) queue. When Turbo Voice is enabled together with WMM or 802.11e, the WMM and/or 802.11e clients in that VNS are instructed by the AP to transmit all traffic classied to VO AC with special contention parameters tailored to maximize voice performance and capacity. Enable U-APSD Select to enable the Unscheduled Automatic Power Save Delivery (U-APSD) feature. This feature can be used by mobile devices to efficiently sustain one or more real-time streams while being in power-save mode. This feature works in conjunction with WMM and/or 802.11e, and it is automatically disabled if both WMM and 802.11e are disabled. raft From the Admission Control list, do the following:

Use Global Admission Control for Voice (VO) - Select to enable admission control for Voice. With admission control, clients are forced to request admission to use the high priority access categories in both inbound and outbound directions. Admission control protects admitted traffic against new bandwidth demands. For more information, see VNS Global Settings on page 392. Use Global Admission Control for Video (VI) - This feature is only available if admission control is enabled for Voice. With admission control, clients are forced to request admission to use the high priority access categories in both inbound and outbound directions. Admission control protects admitted traffic against new bandwidth demands.Select to provide distinct thresholds for VI (video). For more information, see VNS Global Settings on page 392. Use Global Admission Control for Best Effort (BE) - If the client does not support admission control for the access category that requires admission control, the traffic category will be downgraded to lower access category that does not have Mandatory Admission control. For example, if admission control is required for video, and client does not support admission control for video, traffic will be downgraded to Best Effort (BE). ExtremeWireless V10.41.06 User Guide 373 Conguring WLAN Services Table 70: WLAN Services QoS Tab - Fields and Buttons (continued) FField/Button Description For more information, see VNS Global Settings on page 392. Use Global Admission Control for Background (BK)-

This feature is only available if admission control is enabled for Background. With admission control, clients are forced to request admission to use the high priority access categories in both inbound and outbound directions. Admission control protects admitted traffic against new bandwidth demands. For more information, see VNS Global Settings on page 392. Flexible Client Access D Advanced button Priority Processing Select the check box to enable exible client access. Flexible client access levels are set as part of the VNS global settings. Note: TSPEC must be disabled when using Flexible Client Access. Select this check box to force DSCP and a service class. raft Note: When Priority Override is enabled, the congured service class forces queue selection in the outbound direction, the 802.1P user priority for the VLAN tagged Ethernet packets and the user priority for the wireless QoS packets (WMM or 802.11e), according to the mapping between service class and user priority. If Priority Override is enabled and the VNS is not locally bridged, the congured DSCP value is used to tag the IP header of the encapsulated packets. The AP does not override the DSCP in the IP header of the user packet. From the drop-down list, click the DSCP value used to tag the IP header of the encapsulated packets. For more information, seeDening the DSCP and Service Classications on page 375. Select one of the following service classes:

Network control (7) The highest priority level. Premium (Voice) (6) Platinum (5) Gold (4) Silver (3) Bronze (2) Best Effort (1) Background (0) The lowest priority level Priority Override DSCP Service Class Note: If you want to assign a service class to each DSCP marking, clear the Priority Override check box and dene the DSCP service class priorities in the DSCP classication table. ExtremeWireless V10.41.06 User Guide 374 Conguring WLAN Services Table 70: WLAN Services QoS Tab - Fields and Buttons (continued) FField/Button Description Advanced Wireless QoS options

(Options are only displayed if the WMM or 802.11e check boxes are selected) UL Policer Action If Use Global Admission Control for Voice (VO) or Use Global Admission Control for Video (VI) is enabled, click the action you want the AP to take when TSPEC violations occurring on the inbound direction are discovered:

Do nothing Click to allow TSPEC violations to continue when they are discovered. Data transmissions will continue and no action is taken against the violating transmissions. Send DELTS to Client Click to end TSPEC violations when it they are discovered. This action deletes the TSPEC. D DL Policier Action If Use Global Admission Control for Voice (VO) or Use Global Admission Control for Video (VI) is enabled, click the action you want the AP to take when TSPEC violations occurring on the outbound direction are discovered:

Do nothing Click to allow TSPEC violations to continue when they are discovered. Data transmissions will continue and no action is taken against the violating transmissions. Downgrade Click to force the transmissions data packets to be downgraded to the next priority when a TSPEC violation is discovered. Drop Click to force the transmissions data packets to be dropped when a TSPEC violation is discovered. raft All 64 DSCP code-points are supported. The IETF dened codes are listed by name and code. Undened codes are listed by code. The following is the default DSCP service class classication (where SC is Service Class and UP is User Priority):

Dening the DSCP and Service Classications To dene the DSCP and Service Class classications:

Table 71: DSCP Code-Points DSCP SC/UP CS0/DE CS1 CS2 CS3 CS4 CS5 2/0 0/1 1/2 3/3 4/4 5/5 DSCP AF11 AF12 AF13 AF21 AF22 AF23 SC/UP 2/0 2/0 2/0 3/3 3/3 3/3 DSCP AF33 AF41 AF42 AF43 EF Others SC/UP 4/4 5/5 5/5 5/5 6/6 0/1 ExtremeWireless V10.41.06 User Guide 375 Conguring WLAN Services DSCP SC/UP SC/UP 4/4 4/4 Table 71: DSCP Code-Points (continued) DDSCP SC/UP DSCP CS6 CS7 6/6 7/7 AF31 AF32 Conguring Hotspots Traditionally, using a hotspot presents end users with several challenges, including initial connection issues, security concerns, and connectivity while roaming. The ExtremeWireless solution offers the following features to improve the hotspot end-user experience:

Pre-association network discovery and selection using the dot11u ANQP protocol, resulting in a Simplied account registration. Network administrators create accounts easily, and provisioning is seamless initial connection. D achieved without user input. Enhanced security, using over the air transmission secured by WPAv2. Each hotspot WLAN has its own Access Network Query Protocol (ANQP) conguration. The HESSID and ANQP Domain ID are specic to the hotspot WLAN. With pre-association, a mobile device uses ANQP to perform network discovery. The mobile device's connection manager uses hotspot information, such as the service provider policy and user preferences, to automatically select a hotspot network. A mobile device queries the hotspot for key service provider identication and authentication information and selects a network. The ANQP response is generated using parameters congured by the hotspot operator. raft Only one hotspot WLAN can be assigned to an AP and to a specic site conguration. The hotspot WLAN can refer to a single Online Signup (OSU) WLAN, which can be open or encrypted. Network operators dene the lter policy during hotspot conguration. From the top menu, click VNS. Then, in the left pane, select WLAN Services. The WWLAN Services window displays. Congure hotspots under the WLAN Services workbench. To congure a hotspot:

1 Conguring a New Hotspot 2 Click New to congure a new WLAN service. 3 Provide the service Name, Service Type, and SSID. ExtremeWireless V10.41.06 User Guide 376 Conguring WLAN Services 4 Select the Hotspot option. Valid values are:

Disabled. Hotspot functionality is not enabled. Enabled. Hotspots are enabled for this WLAN and the Hotspot tab appears on the WLAN page. Privacy is set by default to WPA and Mandatory Frame Protection (MFP) is enable. The authentication method is set to AAA with External Radius Server;. You can congure MBA, if required . OSU. Allows the denition of Online Sign Up or OSEN WLAN. NNote Congure the policy and topology assigned to the OSU WLAN to allow access only to the OSU server. No access to the internet. D DNote 5 Select the Hotspot tab. Once you have dened a WLAN service with a hotspot, you cannot disable the hotspot. You can only delete the WLAN service and recreate it. Figure 114: Hotspot Conguration ExtremeWireless V10.41.06 User Guide 377 Conguring WLAN Services Table 72: WLAN Services Hotspot Tab - Fields and Buttons FField/Button Description HESSID One SSID can be used across multiple WLANs (BSS), so the HESSID helps a client identify when the BSSID belongs to a homogenous BSS with identical conguration. Beacon with same {HESSID, SSID} pair belong to same WLAN. The {HESSID, SSID} pair must be unique for each WLAN. By default, the HESSID is set to the MAC address of the controller Ethernet port. Hotspots can have the same HESSID as long as the SSID is unique. If opting to congure the HESSID manually, we recommend using an AP BSSID as the HESSID. Note: In a mobility domain, manually congure the HESSID to a unique value, differentiating it from the value used in the controller's WLAN. D Access Network accounts. network providing guest access. anyone but access requires payment. Free public network. Open network, free of Chargeable public network. (Default) Open to Private network with guest access. An enterprise Identies the type of network. Valid values are:

Private network. An enterprise network with user charge but may still require acceptance of terms of use (and may involve OSU servers with captive portal). raft Downstream Group-Address Forwarding Disabled. By default this option is checked. When checked, the AP is not forwarding downstream group-addressed frames. This is a list of one or more domain names of the entity operating the hotspot network. Domain names in the domain name list may contain sub-domains. If the service provider's FQDN is not in the domain name list but is in the realm list, then a mobile device that chooses that service provider is considered to be roaming. Domain. FQDN specied by the user. Default value is empty string. DGAF Disabled 6 From the Hotspot Identication tab, congure the following parameters:

Venue Info. Describes the venue. Select from a list of predened values:

Select a description of the venue group in the rst eld. 1 2 Select a value from the second eld. Note The second eld is not populated with values until after you select a value from the rst eld. Default value is Unspecied. ExtremeWireless V10.41.06 User Guide 378 Conguring WLAN Services 7 You can congure up to four languages for each venue. Click the plus sign. A conguration dialog displays. Figure 115: Hotspot Identication Tab D raft Describe the venue where the hotspot is located. If there are multiple hotspot APs in one venue, use the same venue name. However, when one hotspot covers multiple venues, you can list multiple venues here even though they may share a single service set identier (SSID). Select a language preference, specifying the venue name and operator name, and click OK. Figure 116: Conguring Operator and Venue List venue names in multiple languages. The mobile device selects the language that is used to display information to the user. The mobile device can obtain venue name information through an ANQP query, which can help the user when they are manually selecting a hotspot. The mobile device implementation determines if the venue name information is displayed. ExtremeWireless V10.41.06 User Guide 3379 Conguring WLAN Services 8 To remove a language row from the Venue list, select the check box in the list row and click the minus sign. Figure 117: Removing a Venue D 9 To edit a list row, click the list row. In the resulting dialog, modify the values and click OK. 10 Click Save to save the conguration. SP Identication Tab The hotspot SP identication tab displays hotspot properties for service provider identication and authentication. raf To congure SP Identication for the hotspot:

376. 2 Select the SP Identication tab. 1 Congure a WLAN Services Hotspot. For more information, see Conguring a New Hotspot on page Figure 118: Service Provider Identication ExtremeWireless V10.41.06 User Guide 3380 Conguring WLAN Services 3 Congure the following parameters:

NAI Realm. The the NAI (Network Access Identication) Realms list is a FQDN of the service provider. This is a list of realms that can be successfully authenticated. Each realm may have up to 8 supported EAP methods. Click the plus sign to add realms and select the EAP Method. Then, click OK. Congure an NAI Realm list for each hotspot as follows:

Add all realms that can authenticate a mobile devices logon credentials or certicate credentials, including the realms of all roaming partners that are accessible from the hotspot AP. Include the realm of the home SP. Add a realm for the PLMN ID. This is the cellular network identity based on public land mobile network (PLMN) information. See Figure 120 on page 382. You can congure the EAP method list to support devices that do not know the EAP methods If the device has been provisioned with the home service provider, the device does not need to use the EAP methods in the NAI Realm List. The mobile device knows the EAP method required to that are being used by a given service provider. D authenticate against its home service provider and automatically uses it.DDNNote Keep your DNS server records up to date so that mobile devices can resolve the server domain names (FQDN). ra Figure 119: Realm Conguration Mobile devices with a SIM or USIM credential, can obtain a realm from the hotspot NAI Realm list. While 3GPP credentials are usually used to access a hotspot, a targeted NAI home query is an efficient alternative approach. The device's connection manager compares the realm information in the list to the information that is stored on the device. The connection manager uses the mobile ExtremeWireless V10.41.06 User Guide 381 Conguring WLAN Services devices precongured user preferences and policy to make a decision between a hotspot AP or a non-hotspot AP, if both are available. Roaming Consortium.To congure authentication of mobile devices to the members of a roaming consortium, or to a particular SP that has a roaming consortium, add the appropriate IEEE-assigned Organizational Identier (OI) here. Specify two identiers unique to the organization that are part of the MAC address. Use roaming consortium authentication when you do not know all the authenticated realms. Using identiers unique to the organization in the beacon is a battery efficient roaming method because there are no ANQP queries needed. 3GPP Cellular Network. This is a list of cellular network IDs in the form of mobile country code, mobile network code (MCC, MNC). This list establishes whether an AP has a roaming arrangement with the 3GPP service providers. Click the plus sign to add mobile country code, mobile network code (MCC, MNC) values. Then, click OK. D raft The hotspot Network Characteristics tab displays network parameters for the hotspot. To congure Network Characteristics for the hotspot:

1 Congure a WLAN Services Hotspot. For more information, see Conguring a New Hotspot on page 376. Figure 120: 3GPP Cellular Network Conguration 4 Click Save to save the conguration. Network Characteristics Tab ExtremeWireless V10.41.06 User Guide 3382 Conguring WLAN Services 2 Select the NNetwork Characteristics tab. D 3 Congure the following parameters:

Figure 121: Conguring Network Characteristics IP Address Type Availability. The mobile device uses the IP Address Type Availability information to make network selection decisions. Select the level of restriction for each network type. Levels of restriction range from Public Address Available to Port Restricted and Double NATed Private Address Available. raft The mobile device uses information from the WAN Metrics congured here to make network selection decisions. The mobile device can determine if necessary throughput is available from the hotspot before connecting. If the mobile device receives indication that the basic service set (BSS) is at capacity, the device will not associate with that AP. Connection Capability. The mobile device uses connection capability information to make network selection decisions by determining which services are blocked or supported at the hotspot. Congure up to 16 ports. To add a protocol, click the plus sign. Specify the protocol, the port number, and the status WLAN Metrics. Enter the values for maximum Uplink and Downlink speed and load parameters for the WLAN service. associated with the protocol. Valid Status values include: Closed, Open, or Unknown. Note Make an effort to congure all ports and do not rely on the Unknown value. ExtremeWireless V10.41.06 User Guide 383 Conguring WLAN Services To remove a port from the Connection Capability list, select the check box in the list row and click Figure 122: Conguring Connection Capability D the minus sign. Figure 123: Removing a Connection Port To edit a port, click the list row. In the resulting dialog, modify the values and click OK. raft The hotspot OOnline Signup tab displays hotspot properties for Online Signup users. Online Signup allows users who are not part of the provider network to manually connect to the hotspot. It also allows for added security for users who want to connect anonymously. To congure Online Signup for the hotspot:

4 Click Save. Online Signup Tab 1 Congure a WLAN Services Hotspot. For more information, see Conguring a New Hotspot on page 376. ExtremeWireless V10.41.06 User Guide 384 Conguring WLAN Services 2 Select the Online Signup tab. D 3 Congure the following parameters:

Conditions. Figure 124: Conguring Online Signup Network Authentication Type. Possible values for network authentication are:

Acceptance of terms and conditions. Redirection is accomplished after user accepts Terms and Http/Https redirection. Redirect Http or Https automatically. Online enrollment supported. Authentication supports online enrollment. DNS redirection. DNS redirection serves a web page other than what the end user had requested. raft To remove a provider from the list, select the check box in the list row and click the minus sign. To edit provider information, click the list row. In the resulting dialog, modify the values and click Server Provider Setting. This is service provider conguration settings. To add a provider to the list, click the plus sign and congure the provider settings. For more OSU WLAN. This is the address of the Online Signup WLAN. When you created the hotspot, you specied OSU in step 1 above. The OSU WLAN can be either Open or Encrypted (OSEN). information, see Conguring the OSU Service Provider on page 385. OK. For more information, see Conguring the OSU Service Provider on page 385. 4 Click Save to save the conguration. CConguring the OSU Service Provider Hotspot conguration supports Online Signup. This task outlines how to create a list of service providers that support Online Signup. Take the following steps to congure an Online Signup service provider:

1 Congure a WLAN Services Hotspot. For more information, see Conguring a New Hotspot on page 376. ExtremeWireless V10.41.06 User Guide 385 Conguring WLAN Services 2 From the WLAN Services Hotspot tab, select the OOnline Signup tab. D Figure 125: Online Signup Tab raft ExtremeWireless V10.41.06 User Guide 386 Conguring WLAN Services 3 In the Service Provider Setting pane, select the plus sign. The OOSU SP Conguration dialog appears. t Figure 126: Conguring the OSU Service Provider ExtremeWireless V10.41.06 User Guide 387 Conguring WLAN Services 4 Congure the following parameters:

Server URI. The OSU server URI. Methods. OSU Method is the preferred list of encoding methods that the OSU server supports in order of priority. Select the connection method used by the provider. Icon. Click Congure to add or remove an icon associated with Online Signup. For more information, see Conguring an OSU Icon on page 388. Anonymous Name. Congure a name that anonymous users can use to access the network. Language. Congure the Language, Friendly Name, and Service Description for the Online Signup user interface. To add an icon:

5 Click OK to save the OSU SP conguration. Conguring an OSU Icon D This task outlines how to add, change, or remove icons to a list of icons that are associated with Online Signup. The icon list contains the metadata for the available icon les. The metadata denes the image size, language, type, and le name. The mobile device determines which icon in the list best ts the display and downloads the appropriate le. The list can be blank. The NAI realm is used in cases where the OSU ESS (OSEN) SSID is congured. This allows the device to authenticate to the OSU OSEN SSID for access to the OSU server. raft 1 From the OOSU SP Conguration dialog, click Congure. The IIcon Conguration dialog appears. 2 Click Browse to navigate to the icon le. Then, click Open and Upload. The icon le is added to the IIcon Conguration dialog. ExtremeWireless V10.41.06 User Guide 388 Conguring WLAN Services 3 Select the icon and click Save. To delete an icon:

1 Open the IIcon Conguration dialog. 2 Select the icon and click Delete. 3 Click Save. D raft ExtremeWireless V10.41.06 User Guide 389 8 Conguring a VNS CConguring a VNS VNS Global Settings Methods for Conguring a VNS Manually Creating a VNS Creating a VNS Using the Wizard Enabling and Disabling a VNS Renaming a VNS Deleting a VNS D Conguring a VNS Setting up a VNS denes a binding between a default role specied for wireless users and an associated WLAN (Wireless Local Area Network) Service set, as shown in Figure 127. There are conceptually hierarchical dependencies on the conguration elements of a VNS. However, the provisioning framework is exible enough that you may select an existing dependent element or create one on the y. Therefore, each element can be provisioned independently (WLAN services, Topologies, and Roles). For service activation, all the pieces will need to be in place, or dened during VNS conguration. raft Figure 127: VNS Conguration Flow You can use the VNS Creation Wizard to guide you through the necessary steps to create a virtual network service (and the necessary subcomponents during the process). The end result is a fully resolved set of elements and an active service. The recommended order of conguration events is:

1 Before you begin, draft out the type of services the system is expected to provide wireless services, encryption types, infrastructure mapping (VLAN (Virtual LAN)s), and connectivity points

(switch ports). Switch port VLAN conguration/trunks must match the controller's. 2 Set up basic controller services such as NTP, Routing, DNS, and RADIUS Servers, using one of the following methods:

ExtremeWireless V10.41.06 User Guide 390 Conguring a VNS Run the Basic Conguration Wizard, or Manually dene the necessary infrastructure components such as RADIUS Servers. RADIUS Servers are dened via the VNS > Global > Authentication. 3 Dene Topologies. Topologies represent the controllers points of network attachment. Therefore, VLANs and port assignments need to be coordinated with the corresponding switch ports. 4 Dene Roles. Roles are typically bound to Topologies. Role application assigns user traffic to the corresponding network point of attachment. Roles dene mobile user access rights by ltering. Polices reference the mobile user's traffic rate control proles. 5 Dene the WLAN Service. Dene SSID and privacy settings for the wireless link. Select the set of APs and radios on which the service is present. Congure the method of credential authentication for wireless users (None, Internal CP, External 6 Create a VNS that binds the WLAN Service to the Role that will be used for default assignment CP, Guest Portal, 802.1x[EAP]). D upon user network attachment. Create a new Topology. Create a new Class of Service. The VNS conguration page in turn allows for in-place creation of any dependencies it may require. For example:

Create a new WLAN Service. Create a new Role. raft The controller system ships with a Topology entity for an admin interface. Topology entities representing the controller physical interfaces must be set manually or using the basic installation wizard. The default shipping controller conguration does not include any pre-congured WLAN Services, VNSs, or Roles. The ExtremeWireless system does ship with Topology entities representing each of it's physical interfaces, plus an admin interface. There are, however, global default settings corresponding to:

A Default Topology named Bridged @ AP Untagged An Unlimited Rate Control Prole A Filter Denition of Deny all Controller Defaults These entities are simply placeholders for Role completion, in case roles are incompletely dened. For example, a Role may be dened as no-change for Topology assignment. ExtremeWireless V10.41.06 User Guide 391 Conguring a VNS If an incomplete Role is assigned as the default for a VNS / WLAN Service (wireless port), the incomplete Role needs to be fully qualied, at which point the missing values are picked from the Default Global Role denitions, and the resulting role is applied as default. NNote You can edit the attributes of the Default Global Role (under VNS > Global tab). For example, change the topology, apply more permissive lter sets, or use a more restrictive Rate Control prole). It is possible to dene a Default Global Role to refer to a specic Topology (for example, Topology_VLAN). Then congure every other Roles topology as No-change. This conguration denes Topology_VLAN as the default assignment. All user traffic, regardless of the role assignment

(applying different access rights, different rate controls) will be carried through the same VLAN. Table maps each VLAN ID to a Role ID. DAS (Dynamic Authorization Service) VNS Global Settings D Before dening a specic VNS, dene the global settings that apply to all VNS denitions. These global settings include:

Authentication available choices when you set up the authentication mechanism for each WLAN Service. Conguring RADIUS servers on the enterprise network. The dened servers are displayed as Conguring Dynamic Authorization Service (DAS) support. DAS helps secure your network by Conguring the MAC format. Conguring RFC 3580 (ACCESS -ACCEPT) RADIUS attributes for the selected server. A Role Map raft thresholds for VO (voice) and VI (video), and distinct thresholds for roaming and new streams.

(AP37xx Only) Flexible Client Access provides the ability to adjust media access fairness in ve levels between Packet Fairness and Airtime Fairness. The Bandwidth Control Proles you dene are displayed as available choices in the Rate Proles Airtime % is available for AP38xx and AP39xx access point models that are assigned WLANS Admission control thresholds protect admitted traffic against overloads, provide distinct Wireless QoS, comprising Admission Control Thresholds and Flexible Client Access Fairness Role. providing the ability to disconnect a mobile device from your network. congured with Reserved Airtime. Bandwidth Control menu when you set up CoS (Class of Service) role. Default Role The Global Default Policy species:

A topology to use when a VNS is created using a role that does not specify a topology A set of lters The controller ships from the factory with a default Global Default Policy that has the following settings:

ExtremeWireless V10.41.06 User Guide 392 Conguring a VNS Topology is set to an Bridged at AP untagged topology. This topology will itself be dened in controllers by default. Filters - A single Allow All lter. The Global Default Policy is user-congurable. Changes to the Global Default Policy immediately effect all shadow roles created from it, just as if the administrator had made a comparable change directly to the incomplete role. Egress Filtering Mode The global Egress Filtering Mode setting overrides the individual WLAN service Egress Filtering Mode setting. Sync Summary Client Auto Login The SSync Summary screen provides an overview of the synchronization status of paired controllers. The screen is divided into sections: Virtual Networks, WLAN services, Roles, and Topologies. Each section lists the name of the corresponding conguration object, its synchronization mode, and the status of last synchronization attempt. For more information, see Using the Sync Summary on page 414. D NAC Integration This features congures how auto login behavior is handled for users with devices that need to authenticate to a captive portal to gain network access. For more information, see Using Client Login on page 417. NAC Integration provides a list of NAC servers for use by the controller for passing DHCP (Dynamic Host Conguration Protocol) traffic. The NAC server can accept DHCP messages from the controllers DHCP server and use them to ngerprint devices. For more information, see Using NAC Integration on page 416. raft Use Netow to forward packet information. Integration with ExtremeAnalytics no longer requires Netow/MirrorN. See ExtremeAnalytics Support with Enhanced IPFIX Records on page 419 for more information. Topology Group Algorithms are used for selecting a member Topology from a Topology Group. The wireless controller will run one of the following algorithms: MAC based, Round Robin, Random Selected, and Lease used. For more information, see Using Topology Group Algorithm on page 418. Topology Group Algorithm Netow/MirrorN Redirection URL Congure a list of redirection URLs from the Redirection URL dialog. You can add and delete a URL. Note To display the Redirection URL option, enable Rule-based Redirection under Filtering Mode. Related Links Conguring Airtime Fairness: Reservation Mode on page 406 ExtremeWireless V10.41.06 User Guide 393 Conguring a VNS Dening RADIUS Servers and MAC Address Format The Authentication global settings include conguring RADIUS servers, the MAC format to be used, the SERVICE-TYPE attribute in the client ACCESS-REQUEST messages, and how long a notice web page displays if a topology change occurs during authentication. The notice Web page indicates that authentication was successful and that the user must restart the browser to gain access to the network. Dening RADIUS Servers for VNS Global Settings To dene RADIUS servers for VNS global settings:

From the top menu, click VNS. 1 2 In the left pane, click Global > Authentication. 3 Select Strict Mode to force the top three Radius servers in priority order for each WLAN where applicable. Clearing this check box, allows individual Radius change per WLAN. D Figure 128: Global Authentication Settings ExtremeWireless V10.41.06 User Guide 394 Conguring a VNS 4 To dene a new RADIUS server available on the network, click New. The RRADIUS Settings dialog displays. Figure 129: RADIUS Server Settings ExtremeWireless V10.41.06 User Guide 395 Conguring a VNS 5 In the Server Alias eld, type a name that you want to assign to the RADIUS server. NNote You can also type the RADIUS servers IP address in the Server Alias box in place of a nickname. The RADIUS server will identify itself by the value typed in the Server Alias box in the RADIUS Servers drop down list on the RRADIUS Authentication tab of the LLogin Management screen (top menu > Wireless Controller > Login Management). For more information, see Conguring the Login Authentication Mode on page 75. 6 In the Hostname/IP eld, type either the RADIUS servers FQDN (fully qualied domain name) or IP address. 7 In the Shared Secret eld, type the password that will be used to validate the connection between Note If you type the host name in the Hostname/IP address box, the controller will send a host name query to the DNS server for host name resolution. The DNS servers must be appropriately congured for resolving the RADIUS servers host names. For more information, see Conguring DNS Servers for Resolving Host Names of NTP and RADIUS Servers on page 94. D the controller and the RADIUS server. To proofread your shared secret key, click Unmask. The password is displayed. Note You should always proofread your Shared Secret key to avoid any problems later when the controller attempts to communicate with the RADIUS server. raft a Priority default is 4. b Total number of tries default is 3. c RADIUS Request timeout default is 5 seconds. d For Accounting operations, the Interim Accounting Interval default is 30 minutes. Setting the e Port default Authentication port is 1812. Default Accounting port is 1813. Interim Accounting Interval value to 0 results in no interims being sent. and enter a Test Request Timeout (shown in seconds). 8 If desired, change the Default Protocol using the drop down list. Choices are PAP, CHAP, MS-CHAP, 10 If desired, setup Health Monitoring by selecting a Polling Mechanism from the drop-down menu, 9 If desired, change the pre-dened default values for Authentication and Accounting operations:

or MS-CHAP2. 11 To save your changes, click Save. The new server is displayed in the RADIUS Servers list. Note The RADIUS server is identied by its Server Alias. 12 To edit an existing server, click the row containing the server. The RRADIUS Settings window displays, containing the servers conguration values. 13 To remove a server from the list, select the check box next to the server, and then click Delete Selected. You cannot remove a server that is used by any VNS. ExtremeWireless V10.41.06 User Guide 396 Conguring a VNS Conguring the Global MAC Address Format for Use with the RADIUS Servers To congure the Global MAC Address Format for use with the RADIUS servers:

From the top menu, click VNS. 1 2 In the left pane, click Global, then Authentication. 3 In the MAC Address area, select the MAC Address Format from the drop down list. 4 Click Save to save your changes. Conguring Advanced RADIUS Servers Settings From the top menu, click VNS. 1 2 In the left pane, click Global > Authentication. 3 In the MAC Address area, click Advanced. D raft Figure 130: Advanced RADIUS Server Settings ExtremeWireless V10.41.06 User Guide 3397 Conguring a VNS 4 Congure the following parameters:

Table 73: Advanced Radius Settings FField Description Include Service-Type attribute in Client Access Request messages Set Service Type to Login Select if the client RADIUS Access Request message includes the

"Service-Type" attribute. If included, the attribute is set to "Framed"

by default. If selected, the RADIUS "Service-Type" attribute of the client Access Request is set to "Login" (instead of "Framed"). Note: RADIUS-based controller administrative access also sets the Service-Type attribute to "Login". Therefore, if you enable Service Type Login here, RADIUS-based administrative access is not allowed

(and vice versa). Delay for Client Message for Topology Change D How should multiple RADIUS servers be used?

Denes a delay during client authentication when switching from one topology to another. This is relevant for Captive Portal authentication. The delay gives time for the client to be assigned an IP address for the new topology before browser redirection. Set the delay in seconds. Primary-Backup. Select a primary failover server to have control starting at the top of the list of approved servers. The rst server is used until it fails, and that pattern continues down the list. When the last server fails, then the rst server is used again. Select an authentication or accounting option. The selection applies to all WLAN Services and to all sites on the EWC. Round-Robin. The server is selected on a round-robin basis raft over which server provides redundancy. When you select Primary-Backup, the RADIUS server assigned to the site or WLAN Service is the primary for the WLAN Service. All other RADIUS servers assigned to WLAN Service are backups for the primary and continue to be selected in a round-robin approach. For controllers in an availability pair, the Primary and Backup servers must be synchronized (enable "Synchronize System Conguration" in Availability setup) if the WLAN Services are synchronized. If the primary server has failed resulting in a backup server being used for authentication, the controller will periodically send a "Health Check" to the primary server to see if it has recovered. If the primary server has recovered, the controller starts using the primary server for all new authentications. All authentications in progress continue to use the backup server. Use MAC-Based Authentication MAC address format for user authentication and accounting via RADIUS Allows the administrator to override the default MAC address colon-

separated format (for example 00:11:22:33:44:55) with the Global Authentication MAC Address format for the following attributes:

Calling-Station-Id attribute of the RADIUS packet Called-Station-Id attribute (if Called-Station-Id is not overridden by Zone name) AP BSSID Mac in one of the vendor attributes User-Name attribute. Note: This setting is enabled for new deployments. You must manually enable this setting for upgraded deployments. ExtremeWireless V10.41.06 User Guide 398 Conguring a VNS Table 73: Advanced Radius Settings (continued) FField Description Override 802.1x Authentication Call-

Station-Id format with XX-XX-XX-XX-

XX-XX:SSID Allows the administrator to override the Called-Station-Id attribute format for 802.1x authentication with the format XX-XX-XX-XX-XX-

XX:SSID. This setting is disabled by default. When you select this option, the Called-Station-Id conforms to the format specied in RFC 3580 (IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines). If the RADIUS server is processing this attribute, the RADIUS server has to support this format. Note: This setting overrides the setting Use MAC-Based Authentication MAC address format for user authentication and accounting via RADIUS. Enabling RADIUS accounting activates RADIUS accounting only in WLAN Services specically congured to perform it. Disabling RADIUS accounting overrides the RADIUS accounting settings of individual WLAN Services. Radius Accounting D Defer sending the accounting start request until the client's IP address is known 5 Click Close to close the AAdvanced Settings dialog. 6 Click Save to save your changes. Specify Authentication Behavior of RADIUS servers on Server Failure. If selected, the client RADIUS Accounting Request "start"

command is not sent to the RADIUS server until the client IP address is known. By default, this option is not selected and the

"start" command is sent once the client is authenticated. raft 1 2 In the left pane, click Global, then Authentication. 3 In the MAC Address area, click Advanced. 4 In the Delay for Client Message for Topology Change eld, specify the number of seconds the web page is displayed to the client when the topology changes as a result of a role change. The Web page indicates that authentication was successful and that the user must close all browser windows and then restart the browser for access to the network. You can modify the amount of time that the NNotice web page displays if a topology change occurs during authentication. Take the following steps:

From the top menu, click VNS. Changing the Display Time of the Notice Web Page Currently this is supported for Internal Captive Portal, Guest Portal, and Guest Splash. 5 Click Close. 6 Click Save to save your changes. Conguring RADIUS Attribute for Hybrid Role Mode Hybrid Role mode (RFC 3580 Mapping mode) enables the wireless controller to separately assign different roles or topologies depending on a mobile station location. The following are available modes of operation:

ExtremeWireless V10.41.06 User Guide 399 Conguring a VNS RADIUS Filter-ID attribute Controller uses the topology assigned by the role and ignores the VLAN tunnel ID. RADIUS Tunnel-Private-Group-ID attribute Controller selects a role for the station based on the VLAN tunnel ID and ignores the lter ID. When selected, a mapping table maps each VLAN ID to a role. Both RADIUS Filter-ID and Tunnel-Private-Group-ID attribute Controller uses both the role identied in the lter ID and the topology associated with the VLAN tunnel ID. Note The selected mode of operation applies to all WLAN Services on the controller. Dening RFC 3580 Mapping Mode for VNS Global Settings From the top menu, click VNS. The VVirtual Network Conguration screen displays. To dene RFC 3580 for VNS global settings:

D 1 2 In the left pane, click Global > Authentication. 3 Click the RRFC 3580 (ACCESS-ACCEPT) Options tab. raft Figure 131: Authentication Settings 4 Select RADIUS Filter - ID attribute to assign both role and topology when the controller receives a RADIUS ACCESS-ACCEPT message. To save your changes, click Save. ExtremeWireless V10.41.06 User Guide 400 Conguring a VNS 5 Select RADIUS Tunnel-Private-Group-ID attribute to assign both role and topology (based on the VLAN ID to Role Mapping table selection) when the controller receives a RADIUS ACCESS-ACCEPT message. In the VLAN ID Role Mapping table, select an existing VLAN ID and Role. Click New to create a new mapping entry. In the AAdd VLAN Role dialog, enter a VLAN ID, and select a Role from the drop-down list. D Click Add. To save your changes, click Save. select a Role from the drop-down list. Click Add. To save your changes, click Save. 6 Select Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes to identify the role to assign to the station and the topology to assign to the station (based on the VLAN ID to Role Mapping table selection), when the controller receives a RADIUS ACCESS-ACCEPT message. In the VLAN ID Role Mapping table, select an existing VLAN ID and Role. Click New to create a new mapping entry. In the AAdd VLAN Role dialog, enter a VLAN ID, and raft DAS helps secure your network by forcing the disconnection of any mobile device from your network. Typically, you would want to disconnect any unwelcome or unauthorized mobile device from your network. The disconnect message that is dened in RFC 3576 is enforced by the DAS support. If an unauthorized mobile device is detected on the network, the DAS client sends a disconnect packet, forcing the mobile device off the network. Your DAS client can be an integration with ExtremeControl or another third-party application, including RADIUS applications. For more information, see NAC Integration with the Wireless WLAN on page 24. DAS support is available to all physical interfaces of the controller, and by default DAS listens to the standard-specied UDP port 3799. Conguring Dynamic Authorization Server Support To Congure Dynamic Authorization Server Support:

1 From the top menu, click VNS. ExtremeWireless V10.41.06 User Guide 401 2 In the left pane, click Global > DAS. Conguring a VNS aft Figure 132: Global DAS Settings 3 In the Port box, type the UDP port you want DAS to monitor. By default, DAS is congured for the standard-specied UDP port 3799. It is unlikely this port value needs to be revised. 4 In the Replay Interval box, type how long you want DAS to ignore repeated identical messages. By default, DAS is congured for 300 seconds. This time buffer helps defend against replay network attacks. 5 To save your changes, click Save. Dening Wireless QoS Global Settings Dening the wireless QoS global settings include the following:

Conguring QoS Admission Control Thresholds on page 403 Conguring QoS Flexible Client Access on page 404 ExtremeWireless V10.41.06 User Guide 4402 Conguring a VNS Conguring QoS Admission Control Thresholds To dene Admission Control Thresholds for VNS Global Settings:

From the top menu, click VNS. 1 2 In the left pane, click Global > Wireless QoS. aft Figure 133: Wireless QoS Settings ExtremeWireless V10.41.06 User Guide 4403 Conguring a VNS 3 In the Admission Control Thresholds area, dene the thresholds for the following:

Max Voice (VO) BW for roaming streams The maximum allowed overall bandwidth on the new AP when a client with an active voice stream roams to a new AP and requests admission for the voice stream. Max Voice (VO) BW for new streams The maximum allowed overall bandwidth on an AP when an already associated client requests admission for a new voice stream. Max Video (VI) BW for roaming streams The maximum allowed overall bandwidth on the new AP when a client with an active video stream roams to a new AP and requests admission for the video stream. Max Video (VI) BW for new streams The maximum allowed overall bandwidth on an AP when an already associated client requests admission for a new video stream. Max Best Effort (BE) BW for roaming streams Max Best Effort (BE) BW for new streams Max Background (BK) BW for roaming streams The maximum allowed background bandwidth on an AP for roaming streams. D an AP for new streams. Max Background (BK) BW for new streams The maximum allowed background bandwidth on These global QoS settings apply to all APs that serve QoS enabled VNSs with admission control. raft Conguring QoS Flexible Client Access This feature allows you to adjust client access role in multiple steps between packet fairness and airtime fairness. 4 To save your changes, click Save. RRelated Links Conguring Airtime Fairness: Reservation Mode on page 406 Legacy Airtime Fairness: AP37xx on page 407 To dene exible client access for VNS global settings:

1 Go to VNS. ExtremeWireless V10.41.06 User Guide 404 2 In the left pane, click Global > Wireless QoS. Conguring a VNS raft Figure 134: Wireless QoS Settings 3 Depending on your AP model, do one of the following:

If conguring an AP37xx, select a role from the Fairness Policy drop-down list. NNote TSPEC must be disabled when using Flexible Client Access. If conguring an AP38xx or AP39xx using Reservation Mode, click Congure. The AAirtime Reservation Conguration dialog displays. Related Links Conguring Airtime Fairness: Reservation Mode on page 406 Legacy Airtime Fairness: AP37xx on page 407 ExtremeWireless V10.41.06 User Guide 405 Conguring a VNS CConguring Airtime Fairness: Reservation Mode With Airtime Reservation, reserve a percentage of air time for clients associated to a WLAN. The Airtime Reservation algorithm monitors the down link traffic from all clients. When congestion starts, the reservation algorithm guarantees that these clients have access to the air for the congured amount of time. If clients do not request to transmit, the reserved airtime is consumed by other clients. Note Airtime Reservation Mode is supported by AP38xx and AP39xx models. The legacy Flexible Client Access feature continues to support AP37xx models. Conguring Airtime Reservation Mode may cause the AP to reboot. 1 Go to VNS > Global > Wireless QoS. 2 Click Congure The AAirtime Reservation Conguration dialog displays. D raft Figure 135: Airtime Reservation Conguration Dialog ExtremeWireless V10.41.06 User Guide 406 Conguring a VNS 3 Select the percentage of airtime for each WLAN. Airtime Reservation conguration rules:

Four WLAN services associated with a controller can be congured with Airtime Reservation. The total Airtime Reservation of four WLAN services is limited to 80 percent of the total. The remaining 20 percent of the total time is reserved for the other WLAN services. If a WLAN service with Airtime Reservation is associated to a radio, the QCA ATF module is turned on, and the AP will restart in order to load the ATF module. The number of clients supported by QCA ATF is 50. If the radio does not have a WLAN service with Airtime Reservation associated, the QCA ATF module is turned off. When congured, Airtime Fairness percentage displays on the WWLAN Assignment page for the AP. When Mesh and WDS is congured, the rst WLAN gets 20 percent of the available channel airtime. The other clients on the radio channel get the remaining airtime. This takes co-channel interference into account. If there is 50 percent interference, WLAN1 gets 20 percent of the available 50 percent. D Conguring QoS Flexible Client Access on page 404 Legacy Airtime Fairness: AP37xx on page 407 This topic outlines the legacy Airtime Fairness behaviour that is supported by AP37xx. Airtime Fairness Reservation Mode, is supported by AP38xx and AP39xx models. Legacy Airtime Fairness is described as:

Packet fairness is the default 802.11 access role. Each WLAN participant gets the same (equal) opportunity to send packets. All WLAN clients will show the same throughput, regardless of their PHY rate. raft Note Flexible Client Access may not work if Global Admission Controls for Voice and Video

(Advanced QoS settings) are enabled. Airtime fairness gives each WLAN participant the same (equal) time access. WLAN clients throughput will be proportional to their PHY rate. Related Links Legacy Airtime Fairness: AP37xx Related Links Conguring Airtime Fairness: Reservation Mode on page 406 Conguring QoS Flexible Client Access on page 404 Working with Bandwidth Control Proles Bandwidth control limits the amount of bidirectional traffic from a mobile device. A bandwidth control prole provides a generic denition for the limit applied to certain wireless clients' traffic. A bandwidth control prole is assigned on a per role basis. A bandwidth control prole is not applied to multicast traffic. ExtremeWireless V10.41.06 User Guide 407 Conguring a VNS A bandwidth control prole consists of the following parameters:

Prole Name Name assigned to a prole Committed Information Rate (CIR) Rate at which the network supports data transfer under normal operations. It is measured in kilo bits per second (Kbps). The bandwidth control proles you dene on the Global Settings screen are displayed as available choices in the Bandwidth Control Proles list on the Classes of Service screen. To create a bandwidth control prole:

From the top menu, click VNS. 1 2 In the left pane, click Global > Bandwidth Control. D raft Figure 136: Global Bandwidth Control Proles 3 Provide a Prole Name for the bandwidth control prole. 4 Provide the Average Rate (CIR) value for the bandwidth control prole. 5 Click Add Prole. The prole is created and displayed in the Bandwidth Control Proles list. 6 Create additional bandwidth control proles, if applicable. 7 Click Save. Conguring the Global Default Policy The controller ships with a Global Default Policy that can be congured. The Global Default Policy species:

A topology to use when a VNS is created using a role that does not specify a topology. The default assigned topology is named Bridged at AP untagged. ExtremeWireless V10.41.06 User Guide 4408 Conguring a VNS A set of lters. Conguring the Topology and Rate Proles To congure the topology and rate proles:

From the top menu, click VNS. The Virtual Network Conguration screen displays. 1 2 In the left pane, click Global > Default Role. 3 Select the VLAN & Class of Service tab. aft 4 In the Default Action area, select a VLAN using one of the following methods:

Select an existing VLAN from the drop-down list. Select an existing VLAN from the drop-down list, then click Edit. The EEdit Topology window displays, showing the current values for the selected topology. Click New. The NNew Topology window displays. Figure 137: Default Role Settings Edit or create the selected topology as described in Conguring a Basic Data Port Topology on page 266. 5 Select an Invalid Role Action from the one of the following:

Select Apply VNS Default Role. Select Allow All traffic. Select Deny All traffic. 6 Click Save. ExtremeWireless V10.41.06 User Guide 409 Conguring a VNS Conguring the Filters To congure the lters:

1 Click the PPolicy Rules tab. The RRules tab displays, allowing you to create policy rules that will be applied by the controller when default non-authentication role does not specify lters. aft Figure 138: Default Role Settings 2 To add a rule, click Add. For more information, see Policy Rules on page 288. 3 To congure custom AP lters, select AP Filtering and Custom AP Rules then click the Custom AP rules tab. For more information, see Dening Policy Rules for Wireless APs on page 298. Related Links Understanding the Filter Rule Denition Dialog on page 302 L7 Conguration on page 307 Conguring Egress Filtering Mode The controller can be congured to support Policy Managers Egress Role mode. Egress Role refers to taking the ingress lters assigned to a port, exchanging the source and destination addresses with each other in each role rule and applying the result to the traffic egressing the port. ExtremeWireless V10.41.06 User Guide 410 Conguring a VNS The ExtremeWireless solution applies egress ltering mode to WLAN services. When egress ltering is enabled, any role that is applied to a station on the WLAN service will have its outbound lters replaced with rules in which the source and destination addresses of the inbound lters are swapped. The same role can be assigned to stations on WLAN services that have egress ltering mode enabled and on WLAN services that have it disabled. For stations that are on WLAN services with egress ltering mode enabled, the roles outbound lters will be replaced by ones derived from the inbound policy rules. For stations that are on WLAN services with egress ltering disabled, the outbound lters of the role will be applied as dened. In other words the same role can be applied in two different ways at the same time, based on the egress lter mode settings of the WLAN services it is used with. The global Egress Filtering Mode setting overrides the individual WLAN service Egress Filtering Mode setting. By default, the global setting is set to Use WLAN. In this mode, egress ltering can be enabled for some WLAN services and not others. Set the Egress Filtering Mode setting from the Advanced conguration dialog of each WLAN service. D RRule-Based Redirection Rule-based redirection requires explicit enablement. For new installations, Rule-based Redirection is enabled by default. For upgrades from releases prior to v10.11, ExtremeWireless preserves the previous captive portal redirection method of triggering redirect off denied HTTP/HTTPS for non-

authenticaticated roles. For more information, see Rule-Based Redirection on page 289. Changing the global setting does not alter each individual WLAN egress ltering mode setting, although the global setting can override the individual setting. Changing the global setting does not alter the outbound policy rules of each role. Each roles policy rules are stored on the controller as they were entered. Changing the global egress ltering mode ag does, however, affect how a roles rules are interpreted when they are applied. raft Note The option to disable Rule-based Redirection is available for backward capability only. ExtremeWireless V10.41.06 User Guide 411 Conguring a VNS D Figure 139: Enabling Rule-based Redirection RRelated Links Conguring the In/Out Rules for WLAN Services Settings on page 412 Rule-Based Redirection on page 289 Conguring the In/Out Rules for WLAN Services Settings To congure the Egress Filtering Mode:

1 From the top menu, click VNS. The VVirtual Network Conguration screen displays. raft ExtremeWireless V10.41.06 User Guide 412 Conguring a VNS 2 In the left pane, click Global > Filtering Mode. The Egress Filtering Mode Conguration screen displays. D 3 Select an egress ltering mode:

Figure 140: Egress Filtering Mode outbound lters on egress traffic exactly as they are dened in the role. All WLAN Services enforce explicitly dened Out rules All WLAN services enforce All WLAN Services apply In policy rules to Out direction traffic All WLAN services enforce that outbound policy rules that are explicitly dened in the role are overridden by a set of rules created by copying each inbound role rule and swapping the source and destination address roles in the rule. raft Note The Use WLAN Service setting is recommended. If you are using Policy Manager, congure each WLAN Services Egress ltering option directly from Policy Manager. Enabling Egress Filtering on a WLAN Service port in Policy Manager is equivalent to setting Apply In rules to Out direction traffic in the WWLAN Services Advanced dialog. Use WLAN Service setting Each roles rules are interpreted in accordance with the Egress Filtering Mode setting of each WLAN Service on which the role is applied. In this mode, it is possible that a roles rules can be interpreted in two different ways at the same time, if it is used simultaneously on a WLAN service that has Enforce explicitly dened Out rules enabled and on a WLAN service that has Apply In rules to Out direction traffic at the same time. ExtremeWireless V10.41.06 User Guide 413 Conguring a VNS 4 Select Rule-based Redirection to enable redirection based on congured policy rules after a packet is denied. For more information, see Rule-Based Redirection on page 289. Upgrade considerations for default Rule-based Redirection setting:

This setting is enabled for the following installation scenarios:

For new installations of ExtremeWireless v10.11 or later When upgrading from ExtremeWireless v10.11 or later For factory resets of ExtremeWireless v10.11 or later When upgrading from a previous version of ExtremeWireless, this check box is cleared, and Rule-

based Redirection is disabled. RRelated Links Conguring Egress Filtering Mode on page 410 Rule-Based Redirection on page 289 Managing Redirection URLs on page 421 D Using the Sync Summary The SSync Summary screen provides an overview of the synchronization status of paired controllers. raft ExtremeWireless V10.41.06 User Guide 414 Conguring a VNS aftThe screen is divided into ve sections: Virtual Networks, WLAN services, Roles, Classes of Service, and If Synchronization of an object is not enabled, then there is a button in the Status eld which says Synchronize Now, which performs a single synchronization of the object, pushing the object from local controller to the peer. Topologies. Each section lists the name of the corresponding conguration object, its synchronization mode, and the status of last synchronization attempt. If Synchronization of an object is enabled, then the Status eld can have the following values:

Synchronized Not Synchronized Failed Conict (with a button called Resolve) The Synchronize System Conguration check box acts as a global synchronization ag. When it's disabled, synchronization is not performed in the background. When it is enabled, only the objects that have Sync enabled are synchronized. ExtremeWireless V10.41.06 User Guide 415 Conguring a VNS An object may have a synchronization state of Conict if it was updated on both controllers in the availability pair while the availability link was down. In such a case, the Resolve button lets you choose which version of the object should be taken, local or remote. Please note that controllers don't compare the actual conguration when they declare a conict only the fact that the object was updated on both controllers in the availability pair triggers the Conict state. Using NAC Integration NAC Integration provides the ability to forward DHCP traffic from a controller to a congured NAC server. When a controller is congured to be a topologys DHCP server, or a relay for a topology, and this feature is enabled, traffic is forwarded to the NAC server. The NAC Integration Options screen provides a list of NAC servers that will accept DHCP messages from the controller. A maximum of three address can be entered and only one address can be entered for each NAC Server. To stop DHCP forwarding, all congured NAC servers need to be deleted from the list. The screen lists the NAC Server, NAC Name and IP Address. The screen provides the ability to add a new server or delete an existing entry. D raft Figure 141: NAC Integration Settings Adding a New NAC Server Destination From the top menu, click VNS. 1 2 In the left pane, click Global > NAC Integration. ExtremeWireless V10.41.06 User Guide 416 Conguring a VNS 3 Click New. The NNAC DHCP Receiver Address dialog appears. Using Client Login 4 For Nac Server Name, enter a name for the NAC Server. This is an optional step, but it helps to identify a specic server. D 5 For Address for DHCP Traffic, enter the IPv4 address for DHCP Traffic. 6 Click OK. This autologin behavior is incompatible with deployments that need to direct all wireless users to a specic web page after the login completes. Using the Client Autologin feature provides conguration options to control autologin behavior. When a client uses a device that provides autologin capabilities, an attempt is made to detect whether the device needs to authenticate to a captive portal to gain network access via the controller. If the device determines that captive portal authentication is required, a login dialog is displayed. After logging in, access is granted and the browser window closes. raft Figure 142: Global Client Autologin ExtremeWireless V10.41.06 User Guide 417 Conguring a VNS Selecting a Client Autologin Option From the top menu, click VNS. 1 2 In the left pane, click Global > Client Autologin. The CClient Autologin Handling screen displays. 3 Select from one of the following options:

When Autologin is set to Hide the captive portal from Autologin detector, the server is spoofed and creates the impression that there is no captive portal. This is the default option. When Autologin is set to Redirect detection messages to the Captive Portal, the client detects the captive portal and prompts the user to login. When Autologin is set to Drop detection messages, the controller ignores the connection request and drops the client. 4 Click Save to save the desired option. D Using Topology Group Algorithm Tunneled station traffic is forwarded from the AP to the controller as if the groups were plain topologies. The controller provides minimum support to use only tunneled topology groups (B@AC, routed). The controller will run the Topology Group Algorithm and will not forward the mapping table to the AP. Go to VNS > Global > Topology Group Algorithm. raft Figure 143: Topology Group Algorithm The following algorithms are available for selecting a member topology from a Topology Group:

MAC-Based: This algorithm always assigns a client to the same topology within the topology group. Round Robin: The list is considered ordered; start at the top of the list. The next assignment is the next topology on the list; wrap around at the bottom. Random Selected: Random number selected from a uniform distribution mod the number of topologies in the topology group. Least Used: Assign a topology in the topology group with the least number of stations assigned to it at the moment of assignment. ExtremeWireless V10.41.06 User Guide 418 Conguring a VNS Using Netow/MirrorN Use Netow to forward packet information. Integration with ExtremeAnalytics no longer requires Netow/MirrorN. See ExtremeAnalytics Support with Enhanced IPFIX Records on page 419 for more information. D Figure 144: Netow/MirrorN The following conguration items are supported:

Netow Export-Destination IP Address: Congure the ExtremeAnalytics engine IP to receive Netow records. Netow Export Interval: Congure the Netow sending interval for same ow. The default value is 60. It will support from 30 to 360 seconds. Mirror rst N: Congure the MirrorN rst N packets. It is a global setting per controller and all raft Congure the mirror port on the controller. The default value is None. The other l2 ports can only be selected when it is not referred elsewhere (lag, topologies). APs (per link). Default setting is 15. Traffic Mirror L2 Port:

ExtremeAnalytics Support with Enhanced IPFIX Records ExtremeWireless leverages and integrates with ExtremeAnalytics for decoding, detection, collection of Metadata, and scrutinization of Layer 7 data. The solution functions by rst enabling WLAN Services on the wireless controller to forward packets to the ExtremeAnalytics engine. This feature requires ExtremeAnalytics 7.0.8 or later. Depending on your topology, the controller and the AP can inspect the ow, generate the application ID and round trip time (RTT), and format the IPFIX record. With B@AP, the AP sends the IPFIX record to the controller via a WASSP tunnel and then the controller exports the record to ExtremeAnalytics. With B@AC, the controller exports the IPFIX record to ExtremeAnalytics directly. ExtremeWireless V10.41.06 User Guide 419 Conguring a VNS The IPFIX packets provide all the standard information found in a Netow v9 packet with enhanced IPFIX parameters. The standard packet includes source and destination IP addresses, ports, protocol, and packet counter information. The enhanced IPFIX records include the application group ID, display ID, the DNS and TCP round trip times (RTT), and ow metadata (which is part of the URL to help classify the ow). The enhanced IPFIX records that the controller sends, releases the dedicated MirrorN port and reduces ExtremeAnalytics CPU resources previously used to identify the application. IPFIX record templates are supported for IPv4 and IPv6. Upgrades retain NETFLOW conguration, delivering enhanced records. Netow with IPFIX reporting is disabled by default. Live Signature Update ExtremeWireless supports Live Signature Update to synchronize standard application signatures with ExtremeAnalytics. Through the use of Live Signature Update, the ExtremeWireless controller and its connected APs receive standard signature updates and custom signatures from ExtremeAnalytics. D ExtremeAnalytics users download the updated signature list to ExtremeWireless through the CLI. Once downloaded, the signatures are available for conguration in role lters using L7 Application Rules, and the new signatures are automatically propagated to all attached APs. Both standard and custom signatures are updated. When conguring applications from ExtremeAnalytics, you can dene a custom application and custom group. When conguring applications from ExtremeWireless, you can dene a custom application specifying a pre-congured ExtremeAnalytics group. The following is the maximum number of custom signatures that can be supported simultaneously:

ExtremeAnalytics 512 signatures ExtremeWireless 64 signatures raft During a conguration import, if ExtremeWireless encounters a lter with a group or application name that is not recognized, ExtremeWireless converts the group to the predened Unknown Apps group and the application name to Undened. A log le is generated to alert the administrator. The original group and application name are lost. A new signature set is applied to the group and the application is re-

dened. The latest downloaded signature les are saved in permanent storage on both the controller and the AP and will remain intact after software upgrades and system restarts. CLI Command: copy signature (<server> <user> <dir> <file> [ftp

<ftp_password> | scp <scp password>]) | show For more information about the ExtremeWireless CLI, see the CLI Guide. NNote Live Signature Update is supported when using the following software and AP models:

ExtremeWireless v10.41 on-premise with the following AP models: AP3805, AP3825, and AP39xx models. This feature does not support APs connected to ExtremeCloud. ExtremeAnalytics v8.1 or later. It can be ported to v8.0.x branch earlier) with ExtremeAnalytics and the appropriate licenses. ExtremeWireless V10.41.06 User Guide 420 Conguring a VNS RRelated Links Deleted Signature Support on page 421 L7 Conguration on page 307 Including Custom Apps on page 313 Conguring Policy Rules on page 298 Allowing for Restricted Sets of Applications and Resources on page 311 Deleted Signature Support Deleted signature support If a signature that is used in an L7 Application Rule is deleted by Live Signature Update, ExtremeWireless does not delete the lter, but displays the ID of the application and the group instead of the text names, see Figure 145. The display of the ID number indicates that the signature has been deleted. You can delete the lter rule or recongure the rule with a different signature. Application lters that employ deleted signatures will not match any network traffic and the lter is treated as NULL. D If the deleted signature is included again through a signature update, the ExtremeWireless user interface automatically replaces the ID numbers with text names. raft Figure 145: L7 Application Filter Rule with Deleted Signature Related Links Live Signature Update on page 420 Managing Redirection URLs Congure a list of redirection URLs from the Redirection URL dialog. You can add and delete a URL. Note To display the Redirection URL option, enable Rule-based Redirection under Filtering Mode. For more information, see Conguring the In/Out Rules for WLAN Services Settings on page 412. The URL list can contain up to 255 proper URLs, consisting of Fully-Qualied Domain Name (FQDN) addresses and IPV4 addresses. Duplicate entries are not permitted, and you must ensure that network traffic is accessible to the required IP addresses. The name of the WLAN Service that these entries are created for is displayed on the user interface and on the command line interface. SNMP also displays the URLs when queried through the Policy Prole MIB. ExtremeWireless V10.41.06 User Guide 421 Conguring a VNS External Captive Portal URLs are not required, but when they exist, they are automatically added to the list. NNote You cannot congure Captive Portal Redirection using IPv6 classiers. While you can http to IPv6 websites, you cannot apply Captive Portal redirection to http [s] over IPv6 . For URL specications, see Adding a Redirection URL on page 422. Related Links Conguring the In/Out Rules for WLAN Services Settings on page 412 Adding a Redirection URL on page 422 Deleting a Redirection URL on page 423 Adding a Redirection URL D 1 2 Enter the URL for redirection. The RRedirection URL dialog displays. Beside the Redirection URL eld, click New. There are two ways to add a redirection URL:

Adding from the RRedirection URL list, go to VNS > Global > Redirection URL and click Add. Adding from the VVLAN & Class of Service tab, go to VNS > Roles > VLAN & Class of Service. Redirection destinations have the following specications:

Only one redirection destination per role. The redirection destination is congurable and is comprised of one of the following items:

raft Session identier or token for the station of the redirected traffic Address & port of the controller that is performing the redirection Destination URL of the redirection. The default redirection destination is 'Own WLAN'. administrator species. Using the controller interface, you can augment the Get query with the following parameters:

Note The default Redirection destination is 'Own WLAN'. The IP address and port of the destination server. In this case, the redirection is driven by the A complete URL. In this case, the redirection is driven by the HTTP Get query that the HTTP Get query from the redirected request. Related Links Managing Redirection URLs on page 421 Modifying a Redirection URL To modify a redirection URL:

ExtremeWireless V10.41.06 User Guide 422 Conguring a VNS Navigate to VNS > Global > Redirection URL, and click Edit. NNote Changes made to an existing redirection URL affect all roles using that redirection URL. Deleting a Redirection URL To delete a redirection URL:

1 Navigate to VNS > Global > Redirection URL. Methods for Conguring a VNS Note To display the Redirection URL option, enable Rule-based Redirection under Filtering Mode. For more information, see Conguring the In/Out Rules for WLAN Services Settings on page 412. D 2 Select the URL in the list to delete, and click Delete Selected.DDDNote URLs that are in use, cannot be deleted from the list. To congure a VNS, you can use one of the following methods:

Manual conguration Allows you to create a new VNS by rst conguring the topology, role, and WLAN services and then conguring any remaining individual VNS tabs that are necessary to complete the process. raft Note If you navigate away from the VNS conguration tabs without saving your VNS changes, your VNS conguration changes will be lost. When conguring a VNS, you can navigate between the various VNS tabs and dene your conguration without having to save your changes on each individual tab. After your VNS conguration is complete, click Save on any VNS tab to save your completed VNS conguration. for a minimum amount of conguration information. The VNS is created using minimum parameters. The remaining parameters are automatically assigned in accordance with best practice standards. Wizard conguration The VNS wizard helps create and congure a new VNS by prompting you After the VNS wizard completes the VNS creation process, you can then edit or revise any of the VNS conguration to suit your network needs. Manually Creating a VNS Advanced conguration allows administrators to create a new VNS once the topology, role, and WLAN services required by the VNS parameters are available. The topology, role and WLAN services could be created in advance or could be created at the time of VNS conguration. ExtremeWireless V10.41.06 User Guide 423 Conguring a VNS When you create a new VNS, additional tabs are displayed depending on the selections made in the Core box of the main VNS conguration tab. When conguring a VNS, you can navigate between the various VNS tabs and dene your conguration without having to save your changes on each individual tab. After your VNS conguration is complete, click Save on any VNS tab to save your complete VNS conguration. NNote If you navigate away from the VNS Conguration tabs without saving your VNS changes, your VNS conguration changes will be lost. The following procedure lists the steps necessary to create a VNS in advanced mode. Each step references a section in this document that describes the full details. Follow the links provided to go directly to the appropriate sections. Creating a VNS Manually D To create a VNS manually:

1 From the top menu, click VNS. The VVirtual Network Conguration screen displays. raft ExtremeWireless V10.41.06 User Guide 424 2 In the left pane, expand the Virtual Networks pane and select an existing VNS to edit, or click New. Conguring a VNS aft 3 Enter a name for the VNS. 4 Select an existing WLAN Service for the VNS, or create a new WLAN Service, or edit an existing one. For more information, see Conguring a Basic WLAN Service on page 319. 5 Congure the Default Roles for the VNS. Select existing roles, or create new roles, or edit existing ones. For more information, see Conguring a VNS on page 390. Figure 146: VNS Settings 6 Congure the Status parameters for the VNS:

Synchronize Enable automatic synchronization with its availability peer. Refer to Using the Sync Summary on page 414 for information about viewing synchronization status. If this VNS is part of an availability pair, Extreme Networks recommends that you enable this feature. Enabled Check to enable the VNS. 7 Click Save to save your changes. Also, as with creating a new VNS, you can:

ExtremeWireless V10.41.06 User Guide 425 Conguring a VNS Congure a topology for the VNS Congure a role for the VNS Congure WLAN services for the VNS Congure additional roles for the VNS Creating a VNS Using the Wizard The VNS wizard helps create and congure a new VNS by prompting you for a minimum amount of conguration information during the sequential conguration process. After the VNS wizard completes the VNS creation process, you can then continue to congure or revise any of the VNS conguration to suit your network needs. more information, see Creating a Data VNS Using the VNS Wizard on page 436. When using the VNS wizard to create a new VNS, you can create the following types of VNSs:

NAC SSID-based VNS NAC gateway-compatible VNS. The controller integrates with an Extreme Networks NAC Controller to provide authentication, assessment, remediation and access control for mobile users. For more information, see Creating a NAC VNS Using the VNS Wizard on page 426. D Spectralink, Vocera, and Mobile Connect - Nokia. For more information, see Creating a Voice VNS Using the VNS Wizard on page 428. Voice Voice-specic VNS that can support various wireless telephones, including optiPoint, Data Data-specic VNS, that can be congured to use either SSID or AAA authentication. For Captive Portal A VNS that employs a Captive Portal page, which requires mobile users to provide login credentials when prompted to access network services. In addition, use the VNS wizard to congure a GuestPortal VNS using the Captive Portal option. For more information, see Creating a Captive Portal VNS Using the VNS Wizard on page 446. raft Use the VNS wizard to congure a NAC gateway-compatible VNS by dening the following essential parameters:

VNS Name The name that will be assigned to the VNS and SSID. IP Address The IP address of the ExtremeWireless controller's interface on the VLAN. Mask The subnet mask for the IP address to separate the network portion from the host portion of The ExtremeWireless controller integrates with an Extreme Networks NAC controller to provide authentication, assessment, remediation and access control for mobile users. For more information, see NAC Integration with the Wireless WLAN on page 24. The VNS type dictates the conguration information that is required during the VNS creation process. Creating a NAC VNS Using the VNS Wizard the address. VLAN ID ID number of the VLAN to which the ExtremeWireless controller is bridged for the VNS. Port Physical L2 port to which the congured VLAN is attached. RADIUS server IP address of the NAC controller. Redirection URL The URL that points to the NAC controllers web server. The VNS wizard creates a Bridge Traffic Locally at EWC VNS. This VNS has the crucial attributes SSID Network Assignment Type, MAC-based external captive portal authentication and WPA-PSK encryption ExtremeWireless V10.41.06 User Guide 426 Conguring a VNS that makes it compatible with the NAC controller. The remaining VNS parameters are dened automatically according to best practice standards. To congure a NAC VNS using the VNS wizard:

From the top menu, click VNS. 1 2 In the left pane, click New > START VNS WIZARD. D 3 In the Name box, type a name for the NAC SSID-based VNS. 4 In the Category drop-down list, click NAC VNS, and then click Next. raft ExtremeWireless V10.41.06 User Guide 4427 Conguring a VNS Table 74: NAC-compatible VNS Page - Fields and Buttons FField/Button Description IP Address Mask Interface VLAN ID Type the IP address of the ExtremeWireless Appliance's interface on the VLAN. Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0). From the drop-down list, select the physical port that provides the access to the VLAN. Type the VLAN tag to which the ExtremeWireless Appliance will be bridged for the VNS. Hostname/IP Shared Secret NAS D Server Alias From the drop-down list, click the interface/port through which the NAC gateway will communicate with the ExtremeWireless Appliance. The IP address in this eld will be used as the NAS IP RADIUS attribute when communicating with the NAC gateway. NAC Server Type the name or IP address of the NAC server. Type the NAC servers FQDN (fully qualied domain name) or IP address. Type the password that will be used to validate the connection between the ExtremeWireless Appliance and the NAC server. To proofread your shared secret key, click Unmask. The password is displayed. raft Note: You should always proofread your Shared Secret key to avoid any problems later when the wireless appliance attempts to communicate with the NAC controller. Type the NAC web server IP address. The VNS wizard creates a SSID-based NAC controller-compatible VNS, and displays the conguration summary. 6 To close the VNS wizard, click Close. If applicable, you can continue to congure or edit the new VNS by clicking the individual VNS conguration tabs. NAC web server IP 5 To save your changes, click Finish. Creating a Voice VNS Using the VNS Wizard Use the VNS wizard to create a voice-specic VNS that can support various wireless telephones, including optiPoint, Spectralink, Vocera, and Mobile Connect - Nokia. When you use the VNS wizard to create a voice-specic VNS, you optimize the voice VNS to support one wireless telephone vendor. If the voice VNS needs to be optimized for more than one wireless phone vendor, use the advanced method to create the voice-specic VNS. For more information, see Enabling and Disabling a VNS on page 485. When you create a new voice VNS using the VNS wizard, you congure the VNS in the following stages:

ExtremeWireless V10.41.06 User Guide 428 Conguring a VNS Basic settings Authentication settings, if applicable DHCP settings Privacy settings Radio assignment settings Summary To congure a Voice VNS using the VNS Wizard:

From the top menu, click VNS. The VVirtual Network Conguration screen displays. 1 2 In the left pane, expand the New pane, then click START VNS WIZARD. The VVNS Creation Wizard screen displays. D raft 3 In the Name box, type a name for the voice VNS. 4 In the Category drop-down list, click Voice. 5 Click Next. The Basic Settings screen displays. Creating a Voice VNS Using the VNS Wizard - Basic Settings Screen The BBasic Settings screen displays:

ExtremeWireless V10.41.06 User Guide 429 Conguring a VNS D Table 75: Voice VNS Basic Settings Page - Fields and Buttons FField/Button Description By default, the Enabled check box for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic. raft Click the VNS Mode you want to assign:

Routed is a VNS type where user traffic is tunneled to the Click the wireless phone you want to support for the new voice VNS you are creating. Bridge Traffic Locally at EWC is a VNS type that has By default, the Synchronize check box for the new VNS is disabled. Identies the SSID assigned to the VNS. Identies the name of the VNS. Identies the VNS category. controller. associated with it a Topology with a mode of Bridge Traffic Locally at EWC. User traffic is tunneled to the controller and is directly bridged at the controller to a specic VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at EWC VNS that is created, a VLAN needs to be specied. In addition, the network port on which the VLAN is assigned must be congured on the switch, and the corresponding controller interface must match the correct VLAN. Enabled Synchronize Name Category SSID Type Mode Routed Voice VNS ExtremeWireless V10.41.06 User Guide 430 Conguring a VNS Table 75: Voice VNS Basic Settings Page - Fields and Buttons (continued) FField/Button Description Gateway Mask Type the controller's own IP address of the topology associated with that VNS. This IP address is also the default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the controller's interface in their effort to route packets to an external host). Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0). Gateway/SVP Vocera Server D PBX Server Enable Authentication If the voice VNS is to support Spectralink wireless phones, type the IP address of the SpectraLink Voice Protocol (SVP) gateway. If the voice VNS is to support Vocera wireless phones, type the IP address of the Vocera server. By default, this option is selected. Type the IP address of the controllers interface on the VLAN. Click the physical interface that provides the access to the VLAN. If applicable, select this check box to enable authentication for the new voice VNS. If the voice VNS is to support either WL2 or Mobile Connect - Nokia wireless phones, type the PBX IP address. raft Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0). If the voice VNS is to support Spectralink wireless phones, type the IP address of the SpectraLink Voice Protocol (SVP) gateway. If the voice VNS is to support either WL2 or Mobile Connect - Nokia wireless phones, type the PBX IP address. If the voice VNS is to support Vocera wireless phones, type the IP address of the Vocera server. Type the VLAN tag to which the controller will be bridged for the VNS. If applicable, select this check box to enable authentication for the new voice VNS. Enable DHCP Interface Interface IP Mask VLAN ID Gateway/SVP Vocera Server PBX Server Enable Authentication Bridge Traffic Locally- Voice VNS Enable DHCP If applicable, select this check box to enable DHCP authentication for the new voice VNS. Click Next. The Authentication screen displays. Creating a Voice VNS Using the VNS Wizard - Authentication Settings Screen The AAuthentication screen displays:

ExtremeWireless V10.41.06 User Guide 431 Conguring a VNS D Table 76: Voice VNS Authorization Page - Fields and Buttons FField/Button Description Type a name you want to assign to the new RADIUS server. Click the RADIUS server you want to assign to the new voice VNS, or click Add New Server and then do the following raft Select the authentication role options for the RADIUS server:

MAC-based Authentication Select to enable the RADIUS server to perform MAC-based authentication on the voice VNS. If applicable, and the MAC-based authentication option is Type either the RADIUS servers FQDN (fully qualied domain name) or IP address. Type the password that will be used to validate the connection between the controller and the RADIUS server. enabled, select to enable MAC-based authorization on roam. Click to display or hide your shared secret key. Click the RADIUS server you want to assign to the new data VNS, or click Add New Server and then do the following Type a name you want to assign to the new RADIUS server. Radius Server Server Alias Hostname/IP Shared Secret Mask/Unmask Roles Radius Server Server Alias Click Next. The DHCP screen displays. Creating a Voice VNS Using the VNS Wizard - DHCP Screen The DDHCP screen displays:

ExtremeWireless V10.41.06 User Guide 432 Conguring a VNS D Table 77: Voice VNS DHCP Page - Fields and Buttons FField/Button Description DHCP Option raft From the drop-down list, click one of the following:

Use DHCP Relay Using DHCP relay forces the controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure. which DHCP discover and request messages will be forwarded for clients on this VNS. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server. The DHCP server must be congured to match the VNS settings. In particular for a Routed VNS, the DHCP server must identify the controller's interface IP as the default Gateway (router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.) Local DHCP Server If applicable, edit the local DHCP DHCP Servers Type the IP address of the DHCP server to server settings. DNS Servers WINS Type the IP Address of the Domain Name Servers to be used. Type the IP address if the DHCP server uses Windows Internet Naming Service (WINS). Click Next. The Privacy screen displays. ExtremeWireless V10.41.06 User Guide 433 Creating a Voice VNS Using the VNS Wizard - Privacy Screen The PPrivacy screen displays:

Conguring a VNS D 1 Most options on this screen are view-only, but you can do the following:

Pre-shared key Type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key. Mask/Unmask Click to display or hide your shared secret key. 2 Click Next. The Radio Assignment screen displays. raft Creating a Voice VNS Using the VNS Wizard - Radio Assignment Screen The RRadio Assignment screen displays:

ExtremeWireless V10.41.06 User Guide 434 Conguring a VNS D Table 78: Voice VNS Radio Assignment Page - Fields and Buttons FField/Button Description AP Default Settings Select the radios of the AP default settings prole that you want to broadcast the voice VNS. raft Select the group of APs that will broadcast the voice VNS:

all radios Click to assign all of the APs radios. radio 1 Click to assign only the APs Radio 1. radio 2 Click to assign only the APs Radio 2. local APs - all radios Click to assign only the local APs. local APs - radio 1 Click to assign only the local APs Radio 1. local APs - radio 2 Click to assign only the local APs Radio 2. foreign APs - all radios Click to assign only the foreign APs. foreign APs - radio 1 Click to assign only the foreign APs Radio 1. foreign APs - radio 2 Click to assign only the foreign APs Radio 2.

(Wi-Fi Multimedia) If enabled on an individual VNS, provides multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. If enabled, the AP will accept WMM client associations, and will classify and prioritize the out traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic. Radio 1 / Radio 2 AP Selection Select APs WMM Click Next. The Summary screen displays. ExtremeWireless V10.41.06 User Guide 435 Creating a Voice VNS Using the VNS Wizard - Summary Screen The SSummary screen displays:

Conguring a VNS D conguration tabs. 1 Conrm your voice VNS conguration. To revise your conguration, click Back. 2 To create your VNS, click Finish, and then click Close. 3 If applicable, you can continue to congure or edit the new VNS by clicking the individual VNS raft When you create a new data VNS using the VNS wizard, you congure the VNS in the following stages:

Basic settings Authentication settings DHCP settings Filter settings Privacy settings Radio assignment settings Summary Use the VNS wizard to create a data-specic VNS that can be congured to use either SSID or AAA authentication. Creating a Data VNS Using the VNS Wizard To congure a data VNS using the VNS wizard:

1 From the top menu, click VNS. The VVirtual Network Conguration screen displays. ExtremeWireless V10.41.06 User Guide 436 Conguring a VNS 2 In the left pane, expand the New pane, then click START VNS WIZARD. The VVNS Creation Wizard screen displays. D 3 In the Name box, type a name for the data VNS. 4 In the Category drop-down list, click Data. 5 Click Next. The Basic Settings screen displays. raft Creating a Data VNS Using the VNS Wizard - Basic Settings Screen The BBasic Settings screen displays:

ExtremeWireless V10.41.06 User Guide 437 Conguring a VNS Table 79: Data VNS Basic Settings Page - Fields and Buttons FField/Button Description Enabled Synchronize Name Category SSID By default, the Enabled check box for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic. By default, the Synchronize check box for the new VNS is disabled. Identies the name of the VNS. Identies the VNS category. Identies the SSID assigned to the VNS. Authentication Mode Click the type of network assignment for the VNS. There are two options for network assignment, Disabled or 802.1x. Mode D controller. Click the VNS mode you want to assign:

Routed is a VNS type where user traffic is tunneled to the Bridge Traffic Locally at AP is a VNS type where user traffic is directly bridged to a VLAN at the AP network point of access

(switch port). Bridge Traffic Locally at EWC is a VNS type where user traffic is tunneled to the controller and is directly bridged at the controller to a specic VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at EWC VNS that is created, a VLAN needs to be specied. In addition, the network port on which the VLAN is assigned must be congured on the switch, and the corresponding controller interface must match the correct VLAN. raft Type the controller's own IP address of the topology associated with that VNS. This IP address is the default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the controller's interface in their effort to route packets to an external host). Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0). This option is enabled by default if the Type is 802.1x. Routed Data VNS Gateway Mask Enable Authentication Enable DHCP By default, this option is enabled for a routed data VNS. Bridged Traffic Locally @ AP Data VNS Tagged VLAN ID Untagged Enable Authentication Select if you want to assign this VNS to a specic VLAN. Type the VLAN tag to which the controller will be bridged for the data VNS. Select if you want this VNS to be untagged. This option is selected by default. If applicable, select this check box to enable authentication for the new data VNS. This option is enabled by default if the Type is 802.1x. ExtremeWireless V10.41.06 User Guide 438 Conguring a VNS Table 79: Data VNS Basic Settings Page - Fields and Buttons (continued) FField/Button Description Bridge Traffic Locally at EWC Data VNS Interface Click the physical port that provides the access to the VLAN. Interface IP address Type the IP address of the controllers interface on the VLAN. Mask VLAN ID Enable Authentication Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0). Type the VLAN tag to which the controller will be bridged for the VNS. If applicable, select this check box to enable authentication for the new data VNS. This option is enabled by default if the Type is 802.1x. If applicable, select this check box to enable DHCP authentication for the new data VNS. Enable DHCP D Click Next. The Authentication screen displays. Creating a Data VNS Using the VNS Wizard - Authentication Screen The AAuthentication screen displays:

raft ExtremeWireless V10.41.06 User Guide 439 Conguring a VNS Table 80: Data VNS Authentication Page - Fields and Buttons FField/Button Description Radius Server Server Alias Hostname/IP Shared Secret Click the RADIUS server you want to assign to the new data VNS, or click Add New Server and then do the following Type a name you want to assign to the new RADIUS server. Type either the RADIUS servers FQDN (fully qualied domain name) or IP address. Type the password that will be used to validate the connection between the controller and the RADIUS server. Click Next. The DHCP screen displays. Creating a Data VNS Using the VNS Wizard - DHCP Screen If DHCP was enabled previously, the DDHCP screen displays:

Roles Mask/Unmask D Click to display or hide your shared secret key. Select the authentication role options for the RADIUS server:

MAC-based Authentication Select to enable the If applicable, and the MAC-based authentication RADIUS server to perform MAC-based authentication on the data VNS. option is enabled, select to enable MAC-based authorization on roam. raft ExtremeWireless V10.41.06 User Guide 440 Conguring a VNS Table 81: Data VNS DHCP Page - Fields and Buttons FField/Button Description DHCP Option In the DHCP Option drop-down list, click one of the following:

Use DHCP Relay Using DHCP relay forces the controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure. DHCP Servers If Use DHCP Relay was selected, type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server.The DHCP server must be congured to match the VNS settings. In particular for a Routed VNS, the DHCP server must identify the controller's interface IP as the default Gateway (router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.) D settings. DNS Server WINS Click Next. The Filtering screen displays. Creating a Data VNS Using the VNS Wizard - Filtering Screen The FFiltering screen displays:

Type the IP Address of the Domain Name Servers to be used. Local DHCP Server If applicable, edit the local DHCP server Type the IP address if the DHCP server uses Windows Internet Naming Service (WINS). raft ExtremeWireless V10.41.06 User Guide 441 Conguring a VNS D 1 In the Filter ID drop-down list, click one of the following:

Default Controls access if there is no matching lter ID for a user. Exception Protects access to the controllers own interfaces, including the VNSs own interface. VNS exception lters are applied to user traffic intended for the controller's own interface point on the VNS. These lters are applied after the user's specic VNS state assigned lters raft 2 In the Filter table, select the Allow or Deny option buttons for each lter if applicable, and then select the Enable check box accordingly. 3 Click Next. The Prviacy screen displays. The PPrivacy screen displays:

Creating a Data VNS Using the VNS Wizard - Privacy Screen ExtremeWireless V10.41.06 User Guide 442 Conguring a VNS D Table 82: Data VNS Privacy Page - Fields and Buttons FField/Button Description Select to congure static keys. Then enter:

WEP Key Index Click the WEP encryption key index: 1, 2, 3, or 4. raft Select an Input Method:

Input Hex type the WEP key input in the WEP Key box. The key Specifying the WEP key index is supported only for AP37XX wireless APs. Select to allow the dynamic key WEP mechanism to change the key for each user and each session. and decrypting in the WEP Key String box. The WEP Key box is automatically lled by the corresponding Hex code. Input String type the secret WEP key string used for encrypting WEP Key Length Click the WEP encryption key length: 64 bit, is generated automatically based on the input. 128 bit, or 152 bit. Static Keys (WEP) Dynamic Keys ExtremeWireless V10.41.06 User Guide 443 Conguring a VNS Table 82: Data VNS Privacy Page - Fields and Buttons (continued) FField/Button Description WPA Select to congure Wi-Fi Protected Access (WPA v1 and WPA v2), a security solution that adds authentication to enhanced WEP encryption and key management. To enable WPA v1 encryption, select WPA v.1. In the Encryption drop-

down list, select one of the following encryption types:

Auto The AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). TKIP only The AP will advertise TKIP as an available encryption protocol for WPAv1. It will not advertise CCMP. D WPA-PSK To enable WPA v2 encryption, select WPA v.2. In the Encryption drop-

down list, click one of the following encryption types:

Auto The AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). raft AES only The AP advertises CCMP as an available encryption protocol. It will not advertise TKIP. To enable re-keying after a time interval, select Broadcast re-key interval, then type the time interval after which the broadcast encryption key is changed automatically. The default is 3600. If this check box is not selected, the Broadcast encryption key is never changed and the AP will always use the same broadcast key for Broadcast/Multicast transmissions. This will reduce the level of security for wireless communications. To enable the group key power save retry, select Group Key Power Save Retry. The group key power save retry is supported only for AP37XX wireless APs. In the Pre-shared key box, type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key. Mask/Unmask Click to display or hide your shared secret key. Click Next. The Radio Assignment screen displays. Creating a Data VNS Using the VNS Wizard - Radio Assignment Screen The RRadio Assignment screen displays:

ExtremeWireless V10.41.06 User Guide 444 Conguring a VNS D Table 83: Data VNS Radio Assignment Page - Fields and Buttons FField/Button Description Select the radios of the AP default settings prole that you want to broadcast the data VNS. raft Select the group of APs that will broadcast the data VNS:

all radios Click to assign all of the APs radios. radio 1 Click to assign only the APs Radio 1. radio 2 Click to assign only the APs Radio 2. local APs - all radios Click to assign only the local APs. local APs - radio 1 Click to assign only the local APs Radio 1. local APs - radio 2 Click to assign only the local APs Radio 2. foreign APs - all radios Click to assign only the foreign APs. foreign APs - radio 1 Click to assign only the foreign APs Radio 1. foreign APs - radio 2 Click to assign only the foreign APs Radio 2. AP Default Settings Radio 1 / Radio 2 AP Selection Select APs WMM

(Wi-Fi Multimedia), if enabled on an individual VNS, provides multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic. Click Next. The Summary screen displays. Creating a Data VNS Using the VNS Wizard - Summary Screen The SSummary screen displays:

ExtremeWireless V10.41.06 User Guide 445 Conguring a VNS D The data VNS is created and saved. 3 If applicable, you can continue to congure or edit the new VNS by clicking the individual VNS 1 Conrm your data VNS conguration. To revise your conguration, click Back. 2 To create your VNS, click Finish, and then click Close. conguration tabs. If the controller is congured to be part of an availability pair, you can chose to synchronize the VNS on the secondary controller. See Availability and Session Availability on page 537 for more information. raft Use the VNS wizard to create a Captive Portal VNS. A Captive Portal VNS employs an authentication method that uses a Web redirection which directs a mobile user's Web session to an authentication server. Typically, the mobile user must provide their credentials (user ID, password) to be authenticated. You can create the following types of Captive Portal VNSs:

Internal Captive Portal The controllers own Captive Portal authentication page congured as an editable form is used to request user credentials. The redirection triggers the locally stored authentication page where the mobile user must provide the appropriate credentials, which then is checked against what is listed in the congured RADIUS server. Creating a Captive Portal VNS Using the VNS Wizard External Captive Portal An entity outside of the controller is responsible for handling the mobile user authentication process, presenting the credentials request forms and performing user authentication procedures. The external Web server location must be explicitly listed as an allowed destination in the non-authenticated lter. Firewall Friendly External Captive Portal A Firewall Friendly External Captive Portal VNS provides wireless connections to any device on the secure side (behind the Firewall). When you create a new captive portal VNS using the VNS wizard, you congure the VNS in the following stages:

ExtremeWireless V10.41.06 User Guide 4446 GuestPortal A GuestPortal VNS provides wireless device users with temporary guest network services. Conguring a VNS Basic settings Authentication settings DHCP settings Filter settings Privacy settings Radio assignment settings Summary review Related Links Creating an Internal Captive Portal VNS on page 447 Creating an External Captive Portal VNS on page 456 Creating a Firewall Friendly External Captive Portal VNS on page 467 Creating a GuestPortal VNS on page 477 D To congure an Internal Captive Portal VNS using the VNS Wizard:

Creating an Internal Captive Portal VNS From the top menu, click VNS. The VVirtual Network Conguration screen displays. 1 2 In the left pane, expand the New pane, then click START VNS WIZARD. The VVNS Creation Wizard screen displays. raft 3 In the Name box, type a name for the Captive Portal VNS. 4 In the Category drop-down list, click Captive Portal. 5 Click Next. The Basic Settings screen displays. ExtremeWireless V10.41.06 User Guide 447 CCreating an Internal Captive Portal VNS - Basic Settings Screen The BBasic Settings screen displays:

Conguring a VNS D Table 84: Captive Portal Basic Settings Page - Fields and Buttons Field/Button Description raft By default, the Enabled check box for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic. Click the VNS Mode you want to assign:

Routed is a VNS type where user traffic is tunneled to the controller. Bridge Traffic Locally at EWC is a VNS type where user traffic is tunneled to the controller and is directly bridged at the controller to a specic VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at EWC VNS that is created, a VLAN needs to be specied. In addition, the network port on which the VLAN is assigned must be congured on the switch, and the corresponding controller interface must match the correct VLAN. Identies the SSID assigned to the VNS. Identies the name of the VNS. Click Internal Captive Portal Identies the VNS category. Enabled Name Category SSID Authentication Mode Mode Routed Internal Captive Portal ExtremeWireless V10.41.06 User Guide 448 Conguring a VNS Table 84: Captive Portal Basic Settings Page - Fields and Buttons (continued) FField/Button Description Gateway Mask Gateway Type the controller's own IP address in that VNS. This IP address is the default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the controller's interface in their effort to route packets to an external host). Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0). Message Enable Authentication D Enable DHCP Type a brief message that will be displayed above the Login button that greets the mobile device user. By default, this option is selected if the VNS Type is Internal Captive Portal, which enables authentication for the new Captive Portal VNS. Interface Interface IP address Mask VLAN ID Message Enable Authentication Enable DHCP Bridge Traffic Locally- Voice VNS Type the IP address of the controllers interface on the VLAN. Click the physical interface that provides the access to the VLAN. Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0). By default, this option is selected if the VNS Type is Internal Captive Portal, which enables DHCP authentication for the new Captive Portal VNS. raft By default, this option is selected if the VNS Type is Internal Captive Portal, which enables authentication for the new Captive Portal VNS. If applicable, select this check box to enable DHCP authentication for the new Captive Portal VNS. Type a brief message that will be displayed above the Login button that greets the mobile device user. Type the VLAN tag to which the controller will be bridged for the VNS. Click Next. The Authentication screen displays. Creating an Internal Captive Portal VNS - Authentication Screen The AAuthentication screen displays:

ExtremeWireless V10.41.06 User Guide 449 Conguring a VNS D Table 85: Captive Portal Authentication Page - Fields and Buttons FField/Button Description Type a name you want to assign to the new RADIUS server. Click the RADIUS server you want to assign to the new Captive Portal VNS, or click Add New Server and then do the following raft Select the authentication role options for the RADIUS server:

Authentication By default, this option is selected if the VNS Type either the RADIUS servers FQDN (fully qualied domain name) or IP address. Type is Internal Captive Portal, which enables the RADIUS server to perform authentication on the Captive Portal VNS. Type the password that will be used to validate the connection between the controller and the RADIUS server. MAC-based Authentication Select to enable the RADIUS server to perform MAC-based authentication on the Captive Portal VNS. If the MAC-based authentication option is enabled, select to enable MAC-based authorization on roam, if applicable. Click to display or hide your shared secret key. Accounting Select to enable the RADIUS server to perform accounting on the Captive Portal VNS. Radius Server Server Alias Hostname/IP Shared Secret Mask/Unmask Roles Click Next. The DHCP screen displays. Creating an Internal Captive Portal VNS - DHCP Screen The DDHCP screen displays:

ExtremeWireless V10.41.06 User Guide 450 Conguring a VNS D Table 86: Captive Portal DHCP Page - Fields and Buttons FField/Button Description DHCP Option In the DHCP Option drop-down list, click one of the following:

Use DHCP Relay Using DHCP relay forces the controller to raft address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server.The DHCP server must be congured to match the VNS settings. In particular for a Routed VNS, the DHCP server must identify the controller's interface IP as the default Gateway (router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.) forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure. DHCP Servers If Use DHCP Relay was selected, type the IP Local DHCP Server If applicable, edit the local DHCP server settings. DNS Server WINS Type the IP Address of the Domain Name Servers to be used. Type the IP address if the DHCP server uses Windows Internet Naming Service (WINS). Click Next. The Filtering screen displays. Creating an Internal Captive Portal VNS - Filtering Screen The FFiltering screen displays:

ExtremeWireless V10.41.06 User Guide 451 Conguring a VNS D 1 In the Filter ID drop-down list, click one of the following::

Default Controls access if there is no matching lter ID for a user. Exception Protects access to the controllers own interfaces, including the VNSs own interface. VNS exception lters are applied to user traffic intended for the ExtremeWireless Controller's own interface point on the VNS. These lters are applied after the user's specic VNS state assigned lters. raft Non-Authenticated Controls network access and also used to direct mobile users to a Captive 2 In the Filter table, select the Allow or Deny option buttons for each lter if applicable, and then select the Enable check box accordingly. The Privacy screen displays. Portal web page for login. 3 Click Next. The PPrivacy screen displays:

CCreating an Internal Captive Portal VNS - Privacy Screen ExtremeWireless V10.41.06 User Guide 452 Conguring a VNS D raft ExtremeWireless V10.41.06 User Guide 4453 Conguring a VNS Table 87: Captive Portal Privacy Page - Fields and Buttons FField/Button Description None Static Keys (WEP) Select if you do not want to assign any privacy mechanism. Select to congure static keys. Then enter:

WEP Key Index Click the WEP encryption key index: 1, 2, 3, or 4. Specifying the WEP key index is supported only for AP37XX wireless APs. WEP Key Length Click the WEP encryption key length: 64 bit, 128 bit, or 152 bit. Select an Input Method:

Input Hex type the WEP key input in the WEP Key box. The key is generated automatically based on the input. Input String type the secret WEP key string used for encrypting and decrypting in the WEP Key String box. The WEP Key box is automatically lled by the corresponding Hex code. WPA-PSK D with Cipher Block Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). Select to use a Pre-Shared Key (PSK), or shared secret for authentication. WPA-PSK (Wi-Fi Protected Access Pre-Shared key) is a security solution that adds authentication to enhanced WEP encryption and key management. WPA-PSK mode does not require an authentication server. It is suitable for home or small office. To enable WPA v1 encryption, select WPA v.1. In the Encryption drop-

down list, select one of the following encryption types:

Auto The AP will advertise both TKIP and CCMP (Counter Mode raft To enable WPA v2 encryption, select WPA v.2. In the Encryption drop-

down list, click one of the following encryption types:

Auto The AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). TKIP only The AP will advertise TKIP as an available encryption AES only The AP advertises CCMP as an available encryption protocol for WPAv1. It will not advertise CCMP. protocol. It will not advertise TKIP. To enable re-keying after a time interval, select Broadcast re-key interval. If this check box is not selected, the Broadcast encryption key is never changed and the AP will always use the same broadcast key for Broadcast/Multicast transmissions. This will reduce the level of security for wireless communications. In the Broadcast re-key interval box, type the time interval after which the broadcast encryption key is changed automatically. To enable the group key power save retry, select Group Key Power Save Retry. The group key power save retry is supported only for AP37XX wireless APs.In the Pre-shared key box, type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key. Mask/Unmask Click to display or hide your shared secret key. Click Next. The Radio Assignment screen displays. ExtremeWireless V10.41.06 User Guide 454 Conguring a VNS CCreating an Internal Captive Portal VNS - Radio Assignment Screen The RRadio Assignment screen displays:

D Table 88: Captive Portal Radio Assignment Page - Fields and Buttons Field/Button Description raft Select the group of APs that will broadcast the Captive Portal VNS:

all radios Click to assign all of the APs radios. radio 1 Click to assign only the APs Radio 1. radio 2 Click to assign only the APs Radio 2. local APs - all radios Click to assign only the local APs. local APs - radio 1 Click to assign only the local APs Radio 1. local APs - radio 2 Click to assign only the local APs Radio 2. foreign APs - all radios Click to assign only the foreign APs. foreign APs - radio 1 Click to assign only the foreign APs Radio 1. foreign APs - radio 2 Click to assign only the foreign APs Radio 2. Select the radios of the AP default settings prole that you want to broadcast the Captive Portal VNS. AP Default Settings Radio 1 / Radio 2 AP Selection Select APs WMM

(Wi-Fi Multimedia) If enabled on an individual VNS, provides multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic. Click Next. The Summary screen displays. ExtremeWireless V10.41.06 User Guide 455 Conguring a VNS CCreating an Internal Captive Portal VNS - Summary Screen The SSummary screen displays:

D 1 Conrm your data VNS conguration. To revise your conguration, click Back. 2 To create your VNS, click Finish, and then click Close. 3 If applicable, you can continue to congure or edit the new VNS by clicking the individual VNS conguration tabs. raft 1 From the top menu, click VNS. The VVirtual Network Conguration screen displays. Creating an External Captive Portal VNS To congure an external Captive Portal VNS using the VNS wizard:

ExtremeWireless V10.41.06 User Guide 456 Conguring a VNS 2 In the left pane, expand the New pane, then click START VNS WIZARD. The VVNS Creation Wizard screen displays. D 3 In the Name box, type a name for the Captive Portal VNS. 4 In the Category drop-down list, click Captive Portal. 5 Click Next. The Basic Settings screen displays. Creating an External Captive Portal VNS - Basic Settings Screen The BBasic Settings screen displays:

raft ExtremeWireless V10.41.06 User Guide 457 Conguring a VNS D Table 89: External Captive Portal Basic Settings Page - Fields and Buttons FField/Button Description Enabled Synchronize Name Category SSID Authentication Mode Mode By default, the Enabled check box for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic. raft Synchronize Enable automatic synchronization with its availability peer. Refer to Using the Sync Summary on page 414 for information about viewing synchronization status. If this VNS is part of an availability pair, Extreme Networks recommends that you enable this feature. Identies the SSID assigned to the VNS. Identies the name of the VNS. Click External Captive Portal Identies the VNS category. Click the VNS Mode you want to assign:

Routed is a VNS type where user traffic is tunneled to the controller. Bridge Traffic Locally at EWC is a VNS type where user traffic is tunneled to the controller and is directly bridged at the controller to a specic VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at EWC VNS that is created, a VLAN needs to be specied. In addition, the network port on which the VLAN is assigned must be congured on the switch, and the corresponding controller interface must match the correct VLAN. ExtremeWireless V10.41.06 User Guide 458 Conguring a VNS Table 89: External Captive Portal Basic Settings Page - Fields and Buttons

(continued) FField/Button Description Routed External Captive Portal Gateway Mask Gateway Type the controller's own IP address in that VNS. This IP address is the default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the controller's interface in their effort to route packets to an external host). Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0). EWC External Captive Portal VNS EWC Connection D Type the URL to which the wireless device user will be directed to after authentication. Type the password that is common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server. Click the controller IP address. Also type the port of the controller in the accompanying box. If there is an authentication server congured for this VNS, the external Captive Portal page on the external authentication server will send the re0quest back to the controller to allow the controller to continue with the RADIUS authentication and ltering. raft Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0). By default, this option is selected if the VNS Type is External Captive Portal, which enables authentication for the new Captive Portal VNS. By default, this option is selected if the VNS Type is External Captive Portal, which enables DHCP services for the new Captive Portal VNS. Type the VLAN tag to which the controller will be bridged for the VNS. Click the physical interface that provides the access to the VLAN. Type the IP address of the controllers interface on the VLAN. Click the controller IP address. Also type the port of the controller in the accompanying box. If there is an authentication server congured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the controller to allow the controller to continue with the RADIUS authentication and ltering. Type the URL to which the wireless device user will be directed to after authentication. Type the password that is common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server. Redirection URL Shared Secret Enable Authentication Enable DHCP Interface Interface IP address Mask VLAN ID EWC Connection Redirection URL Shared Secret ExtremeWireless V10.41.06 User Guide 459 Conguring a VNS Table 89: External Captive Portal Basic Settings Page - Fields and Buttons

(continued) FField/Button Description Enable Authentication Enable DHCP By default, this option is selected if the VNS Type is External Captive Portal, which enables authentication for the new Captive Portal VNS. If applicable, select this check box to enable DHCP authentication for the new Captive Portal VNS. Click Next. The Authentication screen displays. Creating an External Captive Portal VNS - Authentication Screen The VNS wizard displays the appropriate conguration screens, depending on your selection of the Enable Authentication and Enable DHCP check boxes. D raft Table 90: External Captive Portal Authentication Page - Fields and Buttons Field/Button Description Radius Server Server Alias Hostname/IP Shared Secret Click the RADIUS server you want to assign to the new Captive Portal VNS, or click Add New Server and then do the following Type a name you want to assign to the new RADIUS server. Type either the RADIUS servers FQDN (fully qualied domain name) or IP address. Type the password that will be used to validate the connection between the controller and the RADIUS server. ExtremeWireless V10.41.06 User Guide 460 Conguring a VNS Table 90: External Captive Portal Authentication Page - Fields and Buttons

(continued) FField/Button Description Mask/Unmask Roles Click to display or hide your shared secret key. Select the authentication role options for the RADIUS server:

Authentication By default, this option is selected if the VNS Type is External Captive Portal, which enables the RADIUS server to perform authentication on the Captive Portal VNS. MAC-based Authentication Select to enable the RADIUS server to perform MAC-based authentication on the Captive Portal VNS. If the MAC-based authentication option is enabled, select to enable MAC-based authorization on roam, if applicable. Accounting Select to enable the RADIUS server to perform accounting on the Captive Portal VNS. D Click Next. The DHCP screen displays. Creating an External Captive Portal VNS - DHCP Screen The DDHCP screen displays:

raft ExtremeWireless V10.41.06 User Guide 461 Conguring a VNS Table 91: External Captive Portal DHCP Page - Fields and Buttons FField/Button Description DHCP Option In the DHCP Option drop-down list, click one of the following:

Use DHCP Relay Using DHCP relay forces the controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure. DHCP Servers If Use DHCP Relay was selected, type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server.The DHCP server must be congured to match the VNS settings. In particular for a Routed VNS, the DHCP server must identify the controller's interface IP as the default Gateway (router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.) D settings. DNS Server WINS Click Next. The Filtering screen displays. Creating an External Captive Portal VNS - Filtering Screen The FFiltering screen displays:

Type the IP Address of the Domain Name Servers to be used. Local DHCP Server If applicable, edit the local DHCP server Type the IP address if the DHCP server uses Windows Internet Naming Service (WINS). raft ExtremeWireless V10.41.06 User Guide 462 Conguring a VNS 1 In the Filter ID drop-down list, click one of the following:

Default Controls access if there is no matching lter ID for a user. Exception Protects access to the controllers own interfaces, including the VNSs own interface. VNS exception lters are applied to user traffic intended for the controller's own interface point on the VNS. These lters are applied after the user's specic VNS state assigned lters. Non-Authenticated Controls network access and also used to direct mobile users to a Captive Portal Web page for login. 2 In the Filter table, select the Allow or Deny option buttons for each lter if applicable, and then select the Enable check box accordingly. 3 Click Next. The Privacy screen displays. CCreating an External Captive Portal VNS - Privacy Screen The PPrivacy screen displays:

D raft ExtremeWireless V10.41.06 User Guide 463 Conguring a VNS Table 92: External Captive Portal Privacy Page - Fields and Buttons FField/Button Description None Static Keys (WEP) Select if you do not want to assign any privacy mechanism. Select to congure static keys. Then enter:

WEP Key Index Click the WEP encryption key index: 1, 2, 3, or 4. Specifying the WEP key index is supported only for AP37XX wireless APs. WEP Key Length Click the WEP encryption key length: 64 bit, 128 bit, or 152 bit. D WPA-PSK Select an Input Method:

Input Hex type the WEP key input in the WEP Key box. The key is generated automatically based on the input. Input String type the secret WEP key string used for encrypting and decrypting in the WEP Key String box. The WEP Key box is automatically lled by the corresponding Hex code. with Cipher Block Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). Select to use a Pre-Shared Key (PSK), or shared secret for authentication. WPA-PSK (Wi-Fi Protected Access Pre-Shared key) is a security solution that adds authentication to enhanced WEP encryption and key management. WPA-PSK mode does not require an authentication server. It is suitable for home or small office. To enable WPA v1 encryption, select WPA v.1. In the Encryption drop-

down list, select one of the following encryption types:

Auto The AP will advertise both TKIP and CCMP (Counter Mode raft To enable WPA v2 encryption, select WPA v.2. In the Encryption drop-

down list, click one of the following encryption types:

Auto The AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). TKIP only The AP will advertise TKIP as an available encryption AES only The AP advertises CCMP as an available encryption protocol for WPAv1. It will not advertise CCMP. protocol. It will not advertise TKIP. To enable re-keying after a time interval, select Broadcast re-key interval. If this check box is not selected, the Broadcast encryption key is never changed and the AP will always use the same broadcast key for Broadcast/Multicast transmissions. This will reduce the level of security for wireless communications. In the Broadcast re-key interval box, type the time interval after which the broadcast encryption key is changed automatically. To enable the group key power save retry, select Group Key Power Save Retry. The group key power save retry is supported only for AP37XX Wireless APs. ExtremeWireless V10.41.06 User Guide 464 Conguring a VNS Table 92: External Captive Portal Privacy Page - Fields and Buttons (continued) FField/Button Description In the Pre-shared key box, type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key. Mask/Unmask Click to display or hide your shared secret key. Click Next. The Radio Assignment screen displays. Creating an External Captive Portal VNS - Radio Assignment Screen The RRadio Assignment screen displays:

D raft Select the radios of the AP default settings prole that you want to broadcast the Captive Portal VNS. Table 93: External Captive Portal Radio Assignment Page - Fields and Buttons Field/Button Description AP Default Settings Radio 1 / Radio 2 AP Selection ExtremeWireless V10.41.06 User Guide 465 Conguring a VNS Table 93: External Captive Portal Radio Assignment Page - Fields and Buttons

(continued) FField/Button Description Select APs Select the group of APs that will broadcast the Captive Portal VNS:

all radios Click to assign all of the APs radios. radio 1 Click to assign only the APs Radio 1. radio 2 Click to assign only the APs Radio 2. local APs - all radios Click to assign only the local APs. local APs - radio 1 Click to assign only the local APs Radio 1. local APs - radio 2 Click to assign only the local APs Radio 2. foreign APs - all radios Click to assign only the foreign APs. foreign APs - radio 1 Click to assign only the foreign APs Radio 1. foreign APs - radio 2 Click to assign only the foreign APs Radio 2. WMM D Click Next. The Summary screen displays. Creating an External Captive Portal VNS - Summary Screen The SSummary screen displays:

(Wi-Fi Multimedia), if enabled on an individual VNS, provides multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic. raft 1 Conrm your data VNS conguration. To revise your conguration, click Back. 2 To create your VNS, click Finish, and then click Close. ExtremeWireless V10.41.06 User Guide 466 Conguring a VNS 3 If applicable, you can continue to congure or edit the new VNS by clicking the individual VNS conguration tabs. Creating a Firewall Friendly External Captive Portal VNS To congure a Firewall Friendly External Captive Portal VNS using the VNS wizard:

From the top menu, click VNS. The VVirtual Network Conguration screen displays. 1 2 In the left pane, click New, then click START VNS WIZARD. The VVNS Creation Wizard displays. D raft 3 In the Name box, type a name for the Firewall Friendly Captive Portal VNS. 4 In the Category drop-down list, click Captive Portal. 5 Click Next. The Basic Settings screen displays. If applicable, you can continue to congure or edit the new VNS by clicking the individual VNS conguration tabs. Creating a Firewall Friendly External Captive Portal VNS - Basic Settings Screen The BBasic Settings screen displays:

ExtremeWireless V10.41.06 User Guide 467 Conguring a VNS D Table 94: Firewall Friendly External Captive Portal Basic Settings Page - Fields and Buttons FField/Button Description raft By default, the Enabled check box for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic. Click the VNS Mode you want to assign:

Routed is a VNS type where user traffic is tunneled to the Identies the SSID assigned to the VNS. Identies the name of the VNS. Click External Captive Portal Identies the VNS category. controller. Enabled Name Category SSID Authentication Mode Mode Bridge Traffic Locally at EWC is a VNS type where user traffic is tunneled to the controller and is directly bridged at the controller to a specic VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at EWC VNS that is created, a VLAN needs to be specied. In addition, the network port on which the VLAN is assigned must be congured on the switch, and the corresponding controller interface must match the correct VLAN. ExtremeWireless V10.41.06 User Guide 468 Conguring a VNS Table 94: Firewall Friendly External Captive Portal Basic Settings Page - Fields and Buttons (continued) FField/Button Description Gateway Mask Gateway Type the controller's own IP address in that VNS. This IP address is the default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the controller's interface in their effort to route packets to an external host). Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0). Redirection URL D Shared Secret Enable Authentication Type the URL to which the wireless device user will be directed to after authentication. Type the IP address of the controllers interface on the VLAN. Click the physical interface that provides the access to the VLAN. Type the password that is common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server. By default, this option is selected if the VNS Type is External Captive Portal, which enables DHCP services for the new Captive Portal VNS. By default, this option is selected if the VNS Type is External Captive Portal, which enables authentication for the new Captive Portal VNS. raft Click the controller IP address. Also type the port of the controller in the accompanying box. If there is an authentication server congured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the controller to allow the controller to continue with the RADIUS authentication and ltering. Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0). Type the URL to which the wireless device user will be directed to after authentication. Type the VLAN tag to which the controller will be bridged for the VNS. Type the password that is common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server. Enable DHCP Interface Interface IP address Mask VLAN ID EWC Connection Redirection URL Shared Secret Enable Authentication Enable DHCP By default, this option is selected if the VNS Type is External Captive Portal, which enables authentication for the new Captive Portal VNS. If applicable, select this check box to enable DHCP authentication for the new Captive Portal VNS. Click Next. The Authentication screen displays. ExtremeWireless V10.41.06 User Guide 469 Conguring a VNS CCreating a Firewall Friendly External Captive Portal VNS - Authentication Screen The VNS wizard displays the appropriate conguration screens, depending on your selection of the Enable Authentication and Enable DHCP check boxes. D Table 95: Firewall Friendly External Captive Portal Authentication Page - Fields and Buttons Field/Button Description raft Click the RADIUS server you want to assign to the new Captive Portal VNS, or click Add New Server and then do the following Type either the RADIUS servers FQDN (fully qualied domain name) or IP address. Type the password that will be used to validate the connection between the controller and the RADIUS server. Type a name you want to assign to the new RADIUS server. Click to display or hide your shared secret key. Radius Server Server Alias Hostname/IP Shared Secret Mask/Unmask Roles Select the authentication role options for the RADIUS server:

Authentication By default, this option is selected if the VNS Type is External Captive Portal, which enables the RADIUS server to perform authentication on the Captive Portal VNS. MAC-based Authentication Select to enable the RADIUS server to perform MAC-based authentication on the Captive Portal VNS. If the MAC-based authentication option is enabled, select to enable MAC-based authorization on roam, if applicable. Accounting Select to enable the RADIUS server to perform accounting on the Captive Portal VNS. Click Next. The DHCP screen displays. ExtremeWireless V10.41.06 User Guide 470 Conguring a VNS CCreating a Firewall Friendly External Captive Portal VNS - DHCP Screen The DDHCP screen displays:

D Table 96: External Captive Portal DHCP Page - Fields and Buttons Field/Button Description DHCP Option raft forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure. address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server.The DHCP server must be congured to match the VNS settings. In particular for a Routed VNS, the DHCP server must identify the controller's interface IP as the default Gateway (router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.) In the DHCP Option drop-down list, click one of the following:

Use DHCP Relay Using DHCP relay forces the controller to DHCP Servers If Use DHCP Relay was selected, type the IP Local DHCP Server If applicable, edit the local DHCP server settings. DNS Server WINS Type the IP Address of the Domain Name Servers to be used. Type the IP address if the DHCP server uses Windows Internet Naming Service (WINS). Click Next. The Filtering screen displays. ExtremeWireless V10.41.06 User Guide 471 Conguring a VNS CCreating a Firewall Friendly External Captive Portal VNS - Filtering Screen The FFiltering screen displays:

raft In the Filter ID drop-down list, click one of the following:

Default Controls access if there is no matching lter ID for a user. Exception Protects access to the controllers own interfaces, including the VNSs own interface. VNS exception lters are applied to user traffic intended for the controller's own interface point on the VNS. These lters are applied after the user's specic VNS state assigned lters. Non-Authenticated Controls network access and also used to direct mobile users to a Captive select the Enable check box accordingly. Portal Web page for login. 2 In the Filter table, select the Allow or Deny option buttons for each lter if applicable, and then 3 Click Next. The Privacy screen displays. 1 Creating a Firewall Friendly External Captive Portal VNS - Privacy Screen The Privacy screen displays:

ExtremeWireless V10.41.06 User Guide 472 Conguring a VNS D raft ExtremeWireless V10.41.06 User Guide 4473 Conguring a VNS Table 97: External Captive Portal Privacy Page - Fields and Buttons FField/Button Description None Static Keys (WEP) Select if you do not want to assign any privacy mechanism. Select to congure static keys. Then enter:

WEP Key Index Click the WEP encryption key index: 1, 2, 3, or 4. Specifying the WEP key index is supported only for AP37XX wireless APs. WEP Key Length Click the WEP encryption key length: 64 bit, 128 bit, or 152 bit. D WPA-PSK Select an Input Method:

Input Hex type the WEP key input in the WEP Key box. The key is generated automatically based on the input. Input String type the secret WEP key string used for encrypting and decrypting in the WEP Key String box. The WEP Key box is automatically lled by the corresponding Hex code. with Cipher Block Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). Select to use a Pre-Shared Key (PSK), or shared secret for authentication. WPA-PSK (Wi-Fi Protected Access Pre-Shared key) is a security solution that adds authentication to enhanced WEP encryption and key management. WPA-PSK mode does not require an authentication server. It is suitable for home or small office. To enable WPA v1 encryption, select WPA v.1. In the Encryption drop-

down list, select one of the following encryption types:

Auto The AP will advertise both TKIP and CCMP (Counter Mode raft To enable WPA v2 encryption, select WPA v.2. In the Encryption drop-

down list, click one of the following encryption types:

Auto The AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). TKIP only The AP will advertise TKIP as an available encryption AES only The AP advertises CCMP as an available encryption protocol for WPAv1. It will not advertise CCMP. protocol. It will not advertise TKIP. To enable re-keying after a time interval, select Broadcast re-key interval. If this check box is not selected, the Broadcast encryption key is never changed and the AP will always use the same broadcast key for Broadcast/Multicast transmissions. This will reduce the level of security for wireless communications. In the Broadcast re-key interval box, type the time interval after which the broadcast encryption key is changed automatically. To enable the group key power save retry, select Group Key Power Save Retry. The group key power save retry is supported only for AP37XX wireless APs. In the Pre-shared key box, type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key. ExtremeWireless V10.41.06 User Guide 474 Conguring a VNS Table 97: External Captive Portal Privacy Page - Fields and Buttons (continued) FField/Button Description Mask/Unmask Click to display or hide your shared secret key. Click Next. The Radio Assignment screen displays. Creating a Firewall Friendly External Captive Portal VNS - Radio Assignment Screen The RRadio Assignment screen displays:

aft Select the radios of the AP default settings prole that you want to broadcast the Captive Portal VNS. Table 98: External Captive Portal Radio Assignment Page - Fields and Buttons Field/Button Description AP Default Settings Radio 1 / Radio 2 AP Selection ExtremeWireless V10.41.06 User Guide 475 Conguring a VNS Table 98: External Captive Portal Radio Assignment Page - Fields and Buttons

(continued) FField/Button Description Select APs Select the group of APs that will broadcast the Captive Portal VNS:

all radios Click to assign all of the APs radios. radio 1 Click to assign only the APs Radio 1. radio 2 Click to assign only the APs Radio 2. local APs - all radios Click to assign only the local APs. local APs - radio 1 Click to assign only the local APs Radio 1. local APs - radio 2 Click to assign only the local APs Radio 2. foreign APs - all radios Click to assign only the foreign APs. foreign APs - radio 1 Click to assign only the foreign APs Radio 1. foreign APs - radio 2 Click to assign only the foreign APs Radio 2. Creating a Firewall Friendly External Captive Portal VNS - Summary Screen The SSummary screen displays:

WMM D Click Next. The Summary screen displays.

(Wi-Fi Multimedia), if enabled on an individual VNS, provides multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic. raf 1 Conrm your data VNS conguration. To revise your conguration, click Back. 2 To create your VNS, click Finish, and then click Close. ExtremeWireless V10.41.06 User Guide 476 Conguring a VNS Creating a GuestPortal VNS A GuestPortal provides wireless device users with temporary guest network services. A GuestPortal is serviced by a GuestPortal-dedicated VNS. A controller is allowed only one GuestPortal-dedicated VNS at a time. GuestPortal user accounts are administered by a GuestPortal manager. A GuestPortal manager is a login group GuestPortal managers must have their accounts created for them on the controller. For more information, see Working with GuestPortal Administration on page 690 The GuestPortal VNS is a Captive Portal authentication-based VNS that uses a database on the controller for managing user accounts. The database is administered through a simple, user-friendly graphic user interface that can be used by non-technical staff. The GuestPortal VNS can be a Routed or a Bridge Traffic Locally at the EWC VNS, with SSID-based network assignment. The GuestPortal VNS is a simplied VNS. It does not support the following:

RADIUS authentication or accounting MAC-based authorization Child VNS support D The GuestPortal VNS can be created as a new VNS or can be congured from an already existing VNS. When you create a new VNS using the VNS wizard, you congure the VNS in the following stages:

Basic settings DHCP settings Filter settings Privacy settings Radio assignment settings Summary raft A GuestPortal account ticket is a print-ready form that displays the guest account information, system requirements, and instructions on how to log on to the guest account. For more information, see Working with the Guest Portal Ticket Page on page 700. The GuestPortal VNS can be created as a new VNS or can be congured from an already existing VNS. Use the following high-level description to set up a GuestPortal on your system:

3 Congure availability, if applicable. 2 Congure the GuestPortal ticket. 1 Create a GuestPortal VNS. Availability maintains service availability in the event of a controller outage. For more information, see Availability and Session Availability on page 537. 4 Create GuestPortal manager and user accounts. For more information, see Working with GuestPortal Administration on page 690. 5 Manage your guest accounts and GuestPortal logs. For more information, see the Extreme Networks ExtremeWireless Maintenance Guide. Creating a GuestPortal VNS from an Existing VNS The GuestPortal VNS can be created as a new VNS or can be congured from an already existing VNS. A controller is allowed only one GuestPortal-dedicated VNS at a time. ExtremeWireless V10.41.06 User Guide 477 Conguring a VNS To create a GuestPortal VNS from an already sxisting VNS:

From the top menu, click VNS. The VVirtual Network Conguration screen displays. 1 2 In the left pane, select and expand the Virtual Networks pane. 3 Click on the VNS you want to congure as a GuestPortal VNS. The VNS conguration window CCore tab is displayed. 4 Select a precongured WLAN Service and click Edit, or press New to create a new WLAN Service. 5 In the Edit WLAN Service window, click the AAuth & Acct tab 6 In the Authentication Mode drop-down list, click GuestPortal. 7 To save your changes, click Save. Creating a New GuestPortal VNS Using the VNS Wizard To create a new GuestPortal VNS using the VNS Wizard:

From the top menu, click VNS. The VVirtual Network Conguration screen displays. 1 2 In the left pane, expand the New pane, and then click START VNS WIZARD. D The VVNS Creation Wizard displays. raft 3 In the Name box, type a name for the GuestPortal VNS. 4 In the Category drop-down list, click Captive Portal. 5 Click Next. The Basic Settings screen displays. Creating a New GuestPortal VNS Using the VNS Wizard - Basic Settings Screen The BBasic Settings screen displays:

ExtremeWireless V10.41.06 User Guide 478 Conguring a VNS D Table 99: Guest Portal Basic Settings Page - Fields and Buttons FField/Button Description Identies the name of the VNS. By default, the Enabled check box for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic. raft Click the VNS Mode you want to assign:

Routed is a VNS type where user traffic is tunneled to the By default, the Synchronize check box for the new VNS is disabled. Bridge Traffic Locally at EWC is a VNS type where user traffic is tunneled to the controller and is directly bridged at the controller to a specic VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at EWC VNS that is created, a VLAN needs to be specied. In addition, the network port on which the VLAN is assigned must be congured on the switch, and the corresponding controller interface must match the correct VLAN. Identies the SSID assigned to the VNS. Identies the VNS category. Click Guest Portal controller. Enabled Synchronize Name Category SSID Authentication Mode Mode Routed ExtremeWireless V10.41.06 User Guide 479 Conguring a VNS Table 99: Guest Portal Basic Settings Page - Fields and Buttons (continued) FField/Button Description Gateway Mask Gateway Type the controller's own IP address in that VNS. This IP address is the default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the controller's interface in their effort to route packets to an external host). Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0). Bridge Traffic Locally at EWC Interface Interface IP address D Mask VLAN ID Enable DHCP Click the physical interface that provides the access to the VLAN. Type the IP address of the controllers interface on the VLAN. If applicable, select this check box to enable DHCP. Type the VLAN to which the controller will be bridged for the VNS. Then, select either Untagged or Tagged. Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0). raft Click Next. The DHCP screen displays. Creating a New GuestPortal VNS Using the VNS Wizard - DHCP Screen The DDHCP screen displays:

ExtremeWireless V10.41.06 User Guide 480 Conguring a VNS Table 100: Guest Portal DHCP Page - Fields and Buttons FField/Button Description DHCP Option In the DHCP Option drop-down list, click one of the following:

Use DHCP Relay Using DHCP relay forces the controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure. DHCP Servers If Use DHCP Relay was selected, type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server.The DHCP server must be congured to match the VNS settings. In particular for a Routed VNS, the DHCP server must identify the controller's interface IP as the default Gateway

(router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.) Local DHCP Server If applicable, edit the local DHCP server settings. D DNS Server WINS Click Next. The Filtering screen displays. Creating a New GuestPortal VNS Using the VNS Wizard - Filtering Screen The FFiltering screen displays:

Type the IP Address of the Domain Name Servers to be used. Type the IP address if the DHCP server uses Windows Internet Naming Service (WINS). raft ExtremeWireless V10.41.06 User Guide 481

 

 

Conguring a VNS 1 Congure the VNS ltering settings:

a In the Filter ID drop-down list, click one of the following:

Authenticated Controls network access after the user has been authenticated. Non-authenticated Controls network access and to direct users to a Captive Portal Web page for login. 2 In the Filter table, select the Enable check box for the desired lters, then select the Allow or Deny option buttons for each lter as needed. 3 At the bottom of the Filter list, select Allow or Deny for All Other Traffic. 4 Click Next. The Privacy screen displays. Creating a New GuestPortal VNS Using the VNS Wizard - Radio Assignment Screen The RRadio Assignment screen displays:

D raft Description AP Default Settings Table 101: Guest Portal Radio Assignment Page - Fields and Buttons Field/Button Radio 1 / Radio 2 Select the radios of the AP default settings prole that you want to broadcast the Captive Portal VNS. AP Selection ExtremeWireless V10.41.06 User Guide 482 Conguring a VNS Table 101: Guest Portal Radio Assignment Page - Fields and Buttons (continued) FField/Button Description Select APs Select the group of APs that will broadcast the Captive Portal VNS:

all radios Click to assign all of the APs radios. radio 1 Click to assign only the APs Radio 1. radio 2 Click to assign only the APs Radio 2. local APs - all radios Click to assign only the local APs. local APs - radio 1 Click to assign only the local APs Radio 1. local APs - radio 2 Click to assign only the local APs Radio 2. foreign APs - all radios Click to assign only the foreign APs. foreign APs - radio 1 Click to assign only the foreign APs Radio 1. foreign APs - radio 2 Click to assign only the foreign APs Radio 2. The PPrivacy screen displays:

WMM D Click Next. The Summary screen displays. Creating a New GuestPortal VNS Using the VNS Wizard - Privacy Screen

(Wi-Fi Multimedia), if enabled on an individual VNS, provides multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic. raft ExtremeWireless V10.41.06 User Guide 483 Conguring a VNS Table 102: Guest Portal Privacy Page - Fields and Buttons FField/Button Description None Static Keys (WEP) Select if you do not want to assign any privacy mechanism. Select to congure static keys. Then enter:

WEP Key Index Click the WEP encryption key index: 1, 2, 3, or 4. Specifying the WEP key index is supported only for AP37XX wireless APs. WEP Key Length Click the WEP encryption key length: 64 bit, 128 bit, or 152 bit. D WPA-PSK Select an Input Method:

Input Hex type the WEP key input in the WEP Key box. The key is generated automatically based on the input. Input String type the secret WEP key string used for encrypting and decrypting in the WEP Key String box. The WEP Key box is automatically lled by the corresponding Hex code. with Cipher Block Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). Select to use a Pre-Shared Key (PSK), or shared secret for authentication. WPA-PSK (Wi-Fi Protected Access Pre-Shared key) is a security solution that adds authentication to enhanced WEP encryption and key management. WPA-PSK mode does not require an authentication server. It is suitable for home or small office. To enable WPA v1 encryption, select WPA v.1. In the Encryption drop-

down list, select one of the following encryption types:

Auto The AP will advertise both TKIP and CCMP (Counter Mode raft To enable WPA v2 encryption, select WPA v.2. In the Encryption drop-

down list, click one of the following encryption types:

Auto The AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). TKIP only The AP will advertise TKIP as an available encryption AES only The AP advertises CCMP as an available encryption protocol for WPAv1. It will not advertise CCMP. protocol. It will not advertise TKIP. To enable re-keying after a time interval, select Broadcast re-key interval. If this check box is not selected, the Broadcast encryption key is never changed and the AP will always use the same broadcast key for Broadcast/Multicast transmissions. This will reduce the level of security for wireless communications. In the Broadcast re-key interval box, type the time interval after which the broadcast encryption key is changed automatically. To enable the group key power save retry, select Group Key Power Save Retry. The group key power save retry is supported only for AP37XX wireless APs. ExtremeWireless V10.41.06 User Guide 484 Conguring a VNS Table 102: Guest Portal Privacy Page - Fields and Buttons (continued) FField/Button Description In the Pre-shared key box, type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key. Mask/Unmask Click to display or hide your shared secret key. Click Next. The Radio Assignment screen displays. Creating a New GuestPortal VNS Using the VNS Wizard - Summary Screen The SSummary screen displays:

D raft 1 Conrm your VNS conguration. To revise your conguration, click Back. 2 To create your VNS, click Finish, and then click Close. If the controller is congured to be part of an availability pair, you can chose to synchronize the VNS on the secondary controller. 3 If applicable, you can continue to congure or edit the new VNS by clicking the individual VNS conguration tabs. Enabling and Disabling a VNS By default, when a new VNS is created, the VNS is added to the system as an enabled VNS. A VNS can be enabled or disabled. Disabling a VNS provides the ability to temporarily stop wireless service on a VNS. The disabled VNS conguration remains in the database for future use. The controller can support the following VNSs:

ExtremeWireless V10.41.06 User Guide 485 Conguring a VNS Table 103: ExtremeWireless Appliance Active and Dened VNS Support PPlatform Dened VNSs Active VNSs C5110 C5210 C5215 C4110 C25 C35 V2110 (Small) 128 128 128 64 16 16 16 256 256 256 128 32 32 32 128 256 Renaming a VNS V2110 (Medium) 64 V2110 (Large) D From the top menu, click VNS. To enable or disable a VNS:

128 To rename a VNS:

1 2 In the left pane, expand the Virtual Networks pane and select the VNS to enable or disable. 3 On the CCore tab, in the Status box, select or de-select the Enable check box. 4 Click Save. The VNS is enabled or disabled accordingly. raft From the top menu, click VNS. 1 2 In the left pane expand the VVirtual Networks pane, then select the VNS you want to rename. 3 On the CCore tab, in the VNS Name eld, enter the new name. 4 Click Save. The VNS is renamed. You can delete a VNS that is no longer necessary. To delete a VNS:

From the top menu, click VNS. 1 2 In the left pane expand the VVirtual Networks pane, then select the VNS you want to rename. 3 On the CCore tab, click the Delete button. A pop-up window prompts you to conrm you want to Deleting a VNS delete the VNS. Click OK. 4 Click Save. The VNS is deleted. ExtremeWireless V10.41.06 User Guide 486 9 Conguring Classes of Service CClasses of Service Overview Conguring Classes of Service CoS Rule Classication Priority and ToS/DSCP Marking Rate Limiting The CoS denes actions to be taken when rate limits are exceeded. Classes of Service Overview D In general, CoS (Class of Service) refers to a set of attributes that dene the importance of a frame while it is forwarded through the network relative to other packets, and to the maximum throughput per time unit that a station or port assigned to a specic role is permitted. For more information on conguring roles, see Conguring Default VLAN and Class of Service for a Role on page 284. All incoming packets may follow these steps to determine a CoS:

Classication - identies the rst matching rule that denes a CoS. Marking - modies the L2 802.1p and/or L3 ToS based on CoS denition. Rate limiting (drop) is set. Transmit queue assignment. raft The CoS feature is a conguration entity containing QoS Marking (802.1p and ToS/DSCP), Inbound/

Outbound Rate Limiting and Transmit Queue Assignments. The CoS ToS marking capability allows for NAC-based redirection to different captive portals on the same WLAN (Wireless Local Area Network) Service. The supported CoS attributes are enforced on the controller (data plane) and on the APs. Conguring Classes of Service To congure Classes of Service:

1 From the top menu, click VNS. ExtremeWireless V10.41.06 User Guide 487 Conguring Classes of Service 2 In the left pane click Classes of Service. NNote

"No CoS" means that the traffic to which it is assigned will not be remarked, the controller software will decide the appropriate transmit queue and no rate limits will be applied on traffic traveling to or from the station to which the CoS is applied. The "No CoS" CoS is predened and cannot be removed. raft The CClass of Service conguration page displays. By default, the GGeneral tab displays. Table 104 describes the elds and buttons on the GGeneral tab. Alternately, click the New button to create a new CoS. 3 In the left pane, click the name of the Classes of Service that you want to edit. ExtremeWireless V10.41.06 User Guide 488 Conguring Classes of Service raft Priority override allows you to dene and force the traffic to a desired priority level. Priority override can be used with any combination. You can congure the service class and the DSCP values. Select this check box to use Priority Override dened in the WLAN as in previous releases. For more information, see Conguring the Priority Override on page 370. Enter a name to assign to this class of service. Table 104: General Tab - Fields and Buttons FField/Button Description Core Name Marking Use Legacy Priority Override dened in the WLAN Service 802.1p Priority Select this check box to dene how the Layer 2 priority of the packet will be marked. From the drop-down list, select Priority 0 to Priority 7. For more information, see Priority and ToS/DSCP Marking on page 491. Note:

This selection is not available if Legacy Priority Override is checked. ExtremeWireless V10.41.06 User Guide 489 Conguring Classes of Service Table 104: General Tab - Fields and Buttons (continued) FField/Button Description ToS/DSCP Marking Select this check box to dene how the Layer 3 ToS/DSCP will be marked. Enter a hexadecimal value in the 0x (DSCP:) eld, or Click the Select button to open the ToS/DSCP Conguration dialog. For more information, see Conguring ToS/DSCP Marking on page 491. Note:

This selection is not available if Legacy Priority Override is checked. Mask: 0x D Rate Limiting Inbound Rate Limit Displays the hexadecimal value to use for the ToS/DSCP value. For example, if the mask is 0xF0, then only the four most signicant bits of the ToS of the received packets are marked. So, if the received ToS is 0x33 and the ToS marking is set to 0x2A, then the resulting ToS is 0x22. Outbound Rate Limit Transmit Queue Assignment Transmit Queue Select this check box, and then select an inbound rate limit from the drop-down list or click the New button to create a new inbound rate limit prole. To edit an existing inbound rate limit prole, select the prole from the drop-down list and then click the Edit button. For more information, see Rate Limiting on page 492. raft Select this check box, and then select an outbound rate limit from the drop-down list or click the New button to create a new outbound rate limit prole. To edit an existing outbound rate limit prole, select the prole from the drop-down list and then click the Edit button. For more information, see Rate Limiting on page 492. Select this check box, and select a Transmit Queue from the drop-

down list. The Transmit Queue assignment is an override to the default TXQ assignment specied in the 802.1p priority, but without remarking the actual 802.1p eld. CoS Rule Classication Classication is the process of nding the rst matching rule that denes a CoS for an incoming packet. The order of classication is as follows:

1 Use the CoS assigned by the rst role rule matched by the packet that explicitly assigns a CoS. 2 If no CoS found, use the default CoS of the Role. 3 If still no CoS found, use the default CoS of the WLAN (for non-auth role). For inbound traffic, classication is done at the AP (if AP Filtering is enabled), otherwise it is done at the controller. For outbound traffic, classication is always done at the controller. ExtremeWireless V10.41.06 User Guide 490 Conguring Classes of Service The Rule that assigns authorization (Access Control) may not be the same rule that assigns CoS. Therefore, up to two passes are made through the policy rules for each packet. If the rst pass results in the packet being allowed a second pass will take place to classify the packet for CoS. The rst pass looks for authorization (allow, deny). The second pass classies and assigns the CoS. The number of rules reported to Policy Manager are limited to the number of rules allowed on the controller. On the controller, a single rule can contain different classication types whereas for Policy Manager this rule may be split into several rules. For example, if a rule denes an IP source address and also a ToS value, then this rule would be split into an IP type and a ToS type. Rules exceeding the limit after splitting will be dropped. From the CClass of Service General tab, click ToS/DSCP Marking. 1 2 Click the Select button. The TToS/DSCP Conguration dialog displays:

Priority and ToS/DSCP Marking After packets are classied, they are assigned a nal User Priority (UP) value. The Priority and ToS/

DSCP Marking bits to be applied to the packet is taken from the CoS and if not set, the received value

(ToS/DSCP) is used. ToS/DSCP Marking rewrites the Layer 3 Type of Service (ToS) byte. D Conguring ToS/DSCP Marking To congure ToS/DSCP marking:

raft Note Select either Type of Service (ToS) or Diffserv Codepoint (DSCP) from this dialog. You cannot congure both types. ExtremeWireless V10.41.06 User Guide 491 Conguring Classes of Service 3 If you select Type of Service (ToS):

a Select a Precedence value from the drop-down list. b Select a specic ToS from the following list:

Delay Sensitive High Throughput High Reliability Explicit Congestion Notication 4 If you select Diffserv Codepoint (DSCP):

Choose a Well-known Value, or Enter a Raw Binary Value Rate Limiting table. 9 If still no UP, use received DSCP value and map to UP with WLANs DSCP-to-UP mapping table. 5 Close the CConguration dialog. The logic used to nd the nal User Priority (UP) depends on the CoS, the received UP, or the nal ToS/

DSCP value. Here are the steps followed to determine the nal UP:

6 Use UP markings dened in CoS (directly or via Legacy UP override). 7 If still no UP, use UP from the received packet. 8 If still no UP, use DSCP marking dened in CoS and map to UP with WLANs DSCP-to-UP mapping D The Inbound and Outbound Rate Limit is enforced on a per-station basis whether the rate limit is assigned to a rule, role or WLAN. Each station has its own set of counters that are used to monitor its wireless network utilization. Traffic from other stations never count against a station's rate limits. Controllers support up to 128 system wide rate proles when managed from the controller. Each role can use a maximum of 9 inbound rate proles and 9 outbound rate proles. For each raft If two or more rules in the same role assign the same named rate prole to a station's packets, then those rules "share" the rate prole. In Figure 147, a role's rules assign both HTTP and FTP traffic to the same rate limiter. The sum of the amounts of HTTP and FTP traffic determine whether the rate limit is being exceeded. Each station gets its own set of rate limiters. So the HTTP and FTP traffic of other stations never gets counted against a station's own rate prole limits. direction there can be one rate prole assigned by the role's default CoS and 8 other rate proles assigned by the role's rules. There is no limit to how many rules allow CoS assignments as long as there are never more than 8

+ 8 rate proles assigned by Classes of Service. ExtremeWireless V10.41.06 User Guide 492 Conguring Classes of Service Figure 147: Rate Limiter Example D raft ExtremeWireless V10.41.06 User Guide 4493 10 Conguring Sites VVNS Sites Overview Conguring Sites Recommended Deployment Guidelines Radius Conguration Selecting AP Assignments Selecting WLAN Assignments VNS Sites Overview assigned, the controller preloads the APs with the server conguration used by the Site. A WLAN (Wireless Local Area Network) Assignments tab lists available WLAN Services and specic When conguring a Site prole, two additional tabs are included:

An AP Assignments tab provides a list of APs that can be assigned to a specic Site. Once an AP is D A Site is a mechanism for grouping APs and refers to specic Roles, CoS (Class of Service) and RADIUS servers that are grouped to form a single conguration. Sites allow for deployment where the authentication server is local and provides the ability to associate a new 802.1x client and to allow 802.1x clients to roam with Fast Roaming when the APs home controller is unreachable. raft Topology groups for sites is not supported. You can add a WLAN or Role to a site if it does not use a topology group. You can change the conguration of a WLAN, Role, and VNS to use a topology group, but if the WLAN, Role, or VNS is part of the Site conguration, the Site conguration will become invalid. At that point, you must remove the topology group related conguration from the site conguration. The number of sites supported on each controller model is equal to the number of APs supported. For more information, see Table 4 on page 30. radio assignments. WLAN Services can be assigned in the same way as AP Load Groups (see Conguring Co-Located APs in Load Balance Groups on page 213). Conguring Sites A site can also use any Bridged at AP, Bridged at Controller, or Routed Topology dened in the controller. Once an AP is assigned to a site, the controller will preload the AP with Topologies, Roles, CoS and RADIUS server conguration used by the site. The AP will then be able to use these conguration items even when the controller is unreachable. An AP that is part of a site that has local RADIUS client services enabled will use its own RADIUS client to do the following:

Perform all MAC-based authentication for all stations associated with it on any of the WLAN Services assigned to it. ExtremeWireless V10.41.06 User Guide 494 Conguring Sites Perform all RADIUS server interactions for 802.1x authentications for all stations associated with it on any 802.1x WLAN Service assigned to it. Perform all user authentication for all stations associated with it on any of the FF-ECP WLAN Services required user authentication. Recommended Deployment Guidelines The Sites feature introduces new and complex interactions between hardware and software components. Sites are recommended for customers who have an AP-to-controller link (in a normal deployment) which they expect will be disconnected for long periods of time, but still expect to give service to users. NNote For best performance and maintainability, do not use the Sites feature if the AP-to-controller link is normally connected. D controller link:

Tunneled/Routed topologies RADIUS accounting Captive Portal The following guidelines are recommended to congure a secure and easy-to-maintain Site:

Use 802.1x and WPA2 Enterprise authentication and privacy. Do not use MAC-based authentication (MBA) unless absolutely required. Do not use more than 32 policy rules within a single AP lter. Do not congure a Sites AP Session Availability function without an AP-to-controller link. Do not congure the following features in a Sites conguration since they rely on a consistent AP-to-

raft From the top menu, click VNS. 1 Dening Roles, CoS, and RADIUS Servers for Local RADIUS Authentication ExtremeWireless V10.41.06 User Guide 495 2 In the left pane, click Sites. The SSites screen displays. Conguring Sites D raft ExtremeWireless V10.41.06 User Guide 496 Conguring Sites 3 In the left pane, click the name of the Site that you want to edit, or click the New button to create a new Site. The SSite conguration page displays. By default, the CConguration tab displays. Table 105 describes the elds and buttons on the Conguration tab. ft Table 105: Conguration Tab - Fields and Buttons Field/Button Description Site Name Local Radius Authentication Default DNS Server Enter a name to assign to this Site.The name is unique among Sites on the controller. AP load group names and Site names are part of the same space so a load group and a Site cannot have the same name. Select this check box to choose a local RADIUS Server for login credentials and authentication. This eld is used to resolve RADIUS server names to IP addresses if necessary. ExtremeWireless V10.41.06 User Guide 497 Conguring Sites Table 105: Conguration Tab - Fields and Buttons (continued) FField/Button Description Roles to download to member APs CoS to download to member APs RADIUS Server used Select roles that will be applied to APs with this specic Site conguration. Physical topologies and third party AP enabled topologies cannot be assigned to a Site. Displays the Class of Service that will be applied to APs with this specic Site conguration. Displays the list of available RADIUS servers used for this Site (for more information, see Radius Conguration on page 499). The RADIUS servers assigned to a Site override the list of RADIUS servers in the WLAN Service denition for APs that are part of the Site. Status:

Synchronize: (unknown) D Advanced Button Select this check box to enable automatic synchronization with an availability peer. Refer to Using the Sync Summary on page 414 for information about viewing synchronization status. If this Site is part of an availability pair, Extreme Networks recommends that you enable this feature. Secure Tunnel This feature, when enabled, provides encryption, authentication, and key management between the AP and/or controllers. Select the desired Secure Tunnel mode from the drop-down list:

Disabled Secure Tunnel is turned off and no traffic is encrypted. All SFTP/SSH/TFTP traffic works normally. Encrypt control traffic between AP & Controller An IPSEC tunnel is established from the AP to the controller and all SFTP/SSH/TFTP/

WASSP control traffic is encrypted. The AP skips the registration and authentication phases and when selected, the Secure Tunnel Lifetime feature can be congured. Encrypt control and data traffic between AP & Controller This mode only benets routed/bridged@AP Controller Topologies. An IPSEC tunnel is established from the AP to the controller and all SFTP/SSH/TFTP/WASSP control and data traffic is encrypted. The AP skips the registration and authentication phases, and when selected, the Secure Tunnel Lifetime feature can be congured. raft Debug mode An IPSEC tunnel is established from the AP to the controller, no traffic is encrypted, and all SFTP/SSH/TFTP traffic works normally. The AP skips the registration and authentication phases and when selected, the Secure Tunnel Lifetime feature can be congured. Note: This option is not available for AP3805 models. Secure Tunnel Lifetime Note: Changing a Secure Tunnel mode will automatically disconnect and reconnect the AP. When Secure Tunnel is enabled, enter an interval (in hours) at which time the keys of the IPSEC tunnel are renegotiated. Only applies if both the AP and controller are running V8.31 or newer. Note: Changing the Secure Tunnel Lifetime setting will not cause any AP disruption. ExtremeWireless V10.41.06 User Guide 498 Conguring Sites Table 105: Conguration Tab - Fields and Buttons (continued) FField/Button Description Encrypt control traffic between APs Band Preference Load Control Select check box to provide encryption, authentication, and key management between APs and/or controllers. Select this check box to enable APs to become members of both this Site and a load group at the same time. Select the following parameters for each radio assigned to this Site:

Enable: Select this check box to enable Radio Load Control (RLC) for individual radios (Radio1 and Radio2) associated with this Site. Max. # of Clients: Enter the maximum number of clients for Radio 1 and Radio 2. The default limit is 60. The valid range is: 5 to 60. Strict Limit: Select this check box to enable a strict limit on the number of clients allowed on a specic radio, based on the max # of clients allowed. Limits can be enforced separately for radio1 and radio 2. Radius Conguration D RADIUS Authentication:

Replace Called Station ID with Zone A single Site denition can be congured with one or two RADIUS servers. The RADIUS servers assigned to a Site can only be selected from the list of servers displayed on the RRADIUS Conguration dialog. To select site RADIUS servers:

Select this check box to allow the RADIUS client to send the AP Zone as the Called-Station ID instead of the radio MAC address. This feature can be enabled regardless of whether the Site is using centrally located or local RADIUS servers. raft 1 From the CConguration tab, under RADIUS Server used, click Congure. The RRADIUS Conguration dialog displays. 2 Select a RADIUS server from the list of available servers and click the right-arrow button. ExtremeWireless V10.41.06 User Guide 499 Conguring Sites The server will be moved under the RADIUS Servers used list. 3 Click the Move Up or Move Down buttons to change the order of the RADIUS Servers used. 4 Click the Advanced button. The RRADIUS Advanced Conguration dialog appears. D 5 The following values can be edited:

MS-CHAP2). alternate name in the box provided. an alternate IP Address in the box provided. NAS Identier Click the check box to use the name of the existing VNS server, or enter an NAS IP Address Click the check box to use the existing IP address of the VNS server, or enter Auth. type Select an authorization protocol from the drop-down list (PAP, CHAP, MS-CHAP, or Password To override the default password (see VNS Global Settings on page 392) for MBA -

MAC Based authorization only. Select Mask to display the password, and select Unmask to hide the entry. 6 Click Close. raft 1 Go to VNS > Sites. 2 Select a site and click the AAP Assignments tab. To select AP assignments:

Selecting AP Assignments ExtremeWireless V10.41.06 User Guide 500 3 Select the APs to apply to the Site conguration. Conguring Sites D Selecting WLAN Assignments To select WLAN Assignments:

conguration. 4 Click Save. 1 Go to VNS > Sites. 2 Select a site and click the WWLAN Assignments tab. 3 Select Radio assignments (Radio 1 and Radio 2) for specic WLANs that will be applied to this Site raf ExtremeWireless V10.41.06 User Guide 501 11 Working with a Mesh Network AAbout Mesh Simple Mesh Conguration Wireless Repeater Conguration Wireless Bridge Conguration Examples of Deployment Mesh WLAN Services Key Features of Mesh Deploying the Mesh System Changing the Pre-shared Key in a Mesh WLAN Service D About Mesh A Mesh deployment is ideally suited for locations where installing Ethernet cabling is too expensive, or physically impossible. Mesh networks enable you to expand the wireless network by interconnecting the wireless APs through wireless links in addition to the traditional method of interconnecting wireless APs via a wired network. In a Mesh deployment, each node not only captures and disseminates its own data, but it also serves as a relay for other nodes, that is, it collaborates to propagate the data in the network. raft The Mesh network can be deployed in three congurations:

Simple Mesh Conguration Wireless Repeater Conguration Wireless Bridge Conguration In a typical Mesh conguration, the APs are connected to the distribution system via an Ethernet network, which provides connectivity to the ExtremeWireless Appliance. Simple Mesh Conguration However, when an AP is installed in a remote location and cant be wired to the distribution system, an intermediate AP is connected to the distribution system via the Ethernet link. This intermediate AP forwards and receives the user traffic from the remote AP over a radio link. The intermediate AP that is connected to the distribution system via the Ethernet network is called Mesh portal, and the AP that is remotely located is called the Mesh AP. Figure 148 illustrates the Simple Mesh conguration:

ExtremeWireless V10.41.06 User Guide 502 Working with a Mesh Network D Figure 148: Simple Mesh Conguration Wireless Repeater Conguration In Wireless Repeater conguration, a Mesh AP is installed between the Mesh Portal and the destination Mesh AP. The Mesh AP relays the user traffic between the Mesh Portal and the destination Mesh AP. This increases the WLAN (Wireless Local Area Network) range. Figure 149 illustrates the Wireless Repeater conguration:

raft ExtremeWireless V10.41.06 User Guide 503 Working with a Mesh Network D Figure 149: Wireless Repeater Conguration NNote You should restrict the number of repeater hops in a Wireless Repeater conguration to three for optimum performance. raft In Wireless Bridge conguration, the traffic between two APs that are connected to two separate wired LAN segments is bridged via Mesh link. You may also install a Mesh AP between the two Wireless APs connected to two separate LAN segments. Wireless Bridge Conguration Figure 150: Wireless Bridge Conguration When you are conguring the Wireless Bridge conguration, you must specify on the user interface that the Mesh AP is connected to the wired LAN. ExtremeWireless V10.41.06 User Guide 504 Working with a Mesh Network Examples of Deployment The following illustration depicts a few examples of Mesh deployment. D Figure 151: Examples of Mesh Deployment Mesh WLAN Services In a traditional WLAN deployment, each radio of the AP can interact with the client devices on a maximum of eight networks. In Mesh deployment, one of the radios of every Mesh AP establishes a Mesh link on an exclusive WLAN Service. The Mesh AP is therefore limited to seven network WLAN Services on the Mesh radio. The other radio can interact with the client-devices on a maximum of eight WLAN Services. raft The WLAN Service on which the APs establish the Mesh link is called the Mesh WLAN Service. A Mesh can be setup either by using either a single Mesh WLAN Service or multiple Mesh WLAN Services. The following gures illustrate the point. In Figure 152 on page 506:

The rectangular enclosure denotes an office building. The four wireless APs Minoru, Yosemite, Bjorn and Lancaster are within the connes of the building and are connected to the wired network. The space around the office building is a warehouse. The solid arrows point towards Current Parents. The dotted arrows point towards Alternative Parents. ExtremeWireless V10.41.06 User Guide 505 Working with a Mesh Network Mesh Setup with a Single Mesh WLAN Service D Figure 152: Deployment Example Deploying the Mesh for the above example using a single Mesh WLAN Service results in the following structure shown in Figure 153. The tree will operate as a single Mesh entity. It will have a single Mesh SSID and a single pre-shared key for Mesh links. This tree will have multiple roots. For more information, see Multi-Root Mesh Topology on page 511. raft ExtremeWireless V10.41.06 User Guide 506 Working with a Mesh Network ftFigure 153: Mesh Setup with a Single Mesh WLAN Service Mesh Setup with Multiple Mesh WLAN Services You can also deploy the same Mesh in Figure 152 on page 506 using two Mesh WLAN Services. The Two Mesh WLAN Services will create two independent Mesh trees. Both the trees will operate on separate SSIDs and use separate pre-shared keys. ExtremeWireless V10.41.06 User Guide 507 Working with a Mesh Network Figure 154: Mesh Setup with Multiple Mesh WLAN Services ExtremeWireless V10.41.06 User Guide 5508 Working with a Mesh Network Key Features of Mesh Some key features of Mesh are:

Self-Healing Network on page 509 Tree-like Topology on page 509 Radio Channels on page 510 Multi-Root Mesh Topology on page 511 Figure 156 on page 511 Self-Healing Network Tree-like Topology Data in a Mesh network propagates along a path, by hopping from node to node until the destination is reached. To ensure that all its paths' availability, the Mesh network allows for continuous connections and reconguration around broken or blocked paths, referred to as self-healing. The self-healing capability enables a routing based network to operate when one node breaks down or a connection goes bad. D The APs in Mesh conguration can be regarded as nodes, and these nodes form a tree-like structure. The tree builds in a top down manner with the Mesh Portal being the tree root, and the Mesh AP being the tree leaves. The nodes in the tree-structure have a parent-child relationship. The Mesh AP dynamically selects the best parent for connecting to the Mesh portal. A Mesh AP can have the role of both parent and child at the same time and the APs role can change dynamically. raft Figure 155 on page 510 illustrates the parent-child relationship between the nodes in a Mesh topology. Mesh Portal is the parent of Mesh AP 1. Mesh AP 1 is the child of Mesh Portal. Mesh AP 1 is the parent of Mesh AP 2. Mesh AP 2 is the child of Mesh AP 1. Mesh AP 2 is the parent of the following Wireless APs:

Mesh AP 5 Mesh AP 4 Mesh AP 3 All the three Mesh APs are the children of Mesh AP 2. ExtremeWireless V10.41.06 User Guide 5509 Working with a Mesh Network aftFigure 155: Parent-Child Relationship Between Wireless APs in Mesh Conguration NNote If an AP is congured to serve as a scanner in Radar, it cannot be used in a Mesh tree. For more information, see Working with ExtremeWireless Radar on page 563. Note It is recommended that you limit the number of APs participating in a Mesh tree to 50. This limit guarantees decent performance in most typical situations. Radio Channels All APs in a mesh deployment must have Mesh congured on the same radio. On the backhaul radio, the following settings must be set the same way for all APs in the Mesh:

Radio mode ExtremeWireless V10.41.06 User Guide 510 Working with a Mesh Network Minimum Basic Rate Multi-Root Mesh Topology A Mesh topology can have multiple Mesh Portals. Figure 156 illustrates the multiple-root Mesh topology. aft Figure 156: Multiple-Root Mesh Topology Link Security The Mesh link is encrypted using Advance Encryption Standard (AES). NNote The keys for AES are congured prior to deploying the Repeater or Mesh APs. Deploying the Mesh System Before you start conguring the Mesh APs, you must ensure the following:

The APs that are part of the wired WLAN are connected to the wired network. ExtremeWireless V10.41.06 User Guide 511 Working with a Mesh Network The wired APs that will serve as the Mesh Portal of the proposed Mesh topology are operating normally. The WLAN is operating normally. Planning the Mesh Topology You may sketch the proposed WLAN topology on er before you start the Mesh deployment process. You should clearly identify the following in the sketch:

Mesh APs with their names Radios that you will choose to link the APs Provisioning the Mesh Wireless AP D This step is of crucial importance and involves connecting the Mesh APs to the enterprise network via the Ethernet link. This is done to enable the Mesh APs to connect to the wireless controller so that they can derive their Mesh conguration. The Mesh APs conguration includes pre-shared key and its role, preferred parent name and the backup parent name. Note The provisioning of Mesh APs must be done before they are deployed at the target location. If the APs are not provisioned, they will not work at their target location. raft 3 Creating a Mesh VNS. 4 Assigning roles, parents and backup parents to the Mesh wireless APs. 5 Assigning the Mesh APs radios to the network VNSs. 6 Connecting the Mesh APs to the enterprise network via the Ethernet link for provisioning. For more discover and register themselves with the wireless controller. For more information, see Discovery and Registration on page 120. 2 Disconnecting the Mesh APs from the enterprise network after they have discovered and registered 1 Connecting the Mesh APs to the enterprise network via the Ethernet network to enable them to The following is the high-level overview of the Mesh deployment process:

with the wireless controller. Mesh Deployment Overview information, see Provisioning the Mesh Wireless AP on page 512. 7 Disconnecting the Mesh APs from the enterprise network and moving them to the target location. Note During the Mesh deployment process, the Mesh APs are connected to the enterprise network on two occasions rst to enable them to discover and register with the wireless controller, and then the second time to enable them to obtain the provisioning from the wireless controller. ExtremeWireless V10.41.06 User Guide 512 Working with a Mesh Network Connecting the Mesh APs to the Network for Discovery and Registration Connect each Mesh wireless AP to the enterprise network to enable it to discover and register itself with the wireless controller. NNote Before you connect the Mesh APs to the enterprise network for discovery and registration, you must ensure that the Security mode property of the wireless controller is dened according to your security needs. The Security mode property dictates how the wireless controller behaves when registering new and unknown devices. For more information, see Wireless AP Registration on page 123. If the Security mode is set to Allow only approved Wireless APs to connect (this is also known as secure mode), you must manually approve the Mesh APs after they are connected to the network for the discovery and registration. For more information, see New Button -- Adding and Registering a Wireless AP on page 131. Conguring the Mesh Wireless APs Through the Controller Depending upon the number of Ethernet ports available, you may connect one or more Mesh wireless APs at a time, or you may connect all of them together. D Conguring the Mesh wireless APs involves the following steps:

1 Creating a Mesh WLAN Service. 2 Dening the SSID name and the pre-shared key. Once a Mesh wireless AP has discovered and registered itself with the wireless controller, disconnect it from the enterprise network. raft For ease of understanding, the Mesh conguration process is explained with an example. Figure 157 on page 514 depicts a site with the following features:

An office building, denoted by a rectangular enclosure. Four APs Ardal, Arthur, Athens and Auberon are within the connes of the building, and are The space around the building is the warehouse. The solid arrows point toward Current Parents. The dotted arrows point toward Alternative Parents. connected to the wired network. ExtremeWireless V10.41.06 User Guide 513 Working with a Mesh Network D Figure 157: Mesh Deployment To congure the Mesh wireless APs through the controller:

NNote With the single Mesh VNS, the tree structure for the Mesh deployment will be as depicted on the bottom right of Figure 157. You can also implement the same deployment using four Mesh VNSs, each for a set of APs in the four corners of the building. Each set of APs will form an isolated topology and will operate using a separate SSID and a separate Pre-shared key. For more information, see Figure 151 on page 505. raft Before conguring Mesh, be sure that the following conditions are met:

Energy Save is set to Off Beacon Interval is set to 100 msec AP names are 32 characters or less for statistics display purposes ATPC and DCS are both disabled. If possible, follow these guidelines for the backhaul radio to achieve a balance of stability, throughput, and latency:

Use a 5.2 GHz band for backhaul Select a non-DFS channel for the Mesh Portal Use a 40 MHz Channel Width and Short guard interval Disable Aggregate MSDUs Enable Aggregate MPDUs Enable ADDBA support Congure the settings on the Radio conguration page the same for all APs in the Mesh. Set the Poll Timeout to be at least 60 seconds. ExtremeWireless V10.41.06 User Guide 514 Working with a Mesh Network From the top menu, click VNS. 1 2 In the left pane, expand the WLAN Services pane and select a Mesh service to edit or click the New button. 3 Enter a name for the service in the Name eld. 4 The SSID eld is automatically lled in with the name, but you can change it if desired. 5 For Service Type, select Mesh. raft 6 To save your changes, click Save. The WWLAN conguration window is re-displayed to show additional conguration elds. ExtremeWireless V10.41.06 User Guide 515 Working with a Mesh Network D 7 In the Mesh Pre-shared Key box, type the key. NNote The pre-shared key must be 8 to 63 characters long. The Mesh APs use this pre-shared key to establish a Mesh link between them. raft Note Changing the pre-shared key after the Mesh is deployed can be a lengthy process. For more information, see Changing the Pre-shared Key in a Mesh WLAN Service on page 517. Note After you save the conguration, you cannot change the backhaul radio. Please congure this setting wisely. 8 Assign a backhaul radio. 9 To save your changes, click Save. Note The Mesh Bridge feature on the user interface relates to Mesh Bridge conguration. When you are conguring the Mesh Bridge topology, you must select Mesh Bridge for Mesh AP that is connected to the wired network. For more information, see Wireless Bridge Conguration on page 504. ExtremeWireless V10.41.06 User Guide 516 Working with a Mesh Network Connecting the Mesh Wireless APs to the Enterprise Network for Provisioning You must connect the Mesh wireless APs to the enterprise network once more to enable them to obtain their conguration from the wireless controller. The conguration includes the pre-shared key, the APs role, preferred parent and backup parent. For more information, see Provisioning the Mesh Wireless AP on page 512. WWarning If you skip this step, the Mesh APs will not work at their target location. Moving the Mesh Wireless APs to the Target Location Changing the Pre-shared Key in a Mesh WLAN Service To Change the Pre-shared Key in a Mesh WLAN Service Note If you change any of the following radio properties of a Mesh AP, the Mesh AP will reject the change: disabling the radio on which the Mesh link is established,lowering the radios Tx Power of a radio on which the Mesh link is established, or changing the country. D 1 Disconnect the Mesh APs from the enterprise network, and move them to the target location. 2 Install the Mesh APs at the target location. 3 Connect the APs to a power source. The discovery and registration processes are initiated. raft 4 Check the Mesh Statistics report page to ensure that all the Mesh APs have connected to the wireless controller via the new Mesh VNS. For more information, see Viewing Statistics for APs on page 627. 5 Delete the old Mesh WLAN Service. For more information, see Deleting a VNS on page 486. 1 Create a new Mesh WLAN Service with a new pre-shared key. 2 Assign the RF of the APs from the old Mesh to the new Mesh WLAN Service. 3 Wait at least 30 seconds to ensure that all APs got the conguration, then disable the old Mesh WLAN service. ExtremeWireless V10.41.06 User Guide 517 12 Working with a Wireless Distribution System AAbout WDS Simple WDS Conguration Wireless Repeater Conguration Wireless Bridge Conguration Examples of Deployment WDS WLAN Services Key Features of WDS Deploying the WDS System Changing the Pre-shared Key in a WDS WLAN Service D About WDS The Wireless Distribution System (WDS) enable you to expand the wireless network by interconnecting the wireless APs through wireless links in addition to the traditional method of interconnecting APs via a wired network. A WDS deployment is ideally suited for locations, where installing Ethernet cabling is too expensive, or physically impossible. raft The WDS can be deployed in three congurations:

Simple WDS Conguration Wireless Repeater Conguration Wireless Bridge Conguration In a typical WDS conguration, the wireless APs are connected to the distribution system via an Ethernet network, which provides connectivity to the wireless controller. Simple WDS Conguration However, when an AP is installed in a remote location and cant be wired to the distribution system, an intermediate AP is connected to the distribution system via the Ethernet link. This intermediate AP forwards and receives the user traffic from the remote AP over a radio link. The intermediate AP that is connected to the distribution system via the Ethernet network is called Root AP, and the AP that is remotely located is called the Satellite AP. Figure 158 illustrates the Simple WDS conguration:

ExtremeWireless V10.41.06 User Guide 518 Working with a Wireless Distribution System D Figure 158: Simple WDS Conguration Wireless Repeater Conguration In Wireless Repeater conguration, a Repeater wireless AP is installed between the Root AP and the Satellite AP. The Repeater AP relays the user traffic between the Root AP and the Satellite AP. This increases the WLAN (Wireless Local Area Network) range. Figure 159 illustrates the Wireless Repeater conguration:

raft ExtremeWireless V10.41.06 User Guide 519 Working with a Wireless Distribution System D Figure 159: Wireless Repeater Conguration NNote You should restrict the number of repeater hops in a Wireless Repeater conguration to three for optimum performance. raft In Wireless Bridge conguration, the traffic between two wireless APs that are connected to two separate wired LAN segments is bridged via WDS link. You may also install a Repeater AP between the two APs connected to two separate LAN segments. Wireless Bridge Conguration Figure 160: Wireless Bridge Conguration When you are conguring the Wireless Bridge conguration, you must specify on the user interface that the Satellite AP is connected to the wired LAN. ExtremeWireless V10.41.06 User Guide 520 Working with a Wireless Distribution System Examples of Deployment Examples of Deployment on page 521 illustration depicts a few examples of WDS deployment. D Figure 161: Examples of WDS Deployment WDS WLAN Services In a traditional WLAN deployment, each radio of the wireless AP can interact with the client devices on a maximum of eight networks. In WDS deployment, one of the radios of every WDS AP establishes a WDS link on an exclusive WLAN Service. The WDS AP is therefore limited to seven network WLAN Services on the WDS radio. The other radio can interact with the client-devices on a maximum of eight WLAN Services. raft Note The root wireless AP and the Repeater APs can also be congured to interact with the client-

devices. For more information, see Assigning the Satellite Wireless APs Radios to the Network WLAN Services on page 535. A WDS can be setup either by using either a single WDS WLAN Service or multiple WDS WLAN Services. The following gures illustrate the point. Figure 162 on page 522 shows:

The rectangular enclosure denotes an office building. The four wireless APs Minoru, Yosemite, Bjorn and Lancaster are within the connes of the The WLAN Service on which the APs establish the WDS link is called the WDS WLAN Service. building and are connected to the wired network. The space around the office building is a ware house. The solid arrows point towards Preferred Parents. The dotted arrows point towards Backup Parents. ExtremeWireless V10.41.06 User Guide 521 Working with a Wireless Distribution System WDS Setup with a Single WDS WLAN Service D Figure 162: Deployment Example Deploying the WDS for the above example using a single WDS WLAN Service results in the following structure. The tree will operate as a single WDS entity. It will have a single WDS SSID and a single pre-shared key for WDS links. This tree will have multiple roots. For more information, see Multi-Root WDS Topology on page 527. raft ExtremeWireless V10.41.06 User Guide 522 Working with a Wireless Distribution System ftFigure 163: WDS Setup with a Single WDS WLAN Service WDS Setup with Multiple WDS WLAN Services You can also deploy the same WDS using two WDS WLAN Services. The Two WDS WLAN Services will create two independent WDS trees. Both the trees will operate on separate SSIDs and use separate pre-

shared keys. ExtremeWireless V10.41.06 User Guide 523 Working with a Wireless Distribution System Figure 164: WDS Setup with Multiple WDS WLAN Services ExtremeWireless V10.41.06 User Guide 5524 Working with a Wireless Distribution System Key Features of WDS Some key features of WDS are:

Tree-like Topology on page 525 Radio Channels on page 527 Multi-Root WDS Topology on page 527 Figure 166 on page 527 Link Security on page 528 Tree-like Topology The wireless APs in WDS conguration can be regarded as nodes, and these nodes form a tree-like structure. The tree builds in a top down manner with the Root AP being the tree root, and the Satellite AP being the tree leaves. D The nodes in the tree-structure have a parent-child relationship. The AP that provides the WDS service to the other APs in the downstream direction is a parent. The APs that establish a link with the AP in the upstream direction for WDS service are children. NNote If a parent AP fails or stops to act a parent, the children APs will attempt to discover their backup parents. If the backup parents are not dened, the children APs will be left stranded. The following gure illustrates the parent-child relationship between the nodes in a WDS topology. In Figure 165 on page 526:

Root Wireless AP is the parent of Repeater Wireless AP 1. Repeater Wireless AP 1 is the child of Root Wireless AP. Repeater Wireless AP 1 is the parent of Repeater Wireless AP 2. Repeater Wireless AP 2 is the child of Repeater Wireless AP 1. Repeater Wireless AP 2 is the parent of the following Wireless APs:

raft Satellite Wireless AP 1 Satellite Wireless AP 2 Satellite Wireless AP 3 All the three Satellite APs are the children of Repeater Wireless AP 2. ExtremeWireless V10.41.06 User Guide 525 Working with a Wireless Distribution System aftFigure 165: Parent-Child Relationship Between Wireless APs in WDS Conguration The WDS system enables you to congure the APs role parent, child or both from the wireless controllers interface. If the WDS AP will be serving as a parent and a child in a given topology, its role is congured as both. NNote It is recommended that you limit the number of APs participating in a WDS tree to 8. This limit guarantees decent performance in most typical situations. Note If an AP is congured to serve as a scanner in Radar, it cannot be used in a WDS tree. For more information, see Working with ExtremeWireless Radar on page 563. ExtremeWireless V10.41.06 User Guide 526 Working with a Wireless Distribution System Radio Channels The radio channel on which the child AP operates is determined by the parent AP. An AP may connect to its parent AP and children APs on the same radio, or on different radios. Similarly, an AP can have two children operating on two different radios. NNote When an AP is connecting to its parent AP and children APs on the same radio, it uses the same channel for both the connections. Multi-Root WDS Topology A WDS topology can have multiple Root wireless APs. Figure 166 illustrates the multiple-root WDS topology. D Figure 166: Multiple-root WDS Topology Automatic Discovery of Parent and Backup Parent Wireless APs The children wireless APs, including the Repeater wireless AP and the Satellite wireless APs, scan for their respective parents at a startup. ExtremeWireless V10.41.06 User Guide 527 Working with a Wireless Distribution System You can manually congure a parent and backup parent for the children APs or you can enable the children APs to automatically select the best parent out of all of the available APs. If you choose automatic parent AP selection, a child AP selects a parent AP based on its received signal strength and the number of hops to the root AP. After a parent AP and backup parent AP is selected, the wireless controller will rst try to negotiate a WDS link with the parent wireless controller. If the WDS link negotiation is unsuccessful, the wireless controller will try to negotiate a link with the backup parent. Link Security The WDS link is encrypted using Advance Encryption Standard (AES). NNote The keys for AES are congured prior to deploying the Repeater or Satellite APs. Deploying the WDS System D Planning the WDS Topology operating normally. The WLAN is operating normally. Before you start conguring the WDS wireless APs, you must ensure the following:

The wireless APs that are part of the wired WLAN are connected to the wired network. The wired wireless APs that will serve as the Root AP/Root APs of the proposed WDS topology are raft You may sketch the proposed WLAN topology on er before you start the WDS deployment process. You should clearly identify the following in the sketch:

WDS wireless APs with their names Parent-child relationships between wireless APs Radios that you will choose to link the wireless APs' parents and children This step is of crucial importance and involves connecting the WDS wireless APs to the enterprise network via the Ethernet link. This is done to enable the WDS APs to connect to the wireless AP controller so that they can derive their WDS conguration. Provisioning the WDS APs The WDS APs conguration includes pre-shared key, its role, preferred parent name and the backup parent name. Note The provisioning of WDS APs must be done before they are deployed at the target location. If the APs are not provisioned, they will not work at their target location. ExtremeWireless V10.41.06 User Guide 528 Working with a Wireless Distribution System WDS Deployment Overview The following is the high-level overview of the WDS deployment process:

1 Connecting the WDS wireless APs to the enterprise network via the Ethernet network to enable them to discover and register themselves with the wireless controller. For more information, see Discovery and Registration on page 120. 2 Disconnecting the WDS APs from the enterprise network after they have discovered and registered with the wireless controller. 3 Creating a WDS VNS. 4 Assigning roles, parents and backup parents to the WDS APs. 5 Assigning the Satellite APs radios to the network VNSs. 6 Connecting the WDS APs to the enterprise network via the Ethernet link for provisioning. For more information, see Provisioning the WDS APs on page 528. Connecting the WDS Wireless APs to the Enterprise Network for Discovery and Registration D 7 Disconnecting the WDS APs from the enterprise network and moving them to the target location.DDDNNote During the WDS deployment process, the WDS APs are connected to the enterprise network on two occasions rst to enable them to discover and register with the wireless controller, and then the second time to enable them to obtain the provisioning from the wireless controller. raft Note Before you connect the WDS APs to the enterprise network for discovery and registration, you must ensure that the Security mode property of the wireless controller is dened according to your security needs. The Security mode property dictates how the wireless controller behaves when registering new and unknown devices. For more information, see Wireless AP Registration on page 123. If the Security mode is set to Allow only approved APs to connect (this is also known as secure mode), you must manually approve the WDS APs after they are connected to the network for the discovery and registration. For more information, see New Button -- Adding and Registering a Wireless AP on page 131. Connect each WDS wireless AP to the enterprise network to enable it to discover and register itself with the wireless controller. Depending upon the number of Ethernet ports available, you may connect one or more WDS APs at a time, or you may connect all of them together. Once a WDS AP has discovered and registered itself with the wireless controller, disconnect it from the enterprise network. ExtremeWireless V10.41.06 User Guide 529 Working with a Wireless Distribution System Conguring the WDS Wireless APs Through the Wireless Controller NNote You must identify and mark the Preferred Parents, Backup Parents and the Child APs in the proposed WDS topology before starting the conguration process. Conguring the WDS wireless APs involves the following steps:

Creating a WDS WLAN Service. Dening the SSID name and the pre-shared key. Assigning roles, parents and backup parents to the WDS APs. For ease of understanding, the WDS conguration process is explained with an example. The following gure depicts a site with the following features:

An office building, denoted by a rectangular enclosure. Four APs Ardal, Arthur, Athens and Auberon are within the connes of the building, and are connected to the wired network. D The space around the building is the warehouse. The solid arrows point toward Preferred Parents. The dotted arrows point toward Backup Parents. raft Figure 167: WDS Deployment Note With the single WDS VNS, the tree structure for the WDS deployment will be as depicted on the bottom right of the gure above. You can also implement the same deployment using four WDS VNSs, each for a set of APs in the four corners of the building. Each set of APs will form an isolated topology and will operate using a separate SSID and a separate Pre-shared key. For more information, see Figure 161 on page 521. To congure the WDS wireless APs through the wireless controller:

ExtremeWireless V10.41.06 User Guide 530 Working with a Wireless Distribution System From the top menu, click VNS. 1 2 In the left pane, expand the WLAN Services pane and select a WDS service to edit or click the New button. 3 Enter a name for the service in the Name eld. 4 The SSID eld is automatically lled in with the name, but you can change it if desired. 5 For Service Type, select WDS. raft ExtremeWireless V10.41.06 User Guide 5531 Working with a Wireless Distribution System 6 To save your changes, click Save. The WWLAN conguration window displays again to show additional conguration elds. ft 7 To improve security for WDS links and reduce inadvertent user associations to WDS SSID, check the Suppress SSID check box. (This option is available after you save the WDS type WLAN Service.) When this option is checked:

The SSID name is not included in the SSID IE eld. The child AP inspects the beacon for proprietary information that identies the service. ExtremeWireless V10.41.06 User Guide 532 Working with a Wireless Distribution System 8 In the WDS Pre-shared Key box, type the key. NNote The pre-shared key must be 8 to 63 characters long. The WDS APs use this pre-shared key to establish a WDS link between them. Note Changing the pre-shared key after the WDS is deployed can be a lengthy process. For more information, see Changing the Pre-shared Key in a WDS WLAN Service on page 536. 9 Assign the roles, preferred parents and backup parents to the AP Radios. Table 106: Wireless APs and Their Roles ExtremeWireless AP Radio b/g Radio a D Note The roles parent, child, and both are assigned to the Radios of the APs. An AP may connect to its parent wireless AP and children APs on the same Radio, or on a different Radio. Similarly, a AP can have two children operating on two different Radios.The Radio on which the child AP operates is determined by the parent AP.If the AP will be serving both as parent and child, you must select both as its role. 10 To congure the WDS with a single WDS VNS, you must assign the roles, preferred parents and backup parents to the APs according to Table 106. Parent Parent Parent Backup Parent Preferred Parent See the note below. raft See the note below. See the note below. See the note below. See the note below. See the note below. See the note below. See the note below. Auberon Auberon Athens Athens Bawdy Arthur Arthur Arthur Parent Parent Parent Parent Parent Ardal Ardal Ardal Child Child Child Child Child Child Child Child Both Both Both Both Bern Ardal Arthur Athens Auberon Bawdy Bern Barend Barett Osborn Oscar Orson Oswald Child Child Child Child Barend Barett Athens Auberon Note Since the Root APs Ardal, Arthur, Athens and Auberon are the highest entities in the tree structure, they do not have parents. Therefore, the Preferred Parent and Backup Parent drop-down lists of the Root APs do not display any AP. You must leave these two elds blank. ExtremeWireless V10.41.06 User Guide 533 Working with a Wireless Distribution System NNote You must rst assign the parent role to the APs that will serve as the parents. Unless this is done, the Parent APs will not be displayed in the Preferred Parent and Backup Parent drop-down lists of other APs. Note The WDS Bridge feature on the user interface relates to WDS Bridge conguration. When you are conguring the WDS Bridge topology, you must select WDS Bridge for Satellite AP that is connected to the wired network. For more information, see Wireless Bridge Conguration on page 520. 11 To assign the roles, preferred parent and backup parent:

a From the radio b/g drop-down list of the Root APs Ardal, Arthur, Athens and Auberon, click c From the radio a and radio b/g drop-down list of other APs, click the roles according to Table 106 d From the Preferred Parent drop-down list of other APs, click the parents according to Table 106 b From the radio a drop-down list of the Root APs Ardal, Arthur, Athens and Auberon, click Parent. D on page 533. Parent. on page 533. Table 106 on page 533. ra e From the Backup Parent drop-down list of other APs, click the backup parents according to Figure 168: Wireless AP Services 12 Click Save to save your changes. ExtremeWireless V10.41.06 User Guide 534 Working with a Wireless Distribution System Assigning the Satellite Wireless APs Radios to the Network WLAN Services You must assign the Satellite wireless APs radios to the network WLAN Services. Note Network WLAN Services are the typical WLAN Services on which the APs service the client devices: Routed, Bridge Traffic Locally at EWC, and Bridge Traffic Locally at AP. For more information, see VNS Global Settings on page 392. To assign the satellite wireless APs radios to the Network WLAN Service:

From the top menu, click VNS. 1 2 In the left pane, expand the WLAN Services pane and select a network WDS service to edit D 4 To save your changes, click Save. 5 Log out from the wireless controller. 3 In the Wireless APs list, select the radios of the Satellite APs Osborn, Oscar, Orson and Oswald. Note If you want the Root AP and the Repeater APs to service the client devices, you must select their radios in addition to the radios of the Satellite APs. raft Connecting the WDS Wireless APs to the Enterprise Network for Provisioning You must connect the WDS wirless APs to the enterprise network once more to enable them to obtain their conguration from the wireless controller. The conguration includes the pre-shared key, the APs role, preferred parent and backup parent. For more information, see Provisioning the WDS APs on page 528. Warning If you skip this step, the WDS wireless APs will not work at their target location. ExtremeWireless V10.41.06 User Guide 535 Working with a Wireless Distribution System Moving the WDS Wireless APs to the Target Location NNote If you change any of the following conguration parameters of a WDS AP, the WDS AP will reject the change: Reassigning the WDS APs role from Child to None, Reassigning the WDS APs role from Both to Parent, and changing the Preferred Parent of the WDS AP. However , the wireless controller will display your changes, as these changes will be saved in the database. To enable the WDS AP to obtain your changes, you must remove it from the WDS location and then connect it to the wireless Controller via the wired network. Note If you change any of the following radio properties of a WDS AP, the WDS AP will reject the change: Disabling the radio on which the WDS link is established, lowereing the radios Tx Power of a radio on which the WDS link is established, or changing the country Changing the Pre-shared Key in a WDS WLAN Service 1 Disconnect the WDS wireless APs from the enterprise network, and move them to the target location. D To change the Pre-shared Key in a WDS WLAN Service:

2 Install the WDS APs at the target location. 3 Connect the APs to a power source. The discovery and registration processes are initiated. 1 Create a new WDS WLAN Service with a new pre-shared key. 2 Assign the RF of the APs from the old WDS to the new WDS WLAN Service. 3 Check the WDS AP Statistics report page to ensure that all the WDS APs have connected to the wireless controller via the new WDS VNS. For more information, see Viewing Statistics for APs on page 627. raft 4 Delete the old WDS WLAN Service. For more information, see Deleting a VNS on page 486. ExtremeWireless V10.41.06 User Guide 536 13 Availability and Session Availability AAvailability Session Availability Viewing SLP Activity Availability D service availability in the event of a controller outage.DNote The Extreme Networks ExtremeWireless Software system provides the availability feature to maintain During the failover event, the maximum number of failover APs the secondary controller can accommodate is equal to the maximum number of APs supported by the hardware platform. Wireless APs that attempt to connect to the secondary controller during a failover event are assigned to the WLAN (Wireless Local Area Network) Service that is dened in the systems default AP conguration, provided the administrator has not assigned the failover APs to one or more VNSs. If a system default AP conguration does not exist for the controller (and the administrator has not assigned the failover APs to any WLAN Service), the APs will not be assigned to any WLAN Service during the failover. raft A controller will not accept a connection by a foreign AP if the controller believes its availability partner controller is in service. Also, the default AP conguration assignment is only applicable to new APs that failover to the backup controller. Any AP that has previously failed over and is already known to the backup system will receive the conguration already present on that system. For more information, see Conguring the Default Wireless AP Settings on page 134. During the failover event when the AP connects to the secondary controller, the users are disassociated from the AP. Consequently, the users must log on again and be authenticated on the secondary controller before the wireless service is restored. Note If you want the mobile users session to be maintained, you must use the session availability feature that enables the primary controllers APs to failover to the secondary controller fast enough to maintain the session availability (user session). For more information, see Session Availability on page 545. The availability feature provides APs with a list of local active interfaces for the active controller as well as the active interfaces for the backup controller. The list is sorted by top-down priority. ExtremeWireless V10.41.06 User Guide 537 Availability and Session Availability If the connection with an active controller link is lost (poll failure), the AP automatically scans (pings) all addresses in its availability interface list. The AP then connects to the highest priority interface that responds to its probe. Events and Actions in Availability If one of the controllers in a pair fails, the communication between the two controllers stops. This triggers a failover condition and a critical message is displayed in the information log of the secondary controller. After an AP on the failed controller loses its connection, it will try to connect to all enabled interfaces on both controllers without rebooting. If the AP is not successful, it will begin the discovery process. If the AP is not successful in connecting to the controller after ve minutes of attempting, the AP will reboot if there is no Bridge traffic locally at the AP topology associated to it. All mobile users sessions using the failover AP will terminate except those associated to a Bridge traffic locally at the AP and if the Maintain client sessions in event of poll failure option is enabled on the AP Properties tab or AAP Default Settings screen. ExtremeWireless V10.41.06 User Guide 538 Availability and Session Availability When the APs connect to the second controller, they are either assigned to the VNS that is dened in the systems default AP conguration or manually congured by the administrator. The mobile users log on again and are authenticated on the second controller. When the failed controller recovers, each controller in the pair goes back to normal mode. They exchange information including the latest lists of registered APs. The administrator must release the APs manually on the second controller, so that they may re-register with their home controller. Foreign APs can now all be released at once by using the Approve as Foreign button on the AAccess Approval screen to select all foreign APs, and then clicking Release. To support the availability feature during a failover event, you need to do the following:

1 Monitor the critical messages for the failover mode message, in the information log of the remaining controller (in the Logs & Traces section of the Wireless Assistant). 2 After recovery, on the controller that did not fail, select the foreign APs, and then click Release on the AAccess Approval screen. D Availability Prerequisites link is established as a UDP session on port 13911. Before you congure availability, you must do the following:

Choose the primary and secondary controllers. Verify the network accessibility for the UDP connection between the two controllers. The availability Set up a DHCP (Dynamic Host Conguration Protocol) server for AP subnets to support Option 78 for SLP, so that it points to the IP addresses of the physical interfaces on both the controllers. Ensure that the Poll Timeout value on the AAP Properties tab AAdvanced dialog is set to 1.5 to 2 times of Detect link failure value on the CController > Availability screen. For more information, see AP Properties Tab - Advanced Settings on page 164. raft If the Poll Timeout value is more than 1.5 to 2 times of Detect link failure value, the APs failover will be unnecessarily delayed, because the APs will continue polling the primary controller even though the secondary controller is ready to accept them as the failover APs. To achieve ideal availability behavior, set the Poll Timeout value for all APs to 15 seconds, and the Detect link failure on the CController > Availability screen to 10 seconds. The availability wizard allows you to create an availability pair from one of the controllers that will be in the availability pair. When creating the availability pair, you also have the option to synchronize VNS denitions and GuestPortal user accounts between the paired controllers. Conguring Availability Using the Availability Wizard To congure availability using the availability wizard:

From the top menu, click Controller. 1 2 In the left pane, click Administration > Availability. ExtremeWireless V10.41.06 User Guide 539 Availability and Session Availability 3 In the Availability Wizard section, click Start. The Availability Pair Wizard screen displays. D 4 In the Connection Details section, do the following:

establish the availability link. Select Port Select the port and IP address of the primary controller that is to be used to Peer Controller IP Type the IP address of the peer (secondary) controller. User Type the login user name credentials of an account that has full administrative privileges raft NNote Synchronizing the VNS denitions will delete and replace existing VNS denitions on the peer controller. Synchronize System Conguration Select this check box to push the congured Routed and Bridge Traffic Locally at Controller VNS denitions from the primary controller to the peer controller. WDS and 3rd Party AP VNS denitions are ignored and not synchronized. Password Type the login password used with the user ID to login to the peer controller. Enable Fast Failover Select this check box to enable Fast Failover for the availability pair. on the peer controller. 5 In the Synchronize Options section, do the following:

Synchronize Guest Portal Accounts Select this check box to push GuestPortal user accounts to the peer controller. 6 Click Next. ExtremeWireless V10.41.06 User Guide 540 Availability and Session Availability 7 If you are synchronizing topology denitions, the Topology Denitions screen displays. Do the following:

a In the Synchronization Settings section, complete the topology properties that are missing. Any topology that did not already exist on the peer controller will have missing properties on the TTopology Denitions screen. The elds congured are actual parameter values that are congured at the remote Controller with respect to associated topologies chosen for synchronization. Some of these parameters are:

Interface IP address, Netmask, L2 port, VLAN (Virtual LAN) ID, DHCP range, etc. b Click Finish. 8 If you are not synchronizing topology denitions, the availability wizard completes the conguration. 9 Click Close. Conguring Availability Manually The Sync status for any of these elements can also be changed from this tab. This operation marks the desired topologies for synchronization. The two controllers exchange information and the conguration is applied to the remote controller. D On the local controller, the Enable Synchronization of System Conguration becomes selected. This can be double checked by navigating to VNS > Global > Sync Summary. This tab also lists all topologies, roles, WLAN Services and VNSes with their synchronization status (on or off). All these congurable elements have a Synchronize check box (on their main/general conguration tab) that allows for individual control and selection of availability from the main element conguration page. raft 1 On the wireless controller Availability screen, set up the controller in Paired Mode. 2 On the VVNS conguration window, dene a VNS (through topology, WLAN service, role and VNS conguration) on each controller with the same SSID. The IP addresses must be unique. For more information, see Manually Creating a VNS on page 423. A controller VLAN Bridged topology can permit two controllers to share the same subnet. This setup provides support for mobility users in a VLAN Bridged VNS. APs to connect option so that no more APs can register unless they are approved by the administrator. 3 On both controllers, on the AP Registration screen, select the Security Mode Allow only approved 4 On each controller, on the AP conguration Access Approval screen, check the status of the APs When conguring availability manually, you congure each controller separately. and approve any APs that should be connected to that controller. System AP defaults can be used to assign a group of VNSs to the foreign APs:

If the APs are not yet known to the system, the AP will be initially congured according to AP default settings. To ensure better transition in availability, Extreme Networks recommends that the AP default settings match the desired assignment for failover APs. AP assignment to WLAN Services according to the AP default settings can be overwritten by manually modifying the AP assignment. (For example, select and assign each WLAN service that the AP should connect to.) If specic foreign APs have been assigned to a WLAN service, those specic foreign AP assignments are used. ExtremeWireless V10.41.06 User Guide 541 Availability and Session Availability Alternate Method to Setting Up a Wireless AP An alternate method to setting up Wireless APs for Availability mode include:

1 Add each AP manually to each controller. 2 On the AAP Properties screen, click Add Wireless AP. 3 Dene the AP, and then click Add Wireless AP. Manually dened APs will inherit the default AP conguration settings. Caution If two wireless controllers are paired and one has the Allow All option set for AP registration, all APs will register with that wireless controller. Setting the Primary or Secondary Wireless Controllers for Availability To set the primary or secondary controllers for availability:

D 1 2 In the left pane, click Administration > Availability. From the top menu, click Controller. The WWireless Controller Conguration screen displays. raft 3 To enable availability, select the Paired option. 4 Do one of the following:

For a primary controller, in the Wireless IP Address box, type the IP address of the data interface of the secondary controller. This IP address must be on a routable subnet between the two controllers. For a secondary controller, in the Wireless IP Address box, type the IP address of the Management port or data interface of the primary controller. ExtremeWireless V10.41.06 User Guide 542 Availability and Session Availability 5 Set this controller as the primary or secondary connection point:

To set this controller as the primary connection point, select the Current Wireless is primary connect point check box. To set this controller as the secondary connection point, clear the Current Wireless is primary connect point check box. If the Current Wireless is primary connect point check box is selected, the specied controller sends a connection request. If the Current Wireless is primary connect point check box is cleared, the specied controller waits for a connection request. Conrm that one controller has this check box selected, and the second controller has this check box cleared, since improper conguration of this option will result in incorrect network conguration. 6 On both the primary and secondary controllers, type the Detect link failure value. NNote Ensure that the Detect link failure value on both the controllers is identical. D 7 On both the primary and secondary controllers, select the Synchronize GuestPortal Guest Users option to synchronize GuestPortal guest accounts between the controllers. Allow only approved wireless APs to connect If the controller does not recognize the serial 8 From the top menu, click AP. 9 In the left pane, click Global Settings > AP Registration. To set the security mode for the controller, select one of the following options:

Allow all wireless APs to connect If the controller does not recognize the serial number, it sends a default conguration to the AP. Or, if the controller recognizes the serial number, it sends the specic conguration (port and binding key) set for that AP. number, the APs will be in pending mode and the administrator must manually approve them. Or, if the controller recognizes the serial number, it sends the conguration for that AP. raft Note During the initial setup of the network, it is recommended that you select the Allow all Wireless APs to connect option. This option is the most efficient way to get a large number of APs registered with the controller. Once the initial setup is complete, it is recommended that you reset the security mode to the Allow only approved Wireless APs to connect option. This option ensures that no unapproved APs are allowed to connect. For more information, see Conguring Wireless AP Properties on page 156. 10 To save your changes, click Save. Note When two controllers have been paired as described above, each controller's registered APs will appear as foreign on the other controller in the list of available APs when conguring a VNS topology. 11 Verify that availability is congured correctly. Verifying Availability To verify that availability is congured correctly:

ExtremeWireless V10.41.06 User Guide 543 Availability and Session Availability 1 From the top menu of either of the two controllers, click Reports. D 2 From the Reports and Displays menu, click AP Availability. The Wireless Availability Report is displayed. raft 3 Check the statement at the top of the screen. If the statement reads Availability link is up, the availability feature is congured correctly. If the statement reads Availability link is down, check the conguration error logs. For more information on logs, see the Extreme Networks ExtremeWireless Maintenance Guide. ExtremeWireless V10.41.06 User Guide 5544 Availability and Session Availability Session Availability Session availability enables wireless APs to switch over to a standby (secondary) wireless controller fast enough to maintain the mobile users session availability in the following scenarios:

The primary wireless controller fails (see Figure 169). D Figure 169: AP Fail Over When Primary Controller Fails The wireless APs network connectivity to the primary controller fails (see Figure 170). raft Figure 170: AP Fail Over When Connectivity to Primary Fails The secondary controller does not have to detect its link failure with the primary controller for the session availability to kick in. If the AP loses ve consecutive polls to the primary controller either due to the controller outage or connectivity failure, it fails over to the secondary controller fast enough to maintain the user session. ExtremeWireless V10.41.06 User Guide 5545 Availability and Session Availability In session availability mode (Figure 171), the APs connect to both the primary and secondary controllers. While the connectivity to the primary controller is via the active tunnel, the connectivity to the secondary controller is via the backup tunnel. Figure 171: Session Availability Mode raft The following is the traffic ow of the topology illustrated in Figure 171:

The AP establishes the active tunnel to connect to the primary controller. The controller sends the conguration to the AP. This conguration also contains the port information of the secondary controller. On the basis of the secondary controllers port information, the AP connects to the secondary The AP receives the backup conguration and stores it in its memory to use it for failing over to the secondary controller. All this while, the AP is connected to the primary controller via the active tunnel. After the connection is established via the backup tunnel, the secondary controller sends the backup controller via the backup tunnel. conguration to the wireless AP. Session availability applies only to the following topologies:

Bridge Traffic Locally at Controller Bridge Traffic Locally at AP Events and Actions in Session Availability In the event of a primary controller outage, or the network connectivity failure to the primary controller, the wireless AP:

ExtremeWireless V10.41.06 User Guide 5546 Availability and Session Availability Sends a tunnel-active-req request message to the secondary controller. The secondary controller accepts the request by sending the tunnel-activate-response message. The AP applies the backup conguration and starts sending the data. The client devices authentication state is not preserved during failover. When the fast failover takes place, a critical message is displayed in the information log of the secondary controller. NNote In session availability, the maximum number of failover APs that the secondary controller can accommodate is equal to the maximum number of APs supported by the hardware platform. Access Approval screen. After the APs are released, they establish the active tunnel to their home controller and backup tunnel to the secondary controller. When the failed controller recovers, each controller in the pair goes back to normal mode. They exchange information that includes the latest lists of registered APs. The administrator must release the APs manually on the second controller, so that they may re-register with their home controller. Foreign APs can now all be released at once by using the Approve as Foreign button on the Access Approval screen to select all foreign APs, and then clicking Released. D To support the availability feature during a failover event, administrators need to do the following:

1 Monitor the critical messages for the failover mode message, in the information log of the secondary controller (in the Logs & Traces section of the Wireless Assistant). 2 After recovery, on the secondary controller, select the foreign APs, and then click Release on the raft In session availability, mobile user devices are able to retain their IP address. In addition, the mobile user device does not have to have to re-associate after the failover. These characteristics ensure that the failover is achieved within 5 seconds, which is fast enough to maintain the mobile users session. Session availability is supported when fast failover is enabled and when Synchronize System Conguration is selected. For more information, see Conguring Fast Failover and Enabling Session Availability on page 548. Note In session availability, the fast failover is achieved within 5 seconds only if there is at least one client device (mobile unit) associated to the AP. In the absence of any client device, the AP takes more time to failover since there is no need to preserve the user session. Enabling Session Availability The authentication state is not preserved during fast failover. If a WLAN Service requires authentication, the client device must re-authenticate. However, in such a case, the session availability is not guaranteed because authentication may require additional time during which the user session may be disrupted. Session availability is not supported in a WLAN Service that uses Captive Portal (CP) authentication. Session availability does not support user-specic lters as these lters are not shared between the primary and secondary controller. ExtremeWireless V10.41.06 User Guide 547 Availability and Session Availability Conguring Fast Failover and Enabling Session Availability Before you congure the fast failover feature, ensure the following:

The primary and secondary controllers are properly congured in availability mode. For more information, see Availability on page 537. The pair of controllers in availability mode is formed by one of the following combinations:

C5110 and C5110 C5210 and C5210 C5215 and C5215 C4110 and C4110 C5110 and C4110 V2110 and V2110 (Using the same V2110 prole, two V2110 Small, or two V2110 Medium, or two V2110 Large.) C25 and C25 C35 and C35 D ExtremeWireless software. Both the primary and secondary controllers are running the most recent Extreme Networks Both the primary and secondary controllers have equivalent upstream access to the servers on which they depend. For example, both the controllers must have access to the same RADIUS and DHCP servers. which controller the APs associate with. For example, the fast failover feature will not support the deployment in which the two controllers in availability mode are connected via a WAN link. A network connection exists between the two controllers. The APs are operating in availability mode. The deployment is designed in such a way that the service provided by the APs is not dependent on raft Note The fast failover feature works optimally in fast networks (preferably switched networks). Time on all the network elements (both the controllers in availability pair, APs, DHCP and RADIUS The users (client devices) that use DHCP must obtain their addresses from a DHCP Server that is servers etc.) is synchronized. For more information, see Conguring Network Time on page 89. To congure Fast Failover and enable Session Availability:

external to the controller. Log on to both the primary and secondary controllers. 1 2 From the top menu of the primary controller, click Controller. ExtremeWireless V10.41.06 User Guide 548 Availability and Session Availability 3 In the left pane, click Administration > Availability. D 4 Under Controller Availability Settings, select Paired. 5 Select the Fast Failover check box. 6 Type the appropriate value in the Detect link failure box. raft The Detect link failure eld species the period within which the system detects link failure after the link has failed. For fast failover conguration, this parameter is tied closely to the Poll Timeout parameter on the AAP Properties tab Advanced dialog. The Poll Timeout eld species the period for which the wireless AP waits before re-attempting to establish a link when its polling to the primary controller fails. For the fast failover feature to work within 5 seconds, the Poll Timeout value should be 1.5 to 2 times the Detect link failure value. For example, if you have set the Detect link failure value to 2 seconds, the Poll Timeout value should be set to 3 or 4 seconds. 7 In the Synchronization Option area, select Synchronize System Conguration. This is a global parameter that enables synchronization of VNS conguration components (topology, role, WLAN Service, VNS) on both controllers paired for availability and/or fast failover. For more information about synchronization, see Using the Sync Summary on page 414. 8 Click Save. ExtremeWireless V10.41.06 User Guide 549 Availability and Session Availability 9 Set the APs Poll Timeout value for fast failover. a From the top menu of the primary controller, click AP. b Select the check box for one or more APs. c Click Actions > Multi Edit. The MMulti Edit dialog displays. D d In the Poll Timeout eld, enter the poll timeout value in seconds. e Click Apply. ExtremeWireless V10.41.06 User Guide Note 550 daryyryryryryryryryryryyyyyy The fast failover conguration must be identical on both the primary and secondary controllers. Logs are generated if the conguration is not identical. For more information, see ooorrrrmrrrrrr ation the ExtremeWireless Maintenance Guide. Availability and Session Availability After you have congured fast failover, you can verify session availability to preserve the user session during the failover. Verifying Session Availability To have session availability, you must ensure the following:

The primary and secondary wireless controllers are properly congured in availability mode. For more information, see Availability on page 537. The fast failover feature is properly congured. For more information, see Conguring Fast Failover and Enabling Session Availability on page 548. NNote If you havent congured the fast failover feature, the Enable Session Availability check box is not displayed. Time on all the network elements both the wireless controllers in availability pair, APs, DHCP and RADIUS servers etc. is synchronized. For more information, see Conguring Network Time on page 89. D controller software release. Both the wireless controllers in fast failover mode must be running the most recent wireless If you are using Bridge Traffic Locally at Controller topology, you must select None from the DHCP The Bridge Traffic Locally at Controller must be mapped to the same VLAN on both the primary Option drop-down menu. and secondary wireless controllers. raf To Verify that the session availability feature is congured correctly:

1 From the top menu of either of the two controllers, click Reports. ExtremeWireless V10.41.06 User Guide 551 Availability and Session Availability 2 From the Reports and Displays menu, click Wireless AP Availability. The Wireless Availability Report is displayed. aft 3 Check the statement at the top of the screen. If the statement reads Availability link is up, the availability feature is congured correctly. If the statement reads Availability link is down, check the conguration error in logs. For more information on logs, see the Extreme Networks ExtremeWireless Maintenance Guide. To verify that all elements have been synchronized correctly, navigate to the VNS tab on both the primary and secondary controllers, and conrm that the topologies, WLAN services, roles and desired VNSs are displayed as [synchronized]. Verify Synchronization You can verify this by selecting the appropriate tabs and then inspecting the Synchronized ags or by navigating to VNS > Global > Sync Summary. Conguration synchronization:

VNS conguration related synchronization will be supported with legacy or fast failover availability conguration as long as there is an availability link established. Synchronization for VNS, WLAN Services, Roles, Topologies, and Rate Limit Proles can be enabled/

disabled individually. ExtremeWireless V10.41.06 User Guide 552 Availability and Session Availability VNS, WLAN Service, Role, Topology, and Rate Limit Prole conguration will be dynamically synchronized when synchronization is enabled individually between a pair of controllers. MU session synchronization:

MU session synchronization will be supported only when there is fast failover congured between two controllers. If mobility is disabled, MU session with Bridge Traffic Locally at AP, Bridge Traffic Locally at Controller, and Routed topologies will all be synchronized between a pair of controllers. If mobility is enabled, an MU session with Routed topologies will not be synchronized. Viewing SLP Activity In normal operations, the primary controller registers as an SLP service called ac_manager. The controller service directs the APs to the appropriate controller. During an outage, if the remaining controller is the secondary controller, it registers as the SLP service ru_manager. To view SLP activity:

From the top menu, click AP. 1 2 In the left pane, click Global Settings > AP Registration. D r ExtremeWireless V10.41.06 User Guide 5553 Availability and Session Availability 3 To conrm SLP registration, click View SLP Registration. A screen displays the results of the diagnostic slpdump tool, to conrm SLP registration. ft ExtremeWireless V10.41.06 User Guide 5554 14 Conguring Mobility MMobility Overview Mobility Domain Topologies Conguring a Mobility Domain Mobility Overview The ExtremeWireless system allows up to 12 controllers on a network to discover each other and exchange information about a client session. This technique enables a wireless device user to roam seamlessly between different APs on different controllers. D The solution introduces the concept of a mobility manager; one controller on the network is designated as the mobility manager and all others are designated as mobility agents. The wireless device keeps the IP address, and the service assignments it received from its home controllerthe controller that it rst connected to. The WLAN (Wireless Local Area Network) Service on each controller must have the same SSID and RF privacy parameter settings. You have two options for choosing the mobility manager:

Rely on SLP with DHCP (Dynamic Host Conguration Protocol) Option 78 Dene at the agent, the IP address of the mobility manager. By explicitly dening the IP address, the agent and the mobility manager are able to nd each other directly without using the SLP discovery mechanisms. Direct IP denition is recommended to provide tighter control of the registration steps for multi-domain installations. raft The controller designated as the mobility manager:

Is explicitly identied as the manager for a specic mobility domain. Agents connect to this manager Denes, at the agent, the IP address of the mobility manager, which allows for the bypass of SLP. Uses SLP, if this method is preferred, to register itself with the SLP Directory Agent as Extreme Agents directly nd and attempt to register with the mobility manager. to establish a mobility domain. NetworksNet. Denes the registration behavior for a multi-controller mobility domain set:

Open mode A new agent is automatically able to register itself with the mobility manager and immediately becomes part of the mobility domain. Secure mode The mobility manager does not allow a new agent to automatically register. Instead, the connection with the new agent is placed in a pending state until the administrator approves the new device. Listens for connection attempts from mobility agents. Establishes connections and sends a message to the mobility agent specifying the heartbeat interval, and the mobility manager's IP address if it receives a connection attempt from the agent. ExtremeWireless V10.41.06 User Guide 555 Conguring Mobility Sends regular heartbeat messages containing wireless device session changes and agent changes to the mobility agents and waits for a returned update message. Establishes a connection to an optional backup mobility manager that can be congured to back up the primary mobility manager. The controller designated as a mobility agent does the following:

Uses SLP or a statically congured IP address to locate the mobility manager. Denes at the agent the IP address of the mobility manager, which allows for the bypass of SLP. Agents directly nd and attempt to register with the mobility manager. Attempts to establish a TCP/IP connection with the mobility manager. Connects to an optional backup mobility manager that can be congured to back up the primary mobility manager. Sends updates, in response to the heartbeat message, on the wireless device users and the data tunnels to the mobility manager. D If a controller congured as the mobility manager is lost, with a backup mobility manager congured, the following occurs:

If enabled, the controller establishes a connection to the optional backup mobility manager. When a failure occurs, the backup manager becomes the primary manager and control tunnels are re-

negotiated. The data tunnels are not affected. When the primary manager comes back online, the backup manager detects the higher priority manager and switches back to agent (passive) mode. If a controller congured as the mobility manager is lost, without a backup mobility manager, the following occurs:

Agent to agent connections remain active. The mobility agents continue to operate based on the mobility information last coordinated before the manager link was lost. The mobility location list remains relatively unaffected by the controller failure. Only entries associated with the failed controller are cleared from the registration list, and users that have roamed from the manager controller to other agents are terminated and required to re-register as local users with the agent where they are currently located. raft The data link between active controllers remains active after the loss of a mobility manager. Mobility agents continue to use the last set of mobility location lists to service known users. Existing users remain in the mobility scenario, and if the users are known to the mobility domain, New users become local at attaching controller. Roaming to another controller resets session. they continue to be able to roam between connected controllers. The mobility network that includes all the wireless controllers and the APs is called the Mobility Domain. NNote The mobility feature is not backward compatible. This means that all the controllers in the mobility domain must be running the most recent controller software release. Mobility Domain Topologies You can congure a mobility domain in the following scenarios:

ExtremeWireless V10.41.06 User Guide 556 Conguring Mobility Mobility domain without availability Mobility domain with availability Mobility domain with session availability NNote When conguring a mobility domain with availability or session availability, synchronize time on all the wireless controllers that are part of your mobility domain. For more information, see Conguring Network Time on page 89. D Figure 172: Mobility Domain with Fast Failover and Session Availability Features The users home session is with Controller1. When the user roams from wireless AP 1 to wireless AP 2, he establishes his home session with raft Note The mobility managers heart beat time is congurable. If you are conguring a mobility domain with session availability, you should congure the heart beat time as one second to enable the mobility manager to update its tables quickly. When the user roams, AP 1 receives a notication that the user has roamed away following which it marks the user session as inactive. Consequently, no statistics are sent to the Controller 1 for that user. sends updates that the user has a new home on Controller 2. Upon receiving the updates, the mobility manager updates its own tables. In response to the heart beat message from the mobility manager (Controller 3), the Controller 2 Controller2. If a failover takes place, and the user is still associated with AP 1:

AP1 fails over, and establishes an active session with Controller 2. In response to the heart beat message from the mobility manager (Controller 3), the Controller 2 sends updates to the mobility manager on the failover AP and its user. If a failover takes place, and the user has roamed to wireless AP 2:

As part of roaming, the users home session moves from Controller 1 to Controlle r2. AP1 establishes active session with Controller 2. AP 2 is not impacted by the failover. ExtremeWireless V10.41.06 User Guide 557 Conguring Mobility Conguring a Mobility Domain When conguring a mobility domain with availability or session availability, synchronize time on all the wireless controllers that are part of your mobility domain. For more information, see Conguring Network Time on page 89. Designating a Mobility Manager To designate a mobility manager:

From the top menu, click Controller. 1 2 In the left pane, click Services > Mobility Manager. 3 To enable mobility for this controller, select the Mobility check box. The controller mobility options are displayed. D 4 Select the This Wireless Controller is a Mobility Manager option. The mobility manager options are displayed. 5 In the Port drop-down list, select the interface on the controller to be used for the mobility manager process. Ensure that the selected interfaces IP address is routable on the network. ExtremeWireless V10.41.06 User Guide 5558 Conguring Mobility 6 In the Heartbeat eld, type the time interval (in seconds) at which the mobility manager sends a Heartbeat message to a mobility agent. NNote When the mobility domain is congured for fast failover and session availability, congure the mobility managers heart beat time as one second. 7 In the SLP Registration drop-down list, select whether to enable or disable SLP registration. 8 In the Permission list, select the agent IP addresses you want to approve that are in pending state, by selecting the agent and clicking Approve. New agents are only added to the domain if they are approved. To add a controller to the mobility domain, type the agent IP address in the box, and then click Add. This can only be done from the primary manager. To assign a backup manager, select a controller from the Permission List, and click Backup mgr. To delete a controller, click the controller in the list, and then click Delete. This can only be done from the primary manager. D 9 Select the Security Mode option:

10 Click Save. to the mobility manager. Allow all mobility agents to connect All mobility agents can connect to the mobility manager. Allow only approved mobility agents to connect Only approved mobility agents can connect Note If you set up one wireless controller on the network as a mobility manager, all other controllers must be set up as mobility agents. raft From the top menu, click Controller. 1 2 In the left pane, click Services > Mobility Manager. 3 Select the Mobility check box. The controller mobility options are displayed. To designate a mobility agent:

Designating a Mobility Agent ExtremeWireless V10.41.06 User Guide 559 Conguring Mobility 4 Select the This Wireless Controller is a Mobility Agent option. The mobility agent options are displayed. D process. Ensure that the port selected is routable on the network. 6 From the Discovery Method drop-down list, select one of the following:

5 From the Port drop-down list, select the port on the controller to be used for the mobility agent 7 In the Mobility Manager Address box, type the IP address for the designated mobility manager. The Backup Manager Address box displays the IP address of the backup controller. SLPD Service Location Protocol Daemon, a background process acting as an SLP server, provides the functionality of the Directory Agent and Service Agent for SLP. Use SLP to locate the area mobility manager controller. Static Conguration You must provide the IP address of the mobility manager manually. Dening a static conguration for a mobility manager IP address bypasses SLP discovery. raft For information about viewing mobility manager displays, see Viewing Mobility Reports on page 650. 8 Click Save. ExtremeWireless V10.41.06 User Guide 5560 15 Working with Third-party APs DDening Authentication by Captive Portal for the Third-party AP WLAN Service Dening the Third-party APs List Dening Policy Rules for the Third-party APs Service, click the Auth & Acct tab. External Authentication on page 349. 1 On the WWLAN conguration window for the third-party WLAN (Wireless Local Area Network) Dening Authentication by Captive Portal for the Third-party AP WLAN Service D 802.1x Authentication is not supported directly by the wireless controller. However, this type of authentication can be supported by the actual third-party AP. All other options for authentication are supported at the controller. 2 In the Authentication Mode drop-down list, click Internal or External, and then click Congure. 3 Dene the Captive Portal conguration as described in Conguring Captive Portal for Internal or raft In the WLAN Services panel, select the third-party WLAN Service. 1 2 In the IP Address eld, type the IP address of a third-party AP. 3 In the Wired MAC Address eld, type the MAC address of the AP. 4 Click Add to add the AP to the list. 5 Repeat for all third-party APs to be assigned to this WLAN Service. Dening Policy Rules for the Third-party APs Dening the Third-party APs List 1 Because the third-party APs are mapped to a physical topology, you must dene the Exception lters on the physical topology, using the Exception Filters tab. For more information, see Exception Filtering on page 278. 2 Dene policy rules that allow access to other services and protocols on the network such as HTTP, FTP, and SNMP (Simple Network Management Protocol). 3 On the Multicast Filters tab, select Enable Multicast Support and congure the multicast groups whose traffic is allowed to be forwarded to and from the VNS using this topology. For more information, see Multicast Filtering on page 281. In addition, modify the following functions on the third-party AP:

ExtremeWireless V10.41.06 User Guide 561 Working with Third-party APs Disable the AP's DHCP (Dynamic Host Conguration Protocol) server, so that the IP address assignment for any wireless device on the AP is from the DHCP server at the controller with VNS information. Disable the third-party AP's layer-3 IP routing capability and set the access point to work as a layer-2 bridge. The following are the differences between third-party APs and APs on the Extreme Networks ExtremeWireless system:

A third-party AP exchanges data with the controller's data port using standard IP over Ethernet protocol. The third-party access points do not support the tunnelling protocol for encapsulation. For third-party APs, the VNS is mapped to the physical data port and this is the default gateway for mobile units supported by the third-party access points. A controller cannot directly control or manage the conguration of a third-party access point. Third-party APs are required to broadcast an SSID unique to their segment. This SSID cannot be Roaming from third-party APs to wireless APs and vice versa is not supported. used by any other VNS. D raft ExtremeWireless V10.41.06 User Guide 562 16 Working with ExtremeWireless Radar RRadar Overview Radar Components Radar License Requirements Enabling the Analysis Engine Radar Scan Proles AirDefense Prole Viewing Existing Radar Proles Adding a New Radar Prole Conguring an In-Service Scan Prole Conguring a Guardian Scan Prole Assigning an AP to a Prole Viewing the List of Assigned APs Maintaining the Radar List of APs Working with Radar Reports D raft Radar is a set of advanced, intelligent features for managing the wireless environment. Radar includes advanced features for:

Device location tracking Wireless-Intrusion-Detection and Wireless-Intrusion-Prevention (WIDS-WIPS) Advanced load balancing capability Radar provides a basic solution for discovering unauthorized devices within the wireless coverage area. Radar performs basic RF network analysis to identify unmanaged APs and personal ad-hoc networks. The Radar feature set includes: intrusion detection, prevention and interference detection. All APs can provide WIDS and traffic forwarding functionality, simultaneously and, if congured to do so, will apply countermeasures to detected wireless intrusions. Radar Overview All APs (except 3705) can be placed in Guardian mode. In this mode, the AP dedicates both radios for intrusion detection and prevention functions. Guardians are capable of detecting and mitigating attacks on wireless channels that are not being used for traffic forwarding by the authorized network. When controllers are congured in an availability pair, the Radar feature operates in High Availability mode, allowing Radar to retain its conguration, historical, and runtime data in the case of an availability pair controller failure. In High Availability mode, the conguration and runtime on both controllers is synchronized. ExtremeWireless V10.41.06 User Guide 563 Working with ExtremeWireless Radar Radar Components Figure 173 illustrates the major components of Radar. Analysis Engine Overview D Figure 173: Radar System Components Radar requires that one controller host the Analysis Engine, and a data collector application, is installed on each controller. The data collector receives and manages the RF scan messages sent by each AP. The data collector forwards to the Analysis Engine lists of all connected wireless APs, third-party APs and RF scan information collected from participating APs. raft The Analysis Engine processes the scan data from the data collectors through algorithms that make decisions about whether any of the detected APs or clients are threats or are running in an unsecure environment (for example, in ad-hoc mode). APs must be part of a Radar scan prole to participate in WIDS-WIPS activity. A scan prole is a collection of WIDS-WIPS conguration options that can be assigned to appropriate APs. The actual conguration options depend on whether the prole is an In-Service or Guardian scan prole. The Analysis Engine relies on a database of connected devices on the Extreme Networks ExtremeWireless system. The database is basically a compiled list of all APs and clients connected to the controller. The Analysis Engine compares the data from the data collector with the database of known devices. For more information on enabling the Analysis Engine, see Enabling the Analysis Engine on page 565. Radar Functionality on the Controller The Analysis Engine can run on a standalone controller or on a High Availability pair. The controller's Analysis Engine works only with local data collectors and with data collectors of the controller's availability partner. ExtremeWireless V10.41.06 User Guide 5564 Working with ExtremeWireless Radar Radar Functionality on the Wireless AP An AP can be assigned to only one scan prole and only needs to be added to a prole if it is to be used for scanning. APs run a radio frequency (RF) scanning task. The APs scan for threats and perform countermeasures while simultaneously providing full traffic forwarding services including the application of role. NNote When you enable countermeasures, the countermeasures apply to threats on channels that receive forwarded traffic. Radar License Requirements All APs, except 3705, support Guardian mode prole. In Guardian mode, the APs rapidly sweep across multiple channels. This allows for threat detection on channels that are being used by APs that are not authorized to provide service. However, the more channels the AP has to defend concurrently, the less thoroughly it can defend any one channel. The AP will only defend a channel if an actual threat is detected on that channel, and if the Analysis Engine on the controller is able to distribute responsibility for dealing with concurrent active threats among multiple APs. D Note If an AP is part of a WDS/Mesh link, you cannot congure it to act as a Guardian AP or In Service prole AP in Radar. raft Radar functionality is controlled by capacity licenses installed on the controller and activated as an option key. For more information on the Option Key, see Applying Product License Keys on page 47. Any AP assigned to an In-Service scan prole counts as 1 against the licensed Radar capacity. The base capacity for all controllers is 2, and any capacity increment can be installed on any controller. The maximum number of APs that can be licensed for Radar is twice the platform limit for local APs. Once the maximum number of APs is reached, no new licenses can be installed. The radar capacity is twice the platform system AP limit for Cloud Provider and Subscription license types. AP Limitations Enabling the Analysis Engine Before using WIPS (Wireless Intrusion Prevention System), you must enable and dene the Analysis and Data Collector Engines. If using In-Service scan proles, only the controller itself and its availability pair report to the Analysis Engine. For more information, see Conguring an In-Service Scan Prole on page 574. To enable the Analysis Engine:

ExtremeWireless V10.41.06 User Guide 565 Working with ExtremeWireless Radar 1 From the top menu, click WIPS. The Conguration > Engine Settings screen displays. 2 If not already selected, select Security Analysis Engine and click Save. ft Figure 174: Radar Engine Settings Radar Scan Proles Radar scan proles provide the ability to organize scans for rogue activity based on a specic set of parameters such as radio assignments and desired channels. APs can be selected from a list of Assigned APs or a new AP can be added to the scan prole. An AP can only belong to one scan prole. Radar provides In-Service and Guardian scan proles. Any AP can use the In-Service scan prole. All APs, except 3705, can use the Guardian scan prole. ExtremeWireless V10.41.06 User Guide 5566 Working with ExtremeWireless Radar The AP39xx support the AirDefense prole. This prole integrates the AP39xx with the AirDefense Services Platform, offering an alternative to the Guardian Scan Prole. RRelated Links Conguring an In-Service Scan Prole on page 574 Conguring a Guardian Scan Prole on page 577 Conguring an AirDefense Prole on page 568 In-Service Scan Proles Related Links Guardian Scan Proles In-Service scan proles work with any AP type and include the following:

A set of countermeasure that lists possible prevention options to counter specic types of threats. Support for automatic blacklisting, which automatically removes network access from devices performing certain types of wireless attacks. The administrator can congure the length of time that a device remains on the blacklist. D In-Service Scan Prole Prevention Settings on page 575 Blacklisted Clients on page 598 raft A set of countermeasure that lists possible prevention options to counter specic types of threats. For more information, see In-Service Scan Prole Prevention Settings on page 575. Support for automatic blacklisting which allows the administrator to list which MAC addresses should be allowed or denied on the network. For more information, see Blacklisted Clients on page 598. Guardian scan proles work with all AP types (except AP3705) and include the following:

An AP operating in Guardian mode does not bridge traffic and instead devotes all of the APs An AP assigned to a Guardian scan prole stops providing any services (WLAN (Wireless Local Area An AP is added to a Guardian scan mode in its entirety. There is no option to dedicate one radio to A list of all possible channels that the Gardian AP could scan. Each channel has a check box which when checked enables scanning by any AP in the group. resources to threat detection and countermeasures. Network) service, load groups, site) immediately. scanning and the other to forwarding. Addresses added to the blacklist manually are there until they are manually removed. If blacklisting clients is enabled, you can set the maximum amount of time a device can be blacklisted. Related Links AirDefense Prole on page 567 AirDefense Prole The AP integrates with the AirDefense Service Platform (ADSP), offering an additional prole option that allows the AP to function as an AirDefense sensor or to act as a sensor and retain the ability to ExtremeWireless V10.41.06 User Guide 567 Working with ExtremeWireless Radar forward traffic. When the AP is congured with a AirDefense dedicated sensor prole, the functionality of the AP is controlled by the ADSP server. When the AP is congured as a AirDefense Radio Share prole, it continues to forward traffic while sending packets to an ADSP server. In dedicated sensor mode, the AP operates independently from the controller while the controller continues to see the AP and display the AP Role as a dedicated AirDefense sensor. In its role as a dedicated sensor, the AP does not report statistics to the controller. However, the WASSP-tunnel is maintained to allow future reconguration. In the Radio Share mode, both radios on the AP operate as both a sensor and a traffic forwarder. The controller conguration indicates whether the radios gather all packet traffic or packet traffic for only APs registered with ADSP. With Radio Share, you also have the option to scan neighboring channels in addition to the operating channel. RRelated Links AP39xx supports AirDefense proles. Conguring an AirDefense Prole on page 568 D Conguring an AirDefense Prole Congure an AirDefense prole that allows the AP to function as an AirDefense dedicated sensor or as a Radio Share prole. From the top menu, click WIPS. 1 2 If not already selected, select Security Analysis Engine and click Save. 3 Select AirDefense Proles. 4 From the AAirDefense Proles screen, click New. 5 Select the Prole type. Valid values are:

raft The radios are both ADSP sensors and they forward traffic to the controller. The radio is a dedicated ADSP sensor, controlled by the ADSP server. Dedicated Radio Share ExtremeWireless V10.41.06 User Guide 568 Working with ExtremeWireless Radar aftFigure 175: AirDefense Prole Dedicated Conguration ExtremeWireless V10.41.06 User Guide 5569 Working with ExtremeWireless Radar D Figure 176: AirDefense Prole Radio Share Conguration 6 On the CConguration tab congure the following parameters:

Table 107: AirDefense Prole Conguration Settings Field Description raft The IP address of the AirDefense servers. Provide the FQDN or IPv4 string, maximum 255 characters. Scan prole name Name AirDefense Servers Radio Share ExtremeWireless V10.41.06 User Guide 570 Working with ExtremeWireless Radar Table 107: AirDefense Prole Conguration Settings (continued) FField Description Off Channel Scanning Radio Mode Enable Off Channel Scanning. Allow the radio to perform periodic scanning on neighboring channels in addition to the operating channel. Note: Providing service on the operating channel has priority over scanning neighboring channels. Radio mode for packet transfer. Valid values are:

Off. When the radio mode is set to Off, the Radio Share capability is disabled, regardless of the selected Prole type. Inline. AP reports to the ADSP server only its own traffic and multicast / broadcast traffic such as beacons and probe requests. Inline mode has minimal impact on AP performance, because the AP reports to the ADSP server only traffic that it processes. D Promiscuous. AP receives all packets seen on its operating Note: Set AP to Promiscuous mode when AP is required to perform Termination. channel and forwards them to the ADSP server. Promiscuous mode loads the AP resources, because the AP processes traffic intended for all neighboring APs. In high-density, wireless deployments, use dedicated sensors instead of Radio Share in Promiscuous mode. raft Related Links AirDefense Prole on page 567 Conguring an In-Service Scan Prole on page 574 Conguring a Guardian Scan Prole on page 577 Viewing Existing Radar Proles From the top menu, click WIPS. 1 2 If not already selected, select Security Analysis Engine and click Save. 3 In the left pane, click Radar Proles. The RRadar Proles screen displays. ExtremeWireless V10.41.06 User Guide 571 Working with ExtremeWireless Radar D Figure 177: In-Service Proles Table 108: Scan Proles - Fields and Buttons FField/Button Description raft Indicates whether the prole enables security scanning on APs assigned to the prole. Indicates that the scan prole does not enable security scanning. Indicates that the scan prole enables security scanning. The name of the scan prole. In-Service or Guardian. Name Prole Security Scan ExtremeWireless V10.41.06 User Guide 572 Working with ExtremeWireless Radar Table 108: Scan Proles - Fields and Buttons (continued) FField/Button Description Interference Scan Interference classication compares patterns in RF interference to known interference patterns to help identify the source of the interference. Indicates that the interference scan classication is enabled on specic APs assigned to the prole. New Delete Selected Status D Indicates that the interference scan classication is not enabled on specic APs assigned to the prole. Click to delete the selected scan prole. Enabled: Indicates that the scan prole is enabled (for example, whether the APs assigned to the prole are scanning in accordance with the prole). Scan proles are Enabled if either security scanning or interference scanning is enabled. Click to create a new scan prole (see Adding a New Radar Prole on page 573). Disabled: Indicates that the scan prole is disabled. A disabled prole means the prole is dened but any APs assigned to the prole are not performing scans. raft Adding a New Radar Prole From the top menu, click WIPS. 1 2 If not already selected, select Security Analysis Engine and click Save. 3 Select Radar Proles. 4 From the RRadar Proles screen, click New. ExtremeWireless V10.41.06 User Guide 573 Working with ExtremeWireless Radar 5 In the AAdd Radar Prole dialog, select the prole type:

Guardian In-Service ft Figure 178: Add Radar Prole For information about conguring the prole:

Conguring an AirDefense Prole on page 568 Conguring a Guardian Scan Prole on page 577. Conguring an In-Service Scan Prole on page 574. Conguring an In-Service Scan Prole Congure the following for an In-Service scan prole:

Detection Settings Prevention Settings ExtremeWireless V10.41.06 User Guide 574 Working with ExtremeWireless Radar List of Assigned APs RRelated Links Assigning an AP to a Prole on page 581 Viewing the List of Assigned APs on page 581 In-Service Scan Prole Detection Settings Note Once an In-Service scan prole is created, the DDetection tab appears. Select the DDetection tab. D raft From the Core pane, type a unique name for the scan prole and congure the following detection options:

Scan for security threats. For more information, see Security Threats on page 594. Rogue AP detection. Select this option to detect rogue APs serving open SSIDs (for example an AP Listener port: Enter the UDP port for rogue AP detection. Classify sources of interference. Interference classication compares patterns in RF interference to attached to an Ethernet wall jack and the AP is running an open SSID). If a rogue AP is detected, countermeasures can be optionally applied to prevent any station from using this rogue AP. Figure 179: Detection Settings known interference patterns to help identify the source of the interference. All APs based on the AP371x, AP38xx, and AP39xx architecture are capable of performing interference classication. Click Save. In-Service Scan Prole Prevention Settings Radar provides multiple countermeasures which can be enabled in an In-Service scan prole. The level of prevention for the prole is dependent on the countermeasures selected. For more information on the Radar threat categories for which countermeasures can be applied, see Radar Scan Proles on page 566. ExtremeWireless V10.41.06 User Guide 575 Working with ExtremeWireless Radar When Radar WIDS-WIPS is enabled, all detected threats are reported when they start and when they stop. The reports are available in the controller's event logs and can be streamed off the controller using SNMP (Simple Network Management Protocol) and syslog. These event reports are always generated regardless of which other countermeasures are enabled. For more information on these reports, see Working with Radar Reports on page 593. Related Links Selecting Countermeasures on page 576 Selecting Countermeasures Countermeasures mitigate the impact of a security threat:

Sending standard 802.11 deauthentication frames to prevent stations from associating to threat devices. To select a specic countermeasure:

Rate limiting ooded frames. This can prevent oods from propagating through the AP to the wired Blacklisting attacking devices to prevent them from gaining access to the network. network. D Countermeasures are enabled on a per-scan-prole basis. Some scan proles can have countermeasures enabled while others cannot. From the top menu, click WIPS. 1 2 If not already selected, select Security Analysis Engine and click Save. 3 In the left pane, click Radar Proles. 4 Select an In-Service scan prole and click the Prevention tab. raf Figure 180: Prevention Settings ExtremeWireless V10.41.06 User Guide 576 Working with ExtremeWireless Radar Table 109: Prevention Tab - Fields and Buttons FField/Button Description Countermeasures Prevent authorized stations from roaming to external honeypot APs Prevent authorized stations from roaming to friendly APs Prevent any station from using an internal honeypot AP An external honeypot is an AP that is attempting to make itself a man-in-the-middle by advertising a popular SSID, such as an SSID advertised by a coffee shop or an airport Friendly APs are APs that are not part of the authorized wireless network, but they operate in the vicinity of the authorized wireless network. An internal honeypot is an AP that is attempting to make itself a man-in-the-middle by advertising an SSID belonging to the authorized network. Prevent any station from using an ad hoc mode device Remove network access from clients originating DoS and password-cracking attacks Prevent any station from using a rogue AP D Prevent any station from using a spoofed AP Drop frames in a controlled fashion during a ood attack A rogue AP is an unauthorized AP connected to the authorized wired network. A spoofed AP is an AP that is not part of the authorized network is advertising a BSSID (MAC address) that belongs to an authorized AP on the authorized network. Deauthentication messages are used to prevent devices from using an ad hoc mode device. Prevents some types of Denial of Service (DoS) attack from affecting the authorized network instead of just the target AP. For example, rate limiting the ooded frames. raft Prevents propagation of the DoS attack from the AP to the authorized network. Many types of DoS attack involve deluging an AP with a large volume of messages of one or two specic types. When this option is enabled, the AP will apply rate limits to the specic type of frame that is being deluged. The selected clients for this countermeasure are denied access to the network for the amount of time that is specied in " Remove network access from violating clients for a period of time."

Click to create a new scan prole. For more information, see Adding a New Radar Prole on page 573. Click to delete the selected scan prole. Enter a numeric value in seconds. Click to save changes. Remove network access from violating clients for a period of time New Delete Save Conguring a Guardian Scan Prole Congure the following for a Guardian scan prole:

Detection Settings Prevention Settings List of Assigned APs Related Links ExtremeWireless V10.41.06 User Guide 577 Working with ExtremeWireless Radar Guardian Scan Prole Detection Settings on page 578 Guardian Scan Prole Prevention Settings on page 579 Selecting Countermeasures on page 579 Assigning an AP to a Prole on page 581 Viewing the List of Assigned APs on page 581 Guardian Scan Prole Detection Settings NNote Once a new Guardian Scan Prole is created, the Detection tab appears. D raft Figure 181: Detection Settings 1 In the Name box, type a unique name for this scan prole. Select from the following detection options:

Scan for security threats. For more information, see Security Threats on page 594. Classify sources of interference. Interference classication compares patterns in RF interference to known interference patterns to help identify the source of the interference. All APs based on the AP371x, AP38xx, and AP39xx architecture are capable of performing interference classication. 2 Under Channels to Monitor:

Click the 2.4 GHz tab and select channels to be monitored within this band for the scan prole. ExtremeWireless V10.41.06 User Guide 578 Working with ExtremeWireless Radar Click the 5 GHz tab and select channels to be monitored within this band for the scan prole. Guardian Scan Prole Prevention Settings Radar provides multiple countermeasures which can be enabled in a Guardian scan prole. The level of prevention for the prole is dependent on the countermeasures selected. For more information on the Radar threat categories for which countermeasures can be applied, see Radar Scan Proles on page 566. When Radar WIDS-WIPS is enabled, all detected threats are reported when they start and when they stop. The reports are available in the controller's event logs and can be streamed off the controller using SNMP and syslog. These event reports are always generated regardless of which other countermeasures are enabled. For more information on these reports, see Working with Radar Reports on page 593. Selecting Countermeasures D Countermeasures mitigate the impact of a security threat. Three main countermeasures are used by the Guardian APs:

Sending standard 802.11 deauthentication frames to prevent stations from associating to threat Rate limiting ooded frames. This can prevent oods from propagating through the AP to the wired devices. network. Blacklisting attacking devices to prevent them from gaining access to the wireless network. raft From the top menu, click WIPS. 1 2 If not already selected, select Security Analysis Engine and click Save. 3 In the left pane, click Radar Proles. Countermeasures are enabled on a per-scan-prole basis. Some scan proles can have countermeasures enabled while others cannot. To select a specic countermeasure:

ExtremeWireless V10.41.06 User Guide 579 Working with ExtremeWireless Radar 4 Select a Guardian scan prole and click the Prevention tab. D Figure 182: Prevention Settings 5 Select desired prevention method. 6 Select number of channels per radio to defend concurrently. Number of defended channels can be raft An external honeypot is an AP that is attempting to make itself a man-in-the-middle by advertising a popular SSID, such as an SSID advertised by a coffee shop or an airport Description Table 110: Prevention Tab - Fields and Buttons FField/Button Countermeasures Prevent authorized stations from roaming to external honeypot APs between 1 and 4. Prevent authorized stations from roaming to friendly APs Prevent any station from using an internal honeypot AP Prevent any station from using a rogue AP Prevent any station from using a spoofed AP Friendly APs are APs that are not part of the authorized wireless network, but they operate in the vicinity of the authorized wireless network. An internal honeypot is an AP that is attempting to make itself a man-in-the-middle by advertising an SSID belonging to the authorized wireless network. A rogue AP is an unauthorized AP connected to the authorized wired or wireless network. A spoofed AP s an AP that is not part of the authorized network is advertising a BSSID (MAC address) that belongs to an authorized AP on the authorized network. ExtremeWireless V10.41.06 User Guide 580 Working with ExtremeWireless Radar Table 110: Prevention Tab - Fields and Buttons (continued) FField/Button Description Drop frames in a controlled fashion during a ood attack Prevents some types of Denial of Service (DoS) attack from affecting the authorized network instead of just the target AP. For example, rate limiting the ooded frames. Prevent any station from using an ad hoc mode device Deauthentication messages are used to prevent devices from using an ad hoc mode device. Remove network access from clients originating DoS and password-cracking attacks Prevents propagation of the DoS attack from the AP to the authorized network. Many types of DoS attack involve deluging an AP with a large volume of messages of one or two specic types. When this option is enabled, the AP will apply rate limits to the specic type of frame that is being deluged. The selected clients for this countermeasure are denied access to the network for the amount of time that is specied in " Remove network access from violating clients for a period of time."

New Delete Save D Remove network access from violating clients for a period of time Defense Options Maximum number of channels per radio to defend concurrently Enter a numeric value in seconds. Click the slider to select the number of channels desired. Click to create a new Guardian scan prole. For more information, click Adding a New Radar Prole on page 573. raft Click to delete the selected Guardian scan prole. Click to save changes. From the top menu, click WIPS. 1 2 If not already selected, select Security Analysis Engine and click Save. 3 In the left pane, click Radar Proles or AirDefense Proles. 4 Select a prole, and click the AAssigned APs tab. 5 Select an AP from the list of Assigned APs and click Save. Assigning an AP to a Prole To assign an AP to a scan prole:

Related Links Viewing the List of Assigned APs on page 581 Viewing the List of Assigned APs The list of Assigned APs is a list of all APs reported by the data collectors. Assigned APs automatically appear once a prole is created. To view the list of APs assigned to a prole, click the AAssigned APs tab. ExtremeWireless V10.41.06 User Guide 581 Working with ExtremeWireless Radar Table 111: Assigned APs Tab - Fields and Buttons FField/Button Description Wireless APs Identies the wireless APs assigned to the prole. May include the AP name or serial number. Controller (Radar Proles) Identies the controller associated with the wireless AP. An IP address indicates a remote data collector. Local Controller indicates a controller local to the AP. Applies to Radar Proles only. Assignment (Guardian AP) Indicates if the Guardian AP is assigned to a Site, Load Group, or WLAN Service. Search Select All Deselect All To search for a prole in the list, enter the full name of a scan prole and press Enter. Select all APs in the list. Clear the selection of all APs in the list. Related Links Save Click to save changes. D The list of Assigned APs are APs that are available to any prole. However, an AP can only be assigned to one prole. Assigning an AP to a Prole on page 581 Conguring an AirDefense Prole on page 568 Conguring an In-Service Scan Prole on page 574 Conguring a Guardian Scan Prole on page 577 raft Wireless Intrusion Prevention System (WIPS) provides a list of APs organized in categories based on the scan results of the Analysis Engine. WIPS will try to assign each discovered AP to one of these categories. If it can't nd a specic category for the AP, it will assign it to the Uncategorized APs category. Uncategorized APs require manual classication. To get the best protection from WIPS, classify uncategorized APs as soon as possible. You can manually assign APs from one category to another using WIPS. For more information, see Reclassifying APs on page 592. Maintaining the Radar List of APs AP Categories APs belong to one of the following categories when they are added to the Analysis Engine database:

Scanning APs - This is the subset of authorized APs congured to provide WIDS-WIPS services. Friendly APs - These are APs that are not part of the authorized network, but they operate in the vicinity of the authorized network. Friendly APs are operated by a neighboring enterprise for their own use. Authorized APs can prevent authorized devices from using friendly APs. Uncategorized APs - APs discovered by scanning APs and which do not fall into any other category. Uncategorized APs require manual classication. To get the best protection from WIPS, classify uncategorized APs as soon as possible. ExtremeWireless V10.41.06 User Guide 582 Working with ExtremeWireless Radar Authorized APs - APs that can be used by devices authorized to use the network. APs can be added to the list automatically (for example, if the APs are active on the current host or the hosts availability partner) or manually. Prohibited APs - These are APs that have been manually added to the Radar database so that the Radar WIDS-WIPS system will detect them and, if so congured, protect against them. An example of manually prohibited APs might be APs that were stolen from the authorized network and now could be used to generate a security breach. Viewing the List of Scanning APs From the top menu, click WIPS. 1 2 If not already selected, select Security Analysis Engine and click Save. 3 In the left pane, click Radar Maintenance. The SScanning APs screen displays. D Figure 183: Scanning APs ExtremeWireless V10.41.06 User Guide 583 Working with ExtremeWireless Radar Table 112: Scanning APs - Fields and Buttons FField/Button Description Wireless Controllers Displays the name of wireless controllers reporting to the Analysis Engine on this host. Can be the IP address of another controller or

"Local Controller" which represents the controller hosting this instance of the Analysis Engine. Wireless APs Name - Name of the Access Point Serial - Serial number of the Access Point Prole Name - Describes the scan prole. The shield icon indicates a Guardian scan prole. Licensed - A check mark indicates that the AP is licensed. Viewing the List of Friendly APs D The Friendly APs page allows you to manage the list of APs that are considered to be operating in the vicinity legitimately but to which authorized devices should not roam. A Friendly AP has to be added manually to the list, or manually reclassify an Uncategorized AP as Friendly. To view a list of Friendly APs:

From the top menu, click WIPS. 1 2 If not already selected, select Security Analysis Engine and click Save. raft ExtremeWireless V10.41.06 User Guide 584 Working with ExtremeWireless Radar 3 In the left pane, click Radar Maintenance > Friendly APs raft Unique identier attached to the header of packets sent over a wireless local-area network (WLAN) from the Friendly AP APs categorized as Friendly APs can be reclassied as authorized or threats, For more information, see Reclassifying APs on page 592. Species a brief description for the Friendly AP Species the MAC address for the Friendly AP Lists the AP manufacturer MAC Address SSID Description Manufacturer Categorize Selected APs as Table 113: Friendly APs Screen - Fields and Buttons FField/Button Description New Delete Selected Click to create a new Friendly AP. For more information, see Adding Friendly APs on page 585. Select an AP from the list of Friendly APs, and click to delete them from the list. Adding Friendly APs To add a Friendly AP:

1 From the top menu, click WIPS. ExtremeWireless V10.41.06 User Guide 585 Working with ExtremeWireless Radar 2 If not already selected, select Security Analysis Engine and click Save. 3 Click Maintenance > Friendly APs. 4 Click New. Modifying Friendly APs 6 Click Save. The new access point is displayed in the Friendly APs list. Figure 184: New Friendly AP 5 Congure the following parameters:

D MAC Address Species the MAC address of the Friendly AP SSID Species the SSID of the Friendly AP Description Species a brief description of the Friendly AP raft From the top menu, click WIPS. 1 2 If not already selected, select Security Analysis Engine and click Save. 3 Click Maintenance > Friendly APs. 4 In the Friendly APs list, double-click the access point you want to modify. 5 Modify the access point elds as required and click Save. To modify a Friendly AP:

NNote The MAC Address eld cannot be modied Figure 185: Modify Friendly AP ExtremeWireless V10.41.06 User Guide 586 Working with ExtremeWireless Radar Viewing the List of Uncategorized APs Uncategorized APs are discovered but do not fall into any other category. To view a list of Uncategorized APs:

From the top menu, click WIPS. 1 2 If not already selected, select Security Analysis Engine and click Save. 3 In the left pane, click Radar Maintenance > Uncategorized APs . ft Figure 186: Uncatagorized APs Table 114: Uncategorized APs Screen - Fields and Buttons FField/Button Description MAC Address SSID Species the MAC address of the uncategorized AP Unique identier attached to the header of packets sent over a wireless local-area network (WLAN) from the uncategorized AP. ExtremeWireless V10.41.06 User Guide 587 Working with ExtremeWireless Radar Table 114: Uncategorized APs Screen - Fields and Buttons (continued) FField/Button Description Manufacturer Lists the AP manufacturer Categorize Selected APs as APs categorized as uncategorized APs can be reclassied as authorized, friendly, or prohibited. For more information, see Reclassifying APs on page 592. 4 Click Export to download the list of Uncategorized APs in .xml format. Viewing the List of Authorized APs The list of Authorized APs includes the APs that an authorized device is permitted to associate with. APs can be added to the list automatically (for example if the AP is active on the current host or its availability partner) or manually. D Re-categorize an AP as Authorized, to protect it from an unwanted countermeasure when there is a non-authorized AP with a problematic SSID (an External Honeypot) in the vicinity of the authorized network and you want to exclude the AP from an undesired counter attack. To view a list of Authorized APs:

From the top menu, click WIPS. 1 2 If not already selected, select Security Analysis Engine and click Save. raft ExtremeWireless V10.41.06 User Guide 588 Working with ExtremeWireless Radar 3 In the left pane, click Radar Maintenance > Authorized APs . raft APs categorized as authorized APs can be reclassied as friendly APs. For more information, see Reclassifying APs on page 592. Species a brief description of the authorized AP Species the MAC address of the authorized AP Lists the AP manufacturer Figure 187: Authorized APs Table 115: Authorized APs Screen - Fields and Buttons FField/Button Description MAC Address Description Manufacturer Categorize Selected APs as New Delete Selected Click to create a new authorized AP. For more information, see Adding Authorized APs on page 589. Select an AP from the list of authorized APs, and click to delete them from the list. Adding Authorized APs You do not have to manually add APs to the authorized AP list. The controllers create the list automatically. However, sometimes you may need to do this manually:

ExtremeWireless V10.41.06 User Guide 589 Working with ExtremeWireless Radar An AP of a controller that is not sending information to the Analysis Engine is included on the Scanning APs screen. Devices should be able to roam between that AP and the APs of the controllers managed by the Analysis Engine. When adding a foreign AP (External or Internal Honeypot, or Rogue AP) to the list of Authorized APs, accidental countermeasures applied to that AP can be prevented. You have a third-party AP that its authorized devices should be allowed to use even though the AP is not managed by a controller. To add an Authorized AP 1 To add Friendly access points manually to the Authorized APs list, from the Authorized APs screen, click New. The AAuthorized APs dialog displays. 3 Click Save. The new access point is displayed in the authorized APs list. D 2 In the AAuthorized APs dialog, type the following:

MAC Address Species the MAC address for the AP Description Species a brief description for the AP raft The list of Prohibited APs are APs that you have manually added to the Radar database so that the Radar WIDS-WIPS system will detect them and, if so congured, protect against them. Manually add an AP to the list of Prohibited APs, when a non-authorized AP is a threat, but it cannot be detected by existing threat criteria. To view a list of Prohibited APs:

From the top menu, click WIPS. 1 2 If not already selected, select Security Analysis Engine and click Save. Viewing the List of Prohibited APs ExtremeWireless V10.41.06 User Guide 590 Working with ExtremeWireless Radar 3 In the left pane, click Radar Maintenance > Prohibited APs. raft Species a brief description of the prohibited AP Species the MAC address of the prohibited APs Lists the AP manufacturer Threat category APs categorized as prohibited APs can be reclassied as friendly APs. For more information, see Reclassifying APs on page 592. Figure 188: Prohibited APs Table 116: Prohibited APs Screen - Fields and Buttons FField/Button Description MAC Address Category Description Manufacturer Categorize Selected APs as New Delete Selected Click to create a new prohibited AP. For more information, see Adding Prohibited APs on page 591. Select APs from the list of prohibited APs, and click to delete them from the list. Adding Prohibited APs To add a Prohibited AP:

ExtremeWireless V10.41.06 User Guide 591 Working with ExtremeWireless Radar 1 To add access points manually to the Prohibited APs list, from the PProhibited APs screen, click New. The PProhibited APs dialog displays. 2 For MAC Address, specify the MAC address for the Prohibited AP. 3 For Description, enter a brief description of the AP. 4 For Action, select from the following options:

D Report presence only - When the MAC address of the prohibited AP is detected by an Treat like an internal honeypot AP - The device with the MAC address is considered to be as Treat like an external honeypot - The device with the entered MAC address is considered to be harmful as an AP that is 'impersonating' one of the authorized APs. If countermeasures are enabled, no devices will be allowed to associate to this MAC address, including devices of other neighboring enterprises. authorized scanning AP, the prohibited AP's presence will be reported in an event message. This in turn will result in the presence of the MAC being included in the Radar threat reports. No countermeasures will be taken against the device with the MAC address by Radar. as harmful as an AP that is advertising a popular SSID. Authorized devices will be prohibited from roaming to the device with this MAC address. Unauthorized devices and unrecognized devices will be allowed to roam to the device with the MAC address. raft You can manually assign APs from one category to another depending on the APs current classication. Categorize selected APs directly from its current category list. For example, APs on the Friendly and Uncategorized lists can be reclassied as Authorized. 5 Click Save. The new access point is displayed in the Prohibited APs list. For information about reclassifying an existing AP to Prohibited, see . Reclassifying APs To reclassify an AP:

From the top menu, click WIPS. 1 2 If not already selected, select Security Analysis Engine and click Save. ExtremeWireless V10.41.06 User Guide 592 Working with ExtremeWireless Radar 3 In the left pane, click Radar Maintenance and select one of the AP lists. An AP can be reclassied depending on its current classication. See Table 117. Table 117: AP Classications CCurrent AP Category Friendly Uncategorized Authorized Possible Reclassication Authorized Prohibited Authorized Friendly Prohibited Friendly Friendly Prohibited D 5 Click OK to reclassify the selected APs. APs as. Reclassifying an AP as a Threat Friendly and Uncatagorized APs can be reclassied as a threat. 4 Select one or more APs from the list and choose an available classication from Categorize Selected 1 From the FFriendly or UUncatagorized AP List, select one or more APs and click Prohibited. The RReclassify APs dialog displays. raft Figure 189: Reclassify an AP as a Threat 2 Select a threat classication from the list displayed. 3 Click Save. Related Links Viewing the List of Friendly APs on page 584 Viewing the List of Uncategorized APs on page 587 Working with Radar Reports The Analysis Engine receives reports of threats from multiple APs. Different APs can be reporting the same threat incident at the same time. The Analysis Engine needs a way to decide which reports are actually reports of the same threat. It takes a number of factors into account when making this decision. Location is an important attribute used to decide whether two different reports are actually for the same threat. ExtremeWireless V10.41.06 User Guide 593 Working with ExtremeWireless Radar To view Radar AP reports and statistics:

From the top menu, click Reports. 1 2 In the left pane, click Radar. aft Figure 190: Radar Reports 3 Click on the desired report:

Active Threats on page 595 Active Countermeasures on page 597 Blacklisted Clients on page 598 Radar APs Denied by License on page 599 Collection Engine Status on page 599 WLAN Security Report on page 600 Threat Summary on page 601 Threat History on page 603 Security Threats The Radar reports provide information about security threats. Threat APs are APs that have been detected performing one or more types of attack on the authorized network. Each AP dened on the controller has a text location attribute that can be set using the controller's GUI, CLI, and SNMP agent. By default the location attribute is empty for all APs. It is strongly recommended ExtremeWireless V10.41.06 User Guide 594 Working with ExtremeWireless Radar that you set the location attribute of each AP. The attribute should be set so that APs at the same location have exactly the same location attribute. For example all the APs on the 3rd oor of a building could have the same location, such as "Boston/123 4th street/3rd oor". The controller's multi-edit page provides a convenient way to assign groups of APs to the same location. The types of threat recognized by the Radar WIDS-WIPS system include:

Ad Hoc Device - A device in ad hoc mode can participate in direct device-to-device wireless networks. Devices in ad hoc mode are a security threat because they are prone to leaking information stored on le system shares and bridging to the authorized network. Cracking - This refers to attempts to crack a password or network passphrase (such as a WPA-PSK). The Chop-Chop attack on WPA-PSK and WEP is an example of an active password cracking attack. Denial of Service (DoS) attacks - DoS attacks External Honeypot - An AP that is attempting to make itself a man-in-the-middle by advertising a network. popular SSID, such as an SSID advertised by a coffee shop or an airport. Interference Source - A device that is generating a radio signal that is interfering with the operation D SSID belonging to the authorized network. of the wireless network. An example of an interference source is a microwave oven which can interfere with 2.4GHz transmissions. Roque AP - A rogue AP is an unauthorized AP connected to the authorized wired or wireless Internal Honeypot - An AP that is attempting to make itself a man-in-the-middle by advertising an Prohibited Device - A MAC address or BSSID is detected that matches an address entered manually Performance - Performance issues pertain to overload conditions that cause a service impact. Performance issues aren't necessarily security issues but many types of attack do generate performance issues. raft NNote Surveillance can be passive (purely listening) or active (surveyor sends messages to speed up the process of surveillance). It is only possible to detect active surveillance. Netstumbler and Wellenreiter are examples of active surveillance tools. Spoofed AP - An AP that is not part of the authorized network is advertising a BSSID (MAC address) Surveillance - A device or application that is probing for information about the presence and that belongs to an authorized AP on the authorized network. services offered by a network. into the Radar database. Active Threats The Active Threats report lists all currently detected threats. Active threats are devices that are being detected performing attacks on the authorized network. Threat APs are identied as APs that have been detected to be performing one or more types of attacks on the authorized network. The report only lists currently active threats, not historic threats. For more information, see Threat History on page 603. Viewing Active Threats Scan Results 1 From the top menu, click Reports. ExtremeWireless V10.41.06 User Guide 595 Working with ExtremeWireless Radar 2 In the left pane, click Radar. 3 Click Active Threats. Figure 191: Active Threats Report Table 118: Active Threats Report - Fields and Buttons FField/Button Description Detected Active At Threat MAC Address D Threat Category Threat MAC address of the device. Date and time that the threat was identied. Countermeasures Applied Location - AP Name Location - RSS Additional Details Type of threat. Name of the threat AP. Indicates if a countermeasure has been applied. Threat AP Received Signal Strength (displayed in dBm). For more information, see Security Threats on page 594. Details of the threat including frequency, SSID, and Rogue Threats. Rogue threats details are accessed by clicking 3 dots ... that display in the column. The following parameters display in the Rogue Details dialog:

raft When the Threat Report is based on MAC address, we can determine the SSID and encryption type associated with the threat. This information is not preserved after upgrade, and historical data is aged every 30 days regardless of upgrade. address is automatically assigned via DHCP (Dynamic Host Conguration Protocol) (DHCP is through the Rogue AP). Received IP address: Wired test packet source IP address. TTL difference: TTL (Time-To-Live or hop limit) difference between Sent MAC address: Sent wireless test packet source MAC address. Received MAC address: Received wired test packet source MAC Sent IP address: Wireless test packet source IP address. This IP address. sent wireless test packet TTL and received wireless test packet TTL. For example, if the TTL of the sent wireless test packet is 64 and the TTL of the received wireless test packet is 62, then the TTL difference is 2 indicating the packet went through 2 hops. Learned gateway: Wireless gateway IP address as specied from the DHCP server (DHCP is through the Rogue AP). ExtremeWireless V10.41.06 User Guide 596 Working with ExtremeWireless Radar Modifying the Page's Refresh Rate:

1 Type a time (in seconds) in the Refresh every __ seconds box at the top of the screen and click Apply. The new refresh rate is applied. 2 To add a specic threat to the list of Friendly APs, select the threat and click Add to Friendly List. 3 To refresh the page, click Refresh. 4 To export a copy of the report in XML format, click Export. 5 To close the report window, click Close. Active Countermeasures The Active Countermeasures report lists each AP currently taking countermeasures. The list also contains the type of attack being countered, when the counter attack started, which channel is being defended, the type of countermeasure in use and when appropriate, the identiers for the target of the attack. D Viewing Active Countermeasures Scan Results From the top menu, click Reports. 1 2 In the left pane, click Radar. The AAvailable Radar Reports screen displays. 3 Click Active Countermeasures. The AActive Countermeasures Report screen displays. raft Description Table 119: Active Countermeasures Report - Fields and Buttons Field/Button AP Name AP Serial Number Threat Category Countermeasure Name of the AP taking countermeasures. Serial number of the AP For more information, see Active Threats on page 595. Indicates type of countermeasure applied. Threat MAC Address MAC address of the device being countered. Started At Date and time that the threat was identied. ExtremeWireless V10.41.06 User Guide 597 Working with ExtremeWireless Radar Modifying the Pages Refresh Rate:

1 Type a time (in seconds) in the Refresh every __ seconds box at the top of the screen and click Apply. The new refresh rate is applied. 2 To refresh the page, click Refresh. 3 To export a copy of the report in XML format, click Export. 4 To close the report window, click Close. Blacklisted Clients The Blacklisted Clients report lists all devices that are currently on the blacklist (or removed from the whitelist if the list is in whitelist mode) because of the application of countermeasures to an attack. Clients automatically added to the Blacklist will be removed automatically after the interval congured passes. Station addresses manually added to the Blacklist (or manually removed from the Whitelist) do not appear in this report. D Viewing Blacklisted Clients Scan Results 1 2 In the left pane, click Radar. 3 Click Blacklisted Clients. The Blacklisted Clients Report screen displays. From the top menu, click Reports. raft Description Table 120: Blacklisted Clients Report - Fields and Buttons FField/Button Blacklisted Address MAC address of the blacklisted device. Blacklisting Started at Blacklisting Ends at Reason Date and time when the device was added to the blacklist. Date and time when the device was removed from the blacklist. Reason for blacklisting the device. To modify the pages refresh rate:

1 Type a time (in seconds) in the Refresh every __ seconds box at the top of the screen and click Apply. The new refresh rate is applied. 2 To refresh the page, click Refresh. ExtremeWireless V10.41.06 User Guide 598 Working with ExtremeWireless Radar 3 To export a copy of the report in XML format, click Export. 4 To close the report window, click Close. Radar APs Denied by License The Radar APs Denied by License report lists all currently unlicensed APs. Viewing Radar APs Denied by License Results From the top menu, click Reports. 1 2 In the left pane, click Radar. 3 Click Radar APs Denied by License. The RRadar APs Denied by License screen displays. D raft Identies the name of the assigned Radar APs denied by license. Identies the associated scan prole for the assigned AP. Table 121: Radar APs Denied by License Report - Fields and Buttons Field/Button Description Assigned APs Scan Prole Collection Engine Status You can view a report on the connection status between the Analysis Engine and the remote data collector engine on each controller. To view the collection engine status:

From the top menu, click Reports. 1 2 In the left pane, under Radar, click Collection Engine Status. ExtremeWireless V10.41.06 User Guide 599 Working with ExtremeWireless Radar Ensure that the Data Collector is running on the remote controller. If no box is displayed, the Analysis Engine is not attempting to connect with that Data Collector Engine. The boxes display the IP address of the Data Collector engine. The status of the Data Collector engine is indicated by one of the following colors:

Green The Analysis Engine has connection with the Data Collector on that controller. Yellow The Analysis Engine has connected to the Data Collector but has not synchronized with it. D Red The Analysis Engine is aware of the Data Collector and attempting to connect. NNote If the box is displayed red and remains red, ensure your IP address is correctly set up to point to an active controller. If the box remains yellow, ensure the Data Collector is running on the remote controller. raft The WLAN Security Report creates a PDF identifying security-related problems in the conguration of the wireless controller WLAN Services. The report identies issues and provides guidance for their resolution. The report can be printed or saved locally. To modify the pages refresh rate, type a time (in seconds) in the Refresh every __ seconds box at the top of the screen and click Apply. The new refresh rate is applied. 2 To refresh the page, click Refresh. 3 To close the report window, click Close. 1 Viewing WLAN Security Report Scan Results WLAN Security Report From the top menu, click Reports. 1 2 In the left pane, click Radar. 3 Click WLAN Security Report. ExtremeWireless V10.41.06 User Guide 600 Working with ExtremeWireless Radar Figure 192: WLAN Security Report Threat Summary The Threat Summary report includes both Active and Historical Threats displayed in the form of pie chart graphs. A device can be counted more than once if it is the source of more than one threat. Each threat category is highlighted using a different color to quickly identify specic threats. ExtremeWireless V10.41.06 User Guide 6601 Working with ExtremeWireless Radar Viewing the Threat Summary From the top menu, click Reports. 1 2 In the left pane, click Radar. 3 Click Threat Summary. The TThreat Summary screen is displayed. ft List of possible threat categories that are displayed on the summary report. For more information, see Security Threats on page 594. Total number of active threats identied for each threat category. Total number of threats that are no longer active but have been retained on the list for historical tracking purposes. Threats are identied for each threat category. Table 122: Threat Summary Report - Fields and Buttons Field/Button Description Threat Category Active Threats Historical Threats ExtremeWireless V10.41.06 User Guide 602 Working with ExtremeWireless Radar Modifying the Page's Refresh Rate 1 Type a time (in seconds) in the Refresh every __ seconds box at the top of the screen and click Apply. 2 To refresh the page, click Refresh. 3 To export a copy of the report in XML format, click Export. 4 To close the report window, click Close. Threat History Viewing the Threat History From the top menu, click Reports. 1 2 In the left pane, click Radar. 3 Click Threat History. The TThreat History screen displays. D raft Date and time when the threat was most recently reported. Date and time that the threat was identied. MAC address of the device. Type of threat. Table 123: Historical Threat Report - Fields and Buttons Field/Button Description Last Reported First Detected Threat MAC Address Threat Threat Category Currently Active Location - AP Name Location - RSS Additional Details For more information, see Active Threats on page 595. Current status of the threat. Name of the threat AP. Threat AP Received Signal Strength (displayed in dBm). Detail information on the specic threat. When the Threat Report is based on MAC address, we can determine the SSID and encryption type associated with the threat. This information is not preserved after upgrade, and historical data is aged every 30 days regardless of upgrade. ExtremeWireless V10.41.06 User Guide 603 Working with ExtremeWireless Radar 4 To export a copy of the report in XML format, click Export. 5 To close the report window, click Close. D raft ExtremeWireless V10.41.06 User Guide 6604 17 Working with Location Engine LLocation Engine Overview Location Engine on the Controller Deploying APs for Location Aware Services Conguring the Location Engine ExtremeLocation Support Location Engine Overview D Station location tracking is one of the advanced ExtremeWireless Radar features designed for managing a wireless environment and its resources. The Location Engine works in conjunction with Extreme Management Center maps to dene specic oor plan areas for Location Aware Services. The Location Engine determines location based on measured Received Signal Strength (RSS) of the client stations at the AP. The location algorithm uses RF nger printing based on a Path Loss model and determines location by triangulating RSS reported from one or more APs. Estimating location using readings from multiple APs provides a more accurate location estimate. Estimating location using RSS from a single AP is sufficient to determine the location of client in terms of proximity to the associated AP. The client location is indicated on the map as a circle around the AP. Estimation using multiple RSS offers a pinpoint location estimate of the client. The client location is indicated as a pin, in the most probable position, on the map. The colors displayed around the pin indicate the level of condence that the client is physically located there. raft The Location Engine can be congured to track on-demand users, associated users, and unassociated users:

An on-demand user is a client that is manually added to a preferred list of clients. Space is guaranteed for on-demand users in the Location Engine table. An on-demand user can be either an associated user, such as an employee, or an unassociated user, such as a rogue client that can be tracked as a possible network threat. The Location Engine tracks location of multiple clients simultaneously and returns position relative to the oor plan. An associated user is an authenticated client. An associated user joins the SSID provided by the AP by simply associating to the open or protected SSID. Location Engine can track location for every associated client up to the controller limit of associated clients. An unassociated user is a client that is not authenticated but is in the designated area. Location Engine can track these clients. No additional license is required to use the Location Engine functionality in the controller. However, to draw maps and to visualize location tracking, Extreme Management Center is required, which comes with its own licensing requirements. ExtremeWireless V10.41.06 User Guide 605 Working with Location Engine Location Solution Architecture The ExtremeWireless controller is at the center of the Location Aware Services solution. Location Engine collects RSS reading from APs and displays location data using Extreme Management Center maps or other third-party applications. The following diagram illustrates the solution architecture. ft Figure 193: Components of Location Aware Services Solution Dynamic Filtering Dynamic ltering is a primary use case for Location Aware Services. This feature controls client access based on location. Customers can use Location Aware Services in schools and hospitals to dene access parameters within a designated area. This functionality combined with the role assignment from Network Access Control (NAC), makes it possible to implement dynamic ltering on the client location. Network access rights (access to servers or applications) can depend on the client location -- inside or outside the dened area. Role assignment is accomplished dynamically by the controller and NAC as client moves within the oor plan. ExtremeWireless V10.41.06 User Guide 6606 Working with Location Engine Bulk Reporting Location Engine can export bulk reporting data for use in third-party applications. For example, use Location Engine data to determine traffic ow in large venues and time-of-use analytics. The controller's bulk reporting data includes location of the client, the serial number of the associated AP, the name of the oor plan, and more. Third-party location client applications can synchronize their oor maps directly from the controller (either on-demand or on a scheduled basis using the controller CLI). Although it is possible to access the Location Engine data directly using a CLI session, most users will choose to access location data using Extreme Management Center maps or a third-party location client application. Location Engine on the Controller Location Engine tracks location of multiple clients simultaneously and returns position relative to the oor plan. The following are components of the Location Engine:

HHeat Map. The Location Engine generates a heat map of each AP on a user-provided oor plan. The D Location Engine analyzes the oor plan and considers the presence and material of structures or obstacles, such as walls, when calculating the predictive coverage map. Extreme Management Center is required to dene the oor plan. Be sure to include the presence of walls and obstacles when dening the oor plan. For information about dening a oor plan, see the Extreme Management Center User Guide. Localization algorithms. Location Engine algorithms scan all APs that report the client and select RSS readings from three or more APs that are most likely to provide the best location estimates. Using the selected RSS readings, location is triangulated and returned as the Catresian coordinates relative to the oor plan. raft Notication. Location is reported immediately on a real-time stream and as a notication on the event stream (syslog). The controller tracks the client location and can determine when a client is inside a predened area. You can dene up to 16 areas of interest per oor map using Extreme Management Center. The Location Engine offers a Track Area Change feature, that, when enabled, triggers a notication each time a client moves from one area to another. The notication events can be used for improved radio resource management such as Network Access Control (NAC). For information about how to enable Track Area Change, see Conguring the Location Engine on page 609. track the number of clients that can be supported by the controller. If the controller is part of an availability pair, it can also track the clients supported by the availability partner, and Location Engine is not restricted by oor size. Simultaneous updates. Location Engine simultaneously updates the location of tracked clients. It can Client location is presented in Extreme Management Center. Figure 194 illustrates a blue pin placed on the most probable position of the client. The map is colored according to the expected probably of the client position . Black is the most likely and yellow is the least likely position. ExtremeWireless V10.41.06 User Guide 607 Working with Location Engine Figure 194: Extreme Management Center Floor Plan raft Deploying APs for location tracking requires additional consideration above the standard AP deployment guidelines for coverage and capacity. The following are best practices for AP deployment:

Minimum Received RSS. No less than three APs should be detecting and reporting the RSS of any client station. Only RSS reading stronger than -75 dBm are used by the Location Engine. Use the same AP model for the entire oor plan, so that the RSS readings in that area will have less Design your oor plan with the APs installed at the corners of the oor plan, along the perimeter of the location area. (An area is considered a closed polygon.) Do not cluster APs in the center of the location area. The following illustration shows a recommended AP placement. variation. Deploying APs for Location Aware Services ExtremeWireless V10.41.06 User Guide 6608 Working with Location Engine Figure 195: Recommended AP Placement The maximum distance between APs depends on environmental factors such as the presence of walls and structures, but as rule of thumb, in a location aware deployment, place the APs 10 to 20 meters apart. Conguring the Location Engine Install APs at the same height on the wall, and do not install APs behind walls or ceilings. Install APs away from metal structures like poles or racks, because metal can affect the radiated D pattern. When location accuracy is paramount, augment your in-service deployment with Guardian APs. Guardian APs scan multiple channels where in-service APs operate on a single channel. Therefore, Guardian APs are capable of registering readings from more clients than in-service APs. Guardian APs also increase the number of triangulation points. The Guardian mitigates the problem of non-probing clients and is capable of sensing a client based on the data packets. For more information, see Conguring an AP as a Guardian on page 221. raft Location Engine conguration involves dening environmental factors in the oor plan, location targets, area change notication, and client targets. The following information is provided to help you congure the Location Engine:

Enabling the Location Engine on page 609 Location Batch Reporting on page 611 Creating a New Destination URL on page 613 Creating a New On-Demand User on page 613 Downloading a Floor File on page 614 Uploading a Floor File on page 616 Deleting a Floor File on page 618 Enabling the Location Engine From the top menu, click WIPS. 1 2 In the left pane, click Location Engine. The LLocation Engine Settings screen displays. ExtremeWireless V10.41.06 User Guide 609 Working with Location Engine 3 To Enable/Disable the Location Engine, select or clear the Location Engine check box. raft Select a mode that best matches the environment identied by the oor plan. Choose from one of the following modes from the drop-

down list:

Indoor open space (halls, auditoriums) Office Environment with light divisions (cubicles) Office Environment with dry wall divisions Office Environment with hard divisions (brick) Interior Walls (need be dened in the oor plan Enter the height of the AP based on its location on the wall. Table 124: Location Engine Settings Dialog - Fields and Buttons FField/Button Description Environment Settings Default AP Height (cm) Default Environmental Model None Clients Locator does not collect or triangulate RSS readings. Locator tracks active sessions only. ExtremeWireless V10.41.06 User Guide 610 Working with Location Engine Table 124: Location Engine Settings Dialog - Fields and Buttons (continued) FField/Button Description All Locates all active users and all non-associated users (MAC ) around deployed APs located within the signal range. RSS readings from non-

associated users are included in the Location Engine table. Note: The Location Engine table is shared between all tracked users. This table does not increase in size and does not reserve space for associated users. Once the number of tracked users exceeds the limit,additional users will not be added to the table. Users remain in the table until they time out. Users designated as On-Demand are guaranteed space in the Location Engine table. Track Area Change The controller tracks the client location and can determine when a client is inside a predened area. Select Track Area Change to trigger a notication when a client moves from one area to another. Use the notication events to improve radio resource management such as Network Access Control (NAC). D On-Demand Users Add Delete Selected Advanced Save Click to delete the selected on-demand user. Click to create a new on-demand user. For more information, see Creating a New On-Demand User on page 613 Click to open the AAdvanced dialog, which lists available oor plans. From the AAdvanced dialog, you can upload and dowload oor plans. For more information, see Downloading a Floor File on page 614 Displays a list of known MAC addresses present in the area, for example, a list of employees. On-demand users are guaranteed space in the Location Engine table. raft Click to save changes. When the Location Engine is enabled and congured to publish locations, it posts location data in XML format to a given location. The location data is pushed to up to ve given destinations periodically within the given time interval. Batch reporting continues until Location Batch Reporting is disabled, the Location Engine is disabled, or the controller is powered off. In location-based applications and user traffic analytics, integrating partners often require more detail than simply the location of a MAC address. The client reporting option allows users to generate a report with details from the MU-Table. Location Batch Reporting The AP reporting option provides AP details that give a third-party App server context for the AP location. To generate a report:

From the top menu, click WIPS. 1 2 In the left pane, click Location Engine. 3 To enable/disable the Location Batch Reporting, in the left pane, select Location Batch Reporting then select the Location Batch Reporting check box. ExtremeWireless V10.41.06 User Guide 611 Working with Location Engine 4 To enable/disable the Client Reporting, in the left pane, select Location Batch Reporting then select the Clients Detail Reporting check box. 5 To enable/disable the AP Detail Reporting, in the left pane, select Location Batch Reporting then select the AP Detail Reporting check box. Figure 196: Reporting Options raft The following details are provided with the AP Detail Reporting option:

name serial hostname ipAddress macAddress iotMacAddress iotRadioMode iotProtocol iBeaconProperties iBeaconUUID iBeaconMajor iBeaconMinor NNote The IoT data is provided when the IoT port is enabled and provisioned. IoT is enabled by default for supported APs. ExtremeWireless V10.41.06 User Guide 612 Working with Location Engine Table 125: Reporting Fields and Buttons FField/Button Description Report all station locations every (X) minutes Select a time (in minutes) for station reporting from the drop-down list. Dimension Unit Login Password Destination URL Add Select a dimension unit, from the drop-down list, for measuring location destinations. (Displayed for Location Batch Reporting only.) Login ID of the destination URL. Password of the destination URL. List of destination URLs. Click to create a new Destination URL. For more information, see Creating a New Destination URL on page 613. Save Delete Selected D Click to save changes. Creating a New Destination URL Click to delete the selected Destination. From the top menu, click WIPS. 1 2 In the left pane, click Location Engine > Location Batch Reporting and select either Location Batch Reporting or Client Detail Reporting. 3 Click Add. The DDestination URL dialog displays. raft 4 Enter a user ID and password for the destination URL. 5 Enter a URL for the new destination. 6 Click OK. Creating a New On-Demand User From the top menu, click WIPS. 1 2 In the left pane, click Location Engine. The LLocation Engine Settings screen displays. ExtremeWireless V10.41.06 User Guide 613 Working with Location Engine 3 Click Add. The OOn-demand User dialog displays. 4 Enter a MAC Address for the new on-demand user. 5 Click OK. Extreme Management Center Floor Files Generate oor les using Extreme Management Center. Floor les have the le type .fxml. Once .fxml les are generated locally, they automatically display on the Location Engine Settings AAdvanced dialog. D Related Links It is possible to download .fxml les from a server, but it is most common to generate the le locally using Extreme Management Center. Downloading a Floor File on page 614 Uploading a Floor File on page 616 Deleting a Floor File on page 618 The Download button is always enabled. All information about the oor plan is contained in the le being downloaded including unique identiers for the oor plan. From the top menu, click WIPS. 1 2 In the left pane, click Location Engine. The LLocation Engine Settings screen displays. raft Downloading a Floor File ExtremeWireless V10.41.06 User Guide 614 Working with Location Engine 3 Click Advanced. The AAdvanced dialog displays. D 4 Click Download. The DDownload and Import Floor Plan File dialog displays. raft ExtremeWireless V10.41.06 User Guide 615 Working with Location Engine Table 126: Download and Import Floor File Dialog - Fields and Buttons FField/Button Description Protocol Server User ID Password Conrm Directory Select the transfer protocol from one of the following:

FTP SCP IP address of the server containing the oor le. Required ID to access the server. Password required for access to the server. Enter the password for conrmation Location of the oor le on the selected server Uploading a Floor File File name of the oor plan le on the selected server. 5 Click Download to import the oor plan, or click Close to cancel the import. Related Links Filename D Extreme Management Center Floor Files on page 614 Uploading a Floor File on page 616 Deleting a Floor File on page 618 The Upload Selected button is enabled when a row within the list of oor plans is highlighted. From the top menu, click WIPS. 1 2 In the left pane, click Location Engine. The LLocation Engine Settings screen displays. 3 Click Advanced. The AAdvanced dialog displays. raft ExtremeWireless V10.41.06 User Guide 616 Working with Location Engine D 4 Select a oor le from the list of oor les. 5 Click Upload Selected. The Upload Floor Plan File dialog displays. raft Table 127: Upload Floor Plan File Dialog - Fields and Buttons FField/Button Description Protocol Server Select the transfer protocol from one of the following:

FTP SCP IP address of the server where the le will be exported. ExtremeWireless V10.41.06 User Guide 617 Working with Location Engine Table 127: Upload Floor Plan File Dialog - Fields and Buttons (continued) FField/Button Description User ID Password Conrm Directory Filename Required ID to access the server. Password required for access to the server. Enter the password for conrmation Location of the oor le directory on the destination server. File name of the oor plan le on the destination server. 6 Click Upload to export the oor plan, or click Close to cancel the export. Related Links Extreme Management Center Floor Files on page 614 Downloading a Floor File on page 614 Deleting a Floor File on page 618 D Deleting a Floor File From the top menu, click WIPS. 1 2 In the left pane, click Location Engine . The LLocation Engine Settings screen displays. 3 Click Advanced. The AAdvanced dialog displays. raft 4 Select a oor le from the list of oor les. Only one oor le can be deleted at a time. 5 Click Delete Selected to delete the oor le from the list. Click OK to conrm the delete operation. 6 Click Close. ExtremeWireless V10.41.06 User Guide 618 Working with Location Engine RRelated Links Extreme Management Center Floor Files on page 614 Downloading a Floor File on page 614 Uploading a Floor File on page 616 ExtremeLocation Support ExtremeWireless supports integration with ExtremeLocation for on-premise controller and ExtremeCloud deployments using AP39xx. Related Links ExtremeLocation is a premier location tracking and analytics solution by Extreme Networks. Using HTTPS with self-signed certicates, an AP opens WebSocket connections to the ExtremeLocation Server and reports RSS signal strength readings based on the ExtremeLocation conguration. An ExtremeLocation user associates the Tenant ID and Site information with the AP MAC address over AP WebSocket. D Conguring ExtremeLocation on page 619 The AP can be the RSS source for both Location Engine (integrated with Extreme Management Center) and ExtremeLocation at the same time. RSS information travels both through the WASSP tunnel to the controller and through WebSocket to ExtremeLocation. The AP operates as the ExtremeLocation client in both modes: as an in-service AP (while providing service to the associate users, collects RSS on the same channel) and as a Guardian AP (scan multiple channels and provide RSS on the channels scanned). Channels and dwell time are dened in the Guardian Group conguration. raft To congure ExtremeLocation support for ExtremeWireless, do the following:

1 Go to WIPS > Location Engine > ExtremeLocation. Conguring ExtremeLocation ExtremeWireless V10.41.06 User Guide 619 Working with Location Engine 2 Check Report to ExtremeLocation. D Figure 197: ExtremeLocation Conguration 3 Congure the following parameters:

Table 128: ExtremeLocation Conguration Parameters FField Description raft RSS threshold for reporting location data. Valid values are -90 to

-70 dBm. The IP address or FQDN (fully-qualied domain name) of the LocationEngine Server. Reporting interval in seconds. 4 Select one or more APs to assign for ExtremeLocation support. Use the search eld to nd a specic AP in the list. AP39xx models are supported. Server Address Minimum RSS Reporting Report every number of seconds 5 Click Save. Related Links ExtremeLocation Support on page 619 ExtremeWireless V10.41.06 User Guide 620 18 Working with Reports and Statistics AApplication Visibility and Device ID Viewing AP Reports and Statistics Available Client Reports Viewing Role Filter Statistics Viewing Topology Reports Viewing Mobility Reports Viewing Controller Status Information Viewing Routing Protocol Reports Viewing RADIUS Reports Call Detail Records (CDRs) D This chapter describes the various reports and statistics available in the Wireless system including:

Viewing AP Reports and Statistics Viewing Active Clients Viewing Role Filter Statistics Viewing Topology Reports Viewing Mobility Reports Viewing Controller Status Information Viewing Routing Protocol Reports Call Detail Records (CDRs) Application Visibility and Device Identication raft With ExtremeWireless, you can identify devices and applications on the wireless network. From the dashboard and the Active Client report, you can view:

IPv4 and IPv6 Addresses Host Name Operating System Device Type Top 5 Application Groups by Throughput (2-minute interval) Top 5 current Application Groups by Bytes, from session start. Throughput chart for an application group. Average TCP Round Trip Time. Average DNS Round Trip Time. Application Visibility and Device ID ExtremeWireless V10.41.06 User Guide 621 Working with Reports and Statistics ftFigure 198: Application Visibility by WLAN ExtremeWireless V10.41.06 User Guide 6622 Working with Reports and Statistics aftFigure 199: Application Visibility by Client Device Identication on page 625 Enabling Application Visibility with Device Identication on page 626 Application Visibility on page 623 RRelated Links Displaying Client Details on page 643 Wireless Assistant Home Screen on page 34 Application Visibility With the ability to gather application analytics, you can engineer wireless traffic to support company policies, preserve bandwidth, identify critical applications, assign higher priority and QOS values, and enhance network security. Application Visibility and Application Enforcement makes it possible to block restricted web content and block or limit peer-to-peer protocols to preserve network bandwidth. ExtremeWireless V10.41.06 User Guide 623 Working with Reports and Statistics With ExtremeWireless, you can view the top 5 application groups by WLAN (Wireless Local Area Network) from the controller Home dashboard and the top 5 application groups for each client from the Client Details report. The Applications by WLAN pie chart displays the top 5 application groups running on that WLAN. ExtremeWireless cycles through the active WLAN Services displaying statistics. To view detailed statistics, enable Application Visibility during the WLAN conguration; then, on the Home dashboard, click the displayed pie chart under Applications by WLAN. Or, click Enable Application Visibility from the Home dashboard. The controller and AP capture statistics for 31 pre-selected application groups. The top 5 application groups are displayed based on bytes and throughput over the last two-minute measuring period. The stats for each WLAN display for 30 seconds on a continuous cycle. Historical statistical data is available from ExtremeCloud and Extreme Application Analytics. Related Links L7 Conguration on page 307 Note For application enforcement, you must enable Application Visibility in WLAN conguration. D To manage wireless traffic in support of company policies, dene Layer 7 lter rules from the FFilter Rule Denition dialog. Layer 7 represents the application layer of the OSI communication module. Dene policy rules with access control actions for specic applications or groups of applications. Application visibility supports standard Extreme Application Analytics signatures. You can also congure up to 64 extended web application signatures. raft To classify a ow, the DPI engine must examine both client and server packets. The controller enforces policy for downstream traffic and the AP enforces policy for upstream traffic. For tunnel traffic, the DPI engine must examine the packets at the controller. Enforce this by clearing the AP Filtering check box on the PPolicy Rules tab. Device Identication on page 625 Wireless Assistant Home Screen on page 34 Enabling Application Visibility with Device Identication on page 626 Application Visibility and Device ID on page 621 Application Control for Tunneled Traffic ExtremeWireless V10.41.06 User Guide 624 Working with Reports and Statistics Device Identication D Figure 200: Conguring Policy Rules for Downstream Traffic at the Controller ExtremeWireless can identify the device type and operating system used by clients associated with an ExtremeWireless AP. Gathering this information in a site deployment furthers mobile user statistical reporting on the controller or Cloud. This feature is supported on the ExtremeWireless AP38xx or AP39xx series APs. This discovery is implemented on the AP through deep packet inspection of the DHCP (Dynamic Host Conguration Protocol) and HTTP packets. Regardless of how the traffic is bridged -- at the controller or routed -- ngerprinting is handled on the AP. This approach offers a consistent implementation that does not require a large processing load. The AP ngerprints the same messages as Extreme Access Control. raft The precision of the clients identity improves overtime. Each DHCP ngerprint has an assigned weight in the XML le. HTTP ngerprints are assigned a greater weight than DHCP ngerprints. The AP tracks the weight of a clients ngerprint. If a client is identied with a ngerprint that has a greater weight than what was previously stored in the database, the new device identity and weight value are updated in the database. Device ID is based on a DHCP database. The database is dened by an XML le that is built into both the AP and controller image. The XML le can be updated each time the image le is updated. The AP reports device identity changes to the controller and to the Cloud. This information is available to the user through the ExtremeWireless dashboard and through the controller reporting system. The client device type is included in all data streams where client parameters are included. For instance, this information is available to the ExtremeWireless Location Engine and to Extreme Management Center. Related Links Application Visibility and Device ID on page 621 Wireless Assistant Home Screen on page 34 Displaying Client Details on page 643 ExtremeWireless V10.41.06 User Guide 625 Working with Reports and Statistics Enabling Application Visibility with Device Identication To view statistics on the applications and devices associated with a specic WLAN Service, congure the WLAN Service with Application Visibility enabled. You can enable visibility from the WWLAN Services conguration screen or temporarily enable visibility from the HHome screen dashboard. To enable Application Visibility from the WLAN Service:

1 Go to VNS > WLAN Services and select a WLAN Service or click New. aft Figure 201: Application Visibility Check box Option 2 Check the App Visibility option and click Save. Note You can enable Application Visibility from the Home dashboard for WLAN Services that do not have this conguration option enabled. Related Links Application Visibility on page 623 Device Identication on page 625 Wireless Assistant Home Screen on page 34 ExtremeWireless V10.41.06 User Guide 626 Working with Reports and Statistics Viewing AP Reports and Statistics To view AP reports:

From the top menu, click Reports. aft Viewing Statistics for APs Several displays are snapshots of activity at that point in time on available APs:

Active APs Wired Ethernet Statistics Wireless Statistics Admission Control Statistics Mesh Statistics Wireless Load Groups AP Availability AP Inventory Channel Inspector AP Performance by Radio AP Performance by SSID and Radio AP Accessibility AP Dashboard. See AP Dashboard on page 157 ExtremeWireless V10.41.06 User Guide 6627 Working with Reports and Statistics The statistics displayed are those dened in the 802.11 MIB, in the IEEE 802.11 standard. Viewing Active Wireless APs Statistics in the Active Wireless APs report are expressed in respect to the AP. For example, Packets Sent indicates the packets the AP has sent to a client and Packets Recd indicates the packets the AP has received from a client. From the top menu, click Reports. 1 2 Click the Active APs display option. The AActive Wireless APs display opens in a new browser window. D raft Figure 202: Active Wireless APs Report Note IoT column indicates the IoT status for an AP. Valid values are:

Off. The iBeacon application is not running. iBeacon. The iBeacon application is running. N/A. IoT is not supported on this AP. Only AP models AP39xx support IoT. ExtremeWireless V10.41.06 User Guide 628 Working with Reports and Statistics Viewing Wired Ethernet Statistics:

From the top menu, click Reports. The AAvailable AP Reports screen displays. 1 2 Click the Wired Ethernet Statistics display option. The WWired Ethernet Statistics by Wireless APs display opens in a new browser window. Viewing Wireless Statistics:

D 3 In the left pane. click a registered AP to display its information. From the top menu, click Reports. 1 2 Click the Wireless Statistics display option. The WWireless Statistics by Wireless APs display opens in a new browser window. raft ExtremeWireless V10.41.06 User Guide 629 Working with Reports and Statistics 3 In the Wireless Statistics by Wireless APs display, click a registered AP to display its information. 4 Click the appropriate tab to display information for each Radio on the AP. Viewing Admission Control Statistics by Wireless AP:

From the top menu, click Reports. 1 2 Click the Admission Control Statistics display option. The AAdmission Control Statistics by Wireless AP display opens in a new browser window. D information:

3 In the Admission Control Statistics by Wireless AP display, click a registered AP to display its 4 The Admission Control Statistics by Wireless AP lists the TSPEC statistics associated with this AP:

raft AC Access class where TSPEC is applied, Direction Inbound, Outbound or Bidirectional, MDR Mean Data Rate NMS Nominal Packet Size SBA Surplus Bandwidth (ratio) The following statistics are of measured traffic:

Rate Rate in 30 second intervals (inbound and outbound) Violation Number of bits in excess in the last 30 seconds (inbound and outbound) Viewing Mesh VNS Wireless AP Statistics:

1 From the top menu, click Reports. ExtremeWireless V10.41.06 User Guide 630 Working with Reports and Statistics 2 From the Available AP Reports screen, click Mesh Statistics. The MMesh Statistics display opens in a new browser window. D The Rx RSS value on the Mesh Statistics display represents the received signal strength (in dBm). Viewing Load Balance Group Statistics The Active Wireless Load Groups report lists all load groups, and for the selected load group, all active AP radios. raft The AActive Wireless Load Groups report opens in a new browser window. Reports display differently when reporting on client balance load groups and radio preference load groups. To view the active wireless load groups report:

From the top menu, click Reports. 1 2 Click the Wireless Load Groups report. About Radio Preference/Load Control Statistics The statistics reported for each radio preference load balance group are:

Members The number of AP members ExtremeWireless V10.41.06 User Guide 631 Working with Reports and Statistics The statistics reported for each member of the load balance group are:

AP AP name Band Preference Status The operational status: enabled or disabled Probes Declined The number of probes declined Auth/Assoc Requests Declined The number of authentications or associations declined Load Control Radio 1 Status The operational status: enabled or disable Rejected The number of clients declined at the rst association attempt Radio 2 Status The operational status: enabled or disabled Rejected The number of clients declined at the rst association attempt Returned The number of clients declined at the second association attempt D Load balance group statistics are reported on the foreign controller when APs fail over with load groups from a different controller indicated with an (F) following the load group name. raft About Client Balancing Statistics Reports In a client balancing/load control statistics report, the statistics reported for each client balancing load balance group are:

Members Number of radio members Clients Total number of clients for all radio members Average Load Average load for the group The reported average load may not be correct in a failover situation. If some APs in the load balance group fail over the foreign controller, those APs will report to the foreign controller. The member APs will continue to use the member count for the whole group, but the member count displayed on the controller will be for only those APs that are reporting. Since the member count reported on the ExtremeWireless V10.41.06 User Guide 6632 Working with Reports and Statistics controller is not the complete set, the average will not be consistent with what the APs are using for the state determination. The statistics reported for each member of the load balance group are:

AP AP name Radio Radio number Load Load value (number of clients currently associated with the AP) State Load state Probes Declined Auth/Assoc Requests Declined Rebalance Event Clients removed because of an over-loaded state Viewing Wireless AP Availability In session availability, the Wireless Availability report displays the state of both the tunnels active tunnel and backup tunnel on both the primary and secondary wireless controllers. The report identies SIAPP sub-groupings and provide separate group statistics for each sub-group. When the load group includes sub-groups, Average Load, in red, is the average of the entire group. The average for each sub-group is also reported. The sub-group average is reported in red when group membership changes and not all members have been updated with the new member count. D Load balance group statistics are reported on the foreign controller when APs fail over with load groups from a different controller indicated with an (F) following the load group name. raft In the report, each AP is represented by a box. The label, Foreign or Local, indicates whether the AP is local or foreign on the controller. The color in the upper pane of the box represents the state of the tunnel that is established to the current controller. The report uses a Color Legend to indicate the tunnel state:

Green AP has established an active tunnel. Blue AP has established a backup tunnel. Red AP is not connected. NNote The current controller is the one on which the AP Availability report is viewed. The color in the lower pane of the box represents the state of the tunnel that is established with the other controller. For the ease of understanding, take the example of the following scenario:

Controller1 and Controller2 are paired in session availability A Wireless AP has established an active tunnel to Controller1. The same AP has established a backup tunnel to Controller2. If you open the Wireless AP Availability report on Controller2, the report will appear as follows:

ExtremeWireless V10.41.06 User Guide 633 Working with Reports and Statistics In the above example, the circled AP has established a backup tunnel to the foreign (secondary) controller, and an active tunnel to the local (Primary) controller. D AP Inventory Reports To view reports:

From the top menu, click Reports. 1 2 In the AAvailable AP Reports list, click the report you want to view. Note All AP Inventory reports open in a new browser window. raft Note If you open only automatically refreshed reports, the Web management session timer will not be updated or reset. Your session will eventually time out. The following is an example of the Wireless AP Inventory report:

ExtremeWireless V10.41.06 User Guide 634 Working with Reports and Statistics Table 129 lists the column names and abbreviations found in the AP Inventory report:

Table 129: AP Inventory Report Columns CColumn Name Description Wireless AP (Serial) Includes AP type, AP name, serial number, and role (including role type) Topology HW SW Country Antennas Ethernet port and associated IP address of the interface on the controller through which the AP communicates. Hardware version of the AP. Software version executing on the AP. Country in which the AP is deployed Antennas used Indicates ports on the AP39xx with low power status. Feature available for AP39xx only. Power Status D Secure tunnel mode Sec. Tunnel Cert. SSH Enabled or disabled SSH access (enabled or disabled) AP certication (enabled or disabled) Multicast Assembly (enabled or disabled) Location-based service (enabled or disabled) Broadcast disassociation (enabled or disabled). Poll timeout. If polling is enabled, a numeric value. raft 802.11a radio. The data entry for an AP indicates whether the a radio is on or off. The physical address of the AP's wired Ethernet interface. 802.11b protocol enabled. Possible values are on or off. 802.11g protocol enabled. Possible values are on or off. 802.11n protocol enabled. Possible values are on or off. Poll interval. If polling is enabled, a numeric value. As dened on the AAP Properties screen. Radios: 1 or 2. DTIM period LBS Mcast Assembly BD Persistence P/To P/I Wired MAC Description Rdo Ra Rb Rg Rn DP BP RT FT Req Ch Ch / Tx Aj TxMn Beacon Period RTS Threshold Fragmentation Threshold Last requested channel Current channel Tx power level Auto Tx Power Ctrl Adjust when ATPC is enabled Minimum Tx power, in decibels ExtremeWireless V10.41.06 User Guide 635 Working with Reports and Statistics Table 129: AP Inventory Report Columns (continued) CColumn Name Description TxMx ATT Dom MnBR Pmb PM PR Maximum Tx power, in decibels Attenuation for APs that support professional antenna installation. RF domain Minimum Basic Rate (For more information, see the Wireless AP radio conguration tabs.) Preamble (long, short) Protection Mode Protection Rate PT Protection Type VNS Name: MAC D 20MHz, 40MHz, or auto 11n Channel Width 11n Guard Interval Also called BSSID, this is the MAC address of a (virtual) wireless interface on which the AP serves a BSS/VNS. There could be 8 per radio. Assignment (address assignment method) Enabled only if 11n Channel Width is 40MHz If 11n Channel Width is 40MHz, long or short Protects high throughput transmissions on primary channels from non-11n APs and clients. Enabled or disabled. Maintain MU sessions on the Wireless AP when the AP loses the connection to the controller. raft Wireless AP's IP address if statically congured (same as the Static Values button on the AAP Static Conguration screen). If the AP's IP address is congured statically, the IP address of the gateway router that the AP will use. If the AP's IP address is congured statically, the net mask that is statically congured for the AP. 802.1x EAP-TLS authentication conguration 802.1x PEAP authentication conguration MTU Interface (enabled or disabled) MTU Tunnel value The list of IP addresses that the AP is congured to try to connect to in the event that the current connection to the controller is lost. MAC address of the IoT hardware. Indicates the image type for the IoT hardware. Valid values are: Bluetooth or Thread. Bluetooth is the default. Indicates the received RSSI for the beacon application. Currently xed. Valid values are: Min.-127dBm, Max. 127dBm, Default. -45dBm. The advertising interval for the beacon application. Valid values are: Min

(100ms) and Max (10240ms). The default value is Min (100ms). 11n Channel Bonding 11n Protection Mode Failure Maintn. Assn IP Address Netmask Gateway MTU Interface MTU Tunnel TLS PEAP EWC Search List IoT MAC Mode Power Interval ExtremeWireless V10.41.06 User Guide 636 Working with Reports and Statistics Table 129: AP Inventory Report Columns (continued) CColumn Name Description Major Minor Available for Export Only:

UUID Beacon Identies a subset of beacons within the larger set. This value could represent a venue specic attribute, such as a specic store or wing in a building. Valid values are 0 to 65635. Identies an individual beacon. Used to more precisely pinpoint beacon location. This value complements the UUID and Major values to provide more granular identication of a specic location, such as a particular shelf, door-

way, or item. Valid values are 0 to 65635. Identier used to differentiate a large group of related beacons. A company can have a network of beacons with the same UUID. Map coordinates. Used in conjunction with a site map. (Top left corner of the map is considered 0,0.) Location of AP XY D Channel Inspector Report Viewing the Channel Inspector Report on page 637 The Channel Inspector Report enhances Automatic Channel Selection (ACS) on the controller by providing an audit trail of selected channels and presenting a history of channel selection. The channel data generated from ACS populates the report, or you can initiate a channel scan on-demand from the user interface. The report is generated from the last channel scan. The date and time of the last channel scan appear on the report. raft Running Auto Channel Select (ACS) on page 638 Running a Background Scan on page 638 Channel Inspector Report Fields on page 638 1 2 Select Channel Inspector. To view the Channel Inspector Report:

From the top menu, click Reports. Viewing the Channel Inspector Report Related Links 3 Select Radio 1 tab or Radio 2 tab to see details for the different radios. ExtremeWireless V10.41.06 User Guide 637 Working with Reports and Statistics Running Auto Channel Select (ACS) ACS provides an easy way to optimize channel arrangement based on the current situation in the eld. An optimal solution is provided only if ACS is triggered on all APs in a deployment, or all APs placed in a distinct area like a oor. ACS forces the channel width selection of the involved APs to Auto width. The ACS algorithm selects the optimal channel width for all the selected APs and places each AP on the best channel available in its area. Use the Channel Inspector Report to visualize why the AP was placed on the selected channel. To initiate ACS from the Channel Inspector Report, click Auto Channel Select. To verify channel assignment without making changes, see Running a Background Scan on page 638. RRelated Links Channel Inspector Report Fields on page 638 Dynamic Radio Management (DRM) on page 174 D Running a Background Scan From the Channel Inspector Report, click On-Demand Background Scan. The background scan does not change channel assignments, it simply provides details about the current assignments. Run background scan on each radio separately. To change channel assignments, you must run ACS. Background scan extends the usefulness of the Automatic Channel Scan (ACS) feature. It is a reporting tool that helps you verify and understand channel assignments. Where ACS will disrupt service and result in a persistent channel assignment, the on-demand background scan runs without disrupting service. To verify channel assignments and review channel details without having to run a full ACS, run an on-demand background scan. raft Indicates the operating channel of the AP. This is not necessarily the highest ranked channel. For best performance, you want the highest ranked channel to be the operating channel. Table 130: Channel Inspector Report Field Channel Inspector Report Fields on page 638 Description Channel Inspector Report Fields Related Links Operating Channel Last Scan Refresh Auto Channel Select Date and time of the last background scan. Auto refresh ensures that the most recent scan data is presented. Enable or disable auto refresh at the top of the report. 30 seconds is the default auto refresh value. If auto refresh is disabled, click the Refresh button to manually refresh the display. Initiates Auto Channel Selection (ACS). ACS will disrupt service and result in a persistent channel assignment. Use this option to reassign the channels. The ACS scan will disrupt network activity. ExtremeWireless V10.41.06 User Guide 638 Working with Reports and Statistics Table 130: Channel Inspector Report (continued) FField Description On-Demand Background Scan Ranking Frequency Noise The background scan does not change channel assignments, it simply provides details about the current assignments. Run background scan on each radio separately. To change channel assignments, you must run ACS. Indicates the best operating channel based on a 5-star ranking. This ranking is relative to the channels that are available. Radio Frequency channels with the beacon channel (primary) denoted with brackets. The following is an 80MHz channel example showing

[5220] as the beacon channel. 44: (5180 5200 [5220] 5240). Channel noise measured in Decibel-milliwatts (dBm). Channel Details Interference Type D Adjacent. APs on adjacent channels are close enough to interfere, Overlapping. Applicable for 40MGz and 80MGz channels only. The but not close enough to know they are interfering. They do not have the benet of DCF. Click the details link to display the following channel details:

Describes the channel interference in relation to the operating channel. Possible values are:

Co-Channel. All the APs on the same channel as the target AP are competing. Using Distributed Control Function (DCF) collisions are avoided because the APs know to avoid each other; however, the more traffic on the channel the greater the chance of collisions. Throughput slows but all packets get through. raft 20MGz channel is designated as the primary and the other channels are designated as extension channels (secondary). If the primary channel of one AP is the same as the extension channel of another AP it is considered overlapping. Overlapping is the worst type of interference. Radio Frequency channels with the beacon channel (primary) denoted with brackets. The following is an 80MHz channel example showing

[5220] as the beacon channel. 44: (5180 5200 [5220] 5240). Example Notation, Co-Channel 20 44: (5220) indicates that there is co-channel interference on the beacon channel 5220. Basic Service Set Identier. Identies the AP. Service Set Identier. Identies the network. Received signal strength value. Name of the AP provided at network setup. Frequency RSS BSSID SSID AP Name AP Performance by Radio Report 1 From the top menu, click Reports. ExtremeWireless V10.41.06 User Guide 639 Working with Reports and Statistics 2 Click the AP Performance by Radio display option. The AAP Performance by Radio display opens in a new browser window. D AP Performance by SSID and Radio Report 1 From the top menu, click Reports. raft ExtremeWireless V10.41.06 User Guide 640 Working with Reports and Statistics 2 Click the AP Performance by SSID and Radio display option. The AAP Performance by SSID and Radio display opens in a new browser window. D AP Accessibility Report 1 From the top menu, click Reports. The AAvailable AP Reports screen displays. raft ExtremeWireless V10.41.06 User Guide 641 Working with Reports and Statistics 2 Click the AP Accessibility Report display option. The AAP Accessibility Report display opens in a new browser window. D raft By VNS Displays a list of congured VNS. Select a VNS to view a list of connected clients. Each report displays the number of connected users, broken down into a count of active users, authenticated users, and non-authenticated users. All Active Clients Displays a list of all active clients. ExtremeWireless offers reports to view data related to the network clients. View reports in any of the following ways:

By AP Displays a list of available APs in the left pane. Select an AP to view a list of connected clients. Available Client Reports Related Links Viewing All Clients on page 642 Displaying Client Details on page 643 Client Search Facility on page 645 Viewing Client MAC and OUI on page 646 Viewing All Clients View a list of all clients and take action on one or more clients in the list. You can also export the list of clients to an XML le. ExtremeWireless V10.41.06 User Guide 642 Working with Reports and Statistics 1 From the top menu, click Reports > Clients > All Active Clients. Figure 203: All Active Client Report raft NNote Clients supporting 802.11W Protected Management Frame (PMF) display a W in the client Protocol eld. buttons:

Add to Blacklist. Add the selected wireless device's MAC address to a blacklist of wireless clients that will not be allowed to associate with the AP. 3 To take action on one or more clients, select the check box for the client and click one of the action 2 Use the Search facility to nd a specic client. For more information, see Client Search Facility on page 645. Disassociate. Cut the connection with a particular wireless device. Show OUI. The Organizationally Unique Identier (OUI) is a 24-bit number that uniquely identies the client vendor or manufacturer. Export. Export selected clients to an XML le. System prompts you to open or save the XML le. 4 To view client details, click the client row (not the check box). For more information, see Displaying Client Details on page 643. Displaying Client Details Display client details to determine client activity and usage of network resources. From the All Client report, you can display the following information for each client:

ExtremeWireless V10.41.06 User Guide 643 Working with Reports and Statistics IPv4 and IPv6 Addresses Host Name Operating System Device Type Top 5 Application Groups by Throughput (2-minute interval) Top 5 current Application Groups by Bytes, from session start. Throughput chart for an application group. Average TCP Round Trip Time. Average DNS Round Trip Time. 1 Go to Reports > Clients. The All Clients report appears. 2 Click on a client row (not the check box). The DDetailed Information dialog for the client appears. D Figure 204: Client Detailed Information ExtremeWireless V10.41.06 User Guide 644 Working with Reports and Statistics raftFigure 205: Camera as a Client On the AAll Active Clients report, search for any part of the client string. When viewing the CClients by AP report or the CClients by VNS report, search the client report for a specic client by one of the following criteria:

user name MAC Address IP Address OUI (Organizationally Unique Identier) Application Visibility and Device ID on page 621 AP3916ic (Integrated Camera) on page 104 RRelated Links Client Search Facility Results:

Clients that match the search criteria appear. Select one or more clients and apply actions to selected clients. ExtremeWireless V10.41.06 User Guide 645 Working with Reports and Statistics VViewing Client MAC and OUI Take the following steps to view the MAC address and OUI for selected clients. The Organizationally Unique Identier (OUI) is a 24-bit number that uniquely identies the client vendor or manufacturer. From the top menu, click Reports > Clients. 1 2 Select the check box next to a client row and click Show OUI. The CClient MAC and OOUI Full Name for the selected client display. D Figure 206: Show OUI dialog Viewing Role Filter Statistics From the top menu, click Reports. 1 2 In the left pane, click Filter Statistics. The AAvailable Filter Statistics Reports screen displays. raft ExtremeWireless V10.41.06 User Guide 646 Working with Reports and Statistics 3 Under Available Filter Statistics Reports, click Role Filter Statistics. The RRole Filter Statistics display opens in a new browser window. D 4 Under Available Filter Statistics Reports, click Topology Filter Statistics. The Topology Filter disappears as soon as it times out. Statistics display opens in a new browser window. Statistics are expressed in respect to the AP. Therefore, Packets Allowed indicates the packets the AP has received from a client and Packets Denied indicates the packets the AP has rejected. A client is displayed as soon as the client connects (or after a refresh of the screen). The client raft Statistics are expressed in respect to the AP. Therefore, Packets Allowed indicates the packets the AP has received from a client and Packets Denied indicates the packets the AP has rejected. A client is displayed as soon as the client connects (or after a refresh of the screen). The client disappears as soon as it times out. ExtremeWireless V10.41.06 User Guide 647 Working with Reports and Statistics Viewing Topology Reports Topology Statistics Displays statistics for total sent and received packets, octects, multicast packets, and broadcast packets. Wired Topology Statistics Displays statistics for each topology including total packets sent and received. EWC Port Statistics Displays port statistics for active Topologies including current status and totals for frames, octects, multicast frames and broadcast frames sent and received. DHCP Leases Displays statistics to help determine if you have sufficient DHCP addresses for your needs and whether the lease times are too long. From the top menu, click Reports. 1 2 In the left pane, click Topology. The AAvailable Topology Reports screen displays. D raft 3 Under Available Topology Reports, click Topology Statistics. The TTopology Statistics display opens in a new browser window. ExtremeWireless V10.41.06 User Guide 648 Working with Reports and Statistics 4 Under Available Topology Reports, click Wired Topology Statistics. The WWired Topology Statistics display opens in a new browser window. D 5 Under Available Topology Reports, click EWC Port Statistics. The PPort Statistics display opens in a new browser window. raft Statistics are expressed in respect to the AP. Therefore, Frames Sent indicates packets sent to the AP from a client and Frames Received indicates the packets received from the AP. ExtremeWireless V10.41.06 User Guide 649 Working with Reports and Statistics 6 Under Available Topology Reports, click DHCP Leases. The DDHCP Leases display opens in a new browser window. D Abandoned leases should rarely be seen. The presence of one or more abandoned leases indicates that another DHCP server may be operating on the same subnet, resulting in IP address conicts. The server abandons the use of any address it thinks is being managed by another DHCP server. The report applies only to the DHCP server hosted on the local controller. The report is empty if DHCP is not enabled on any of the controllers topologies. Otherwise, for each of the controllers topologies the report provides a summary table of the address range, number of excluded address and total addresses available, a pie chart showing the proportion of addresses that are free, in use or abandoned, and a graph that shows how many leases will become available at different times assuming that no more leases are handed out by the server from this instant. raft The lease expiry graph indicates the proportion of available leases that will be available now, 1, 4 hours, 1 day, 1 week 50 and 90 days from now assuming that the server never hands out another lease. If the network serves a relatively small number of users, who are in fact the same users day in and day out, then you should use longer lease times, meaning that this graph should not show 100%

address availability until farther to the right in the graph. If you have a high turn over of users (like in a university classroom that has a different set of people every 1 hour) then you should use shorter lease times (achieve 100% availability more towards the left in the graph). If you nd that you are running out of addresses, you should use the line graph to decide if you can afford to shorten lease times to make leases available sooner as opposed to creating a new, bigger subnet to handle more users concurrently. Viewing Mobility Reports The Mobility Domain is a virtual combination of Wireless LAN Controllers (WLCs) grouped for the purpose of roaming. The controller group consists of a Mobility Manager, Mobility agents, and a Backup Mobility Manager. The Mobility Domain preserves information about user sessions, allowing users to roam through the use of identity-based networking. A Mobility Domain can also provide network exibility and scalability. ExtremeWireless V10.41.06 User Guide 650 Working with Reports and Statistics When a controller has been congured as a mobility manager, additional displays appear as options in the left pane:

Primary Manager Mobility Tunnel Matrix Displays a cross-connection view of the state of inter-

controller tunnels, as well as relative loading for user distribution across the mobility domain. Client Location in Mobility Zone Displays the active wireless clients and their status. Backup Manager Mobility Tunnel Matrix Displays a cross-connection view of the state of inter-

controller tunnels, as well as relative loading for user distribution across the mobility domain. Remotable VNS Displays the active wireless clients and their status. NNote There are four possible reports available from the Available Mobility Reports page depending on the conguration of the controller. If the controller does not have mobility enabled, it will just include the Remotable VNS report. D raft To view Mobility Manager reports:

From the top menu, click Reports. 1 2 In the left pane, click Mobility. 3 Click the appropriate mobility manager report:

Client Location in Mobility Zone Backup Manager Mobility Tunnel Matrix Remotable VNS Primary Manager Mobility Tunnel Matrix The colored status indicates the following:

Green The mobility manager is in communication with an agent and the data tunnel has been successfully established. Yellow The mobility manager is in communication with an agent but the data tunnel is not yet successfully established. Red The mobility manager is not in communication with an agent and there is no data tunnel. ExtremeWireless V10.41.06 User Guide 651 Working with Reports and Statistics Client Location in Mobility Zone This report displays the active wireless clients and their status. D Figure 207: Client Location in Mobility Zone Report box. Dene the refresh rates for this display. Export this information as a .xml le. You can do the following:

Sort this display by home or foreign controller. Search for a client by MAC address, user name, or IP address, and typing the search criteria in the raft This report displays a cross-connection view of the state of inter-controller tunnels, as well as relative loading for user distribution across the mobility domain. The following report illustrates a mobility setup with three controllers:

Mobility Manager (M) (10.105.0.5) Mobility Agent/Backup Manager (BM) 10.105.0.9 Mobility Agent (10.105.0.7) In the following illustration, there is one client on the Primary Manager (M) and 0 clients on the other controllers. As the client moves through the Mobility group, the number of clients will change from 0 to 1 depending on which tunnel the client moves through. This report graphically displays the number of data tunnels, number of active mobility clients, and the number of clients on each controller. Primary/Backup Manager Mobility Tunnel Matrix Downed tunnels are represented in brown. NNo tunnels: 0 indicates that all tunnels are up. ExtremeWireless V10.41.06 User Guide 652 Working with Reports and Statistics D Figure 208: Primary/Backup Manager Mobility Tunnel Matrix This report provides the following information:

Provides connectivity matrix of mobility state. Provides a view of:

If a tunnel between controllers is reported down, it is highlighted in red. If only a control tunnel is present, it is highlighted in yellow. If data and control tunnels are fully established, it is highlighted in green. Tunnel state Tunnel Uptime Number of clients roamed (Mobility loading) Local controller loading Mobility membership list raft The Active Clients by VNS report for the controller on which the user is home (home controller) will display the known user characteristics (IP, statistics, etc.). On the foreign controller, the Clients by VNS report does not show users that have roamed from other controllers, since the users remain associated with the home controller's VNS. A controller is only removed from the mobility matrix if an administrator explicitly removes it from the by Mobility permission list. If there is a link between controllers, or the controller is down, the corresponding matrix connections are identied in red to identify the link. The Active Clients by AP report on each controller will show both the loading of local and foreign users

(users roamed from other controllers) that are taking resources on the AP. NNote Although you can set the screen refresh period less than 30 seconds, the screen will not be refreshed quicker than 30 seconds. The screen will be refreshed according to the value you set only if you set the value above 30 seconds. ExtremeWireless V10.41.06 User Guide 653 Working with Reports and Statistics Remotable VNS This report displays the active wireless clients and their status. aft Figure 209: Remotable VNS Report You can do the following:

Sort this display by home or foreign controller. Search for a client by MAC address, user name, or IP address, and typing the search criteria in the box. Dene the refresh rates for this display. Export this information as an xml le. Viewing Controller Status Information External Connection Statistics Displays connection information including security level. System Information Displays system information including memory usage and CPU and board temperatures. Manufacturing Information Displays manufacturing information including the card serial number and CPU type and frequency. ExtremeWireless V10.41.06 User Guide 6654 Working with Reports and Statistics Viewing External Connection Statistics To view external connection statistics:

From the top menu, click Reports. 1 2 In the left pane, click Controller Status. The AAvailable Controller Status Reports screen displays. 3 Click the External Connection Statistics option. The EExternal Connection Statistics display opens in a new browser window. raft ExtremeWireless V10.41.06 User Guide 655 Working with Reports and Statistics Viewing System Information To view system information:

From the top menu, click Reports. 1 2 In the left pane, click Controller Status. The AAvailable Controller Status Reports screen displays. 3 Click the System Information display option. The SSystem Information display opens in a new browser window. D raft Viewing Manufacturing Information To view manufacturing information:

1 From the top menu, click Reports. ExtremeWireless V10.41.06 User Guide 656 Working with Reports and Statistics 2 In the left pane, click Controller Status.. The AAvailable Controller Status Reports screen displays. 3 Click the Manufacturing Information display option. The MManufacturing Information display opens in a new browser window. D raft The following reports are available in the Extreme Networks ExtremeWireless system:

Forwarding Table Displays the dened routes, whether static or OSPF (Open Shortest Path First), OSPF Neighbor Displays the current neighbors for OSPF (routers that have interfaces to a and their current status. common network). OSPF Linkstate Displays the Link State Advertisements (LSAs) received by the currently running OSPF process. The LSAs describe the local state of a router or network, including the state of the routers interfaces and adjacencies. Viewing Routing Protocol Reports Viewing Forwarding Table To view the forwarding table:

1 From the top menu, click Reports. ExtremeWireless V10.41.06 User Guide 657 Working with Reports and Statistics 2 In the left pane, click Routing Protocols. The AAvailable Routing Protocols Reports screen displays. D 3 Click the Forwarding Table option. The FForwarding Table displays in a new browser window. raft Note If you open only automatically refreshed reports, the Web management session timer will not be updated or reset. Your session will eventually time out. ExtremeWireless V10.41.06 User Guide 658 Working with Reports and Statistics Viewing OSPF Neighbor Table To view the OSPF neighbor table:

From the top menu, click Reports. 1 2 In the left pane, click Routing Protocols. 3 Click the OSPF Neighbor option. The OOSPF Neighbor displays in a new browser window. D raft Viewing OSPF Linkstate Table To view the OSPF Linkstate table:

1 From the top menu, click Reports. The AAvailable AP Reports screen displays. 2 In the left pane, click Routing Protocols. ExtremeWireless V10.41.06 User Guide 659 Working with Reports and Statistics 3 Click the OSPF Linkstate option. The OOSPF Linkstate displays in a new browser window. D raft Note If your default XML viewer is Internet Explorer or Netscape, clicking Open will open the exported data to your display screen. You must right-click to go back to the export display. The XML data le will not be saved to your local drive. Saving Report In XML To export and save a report in xml:

1 On the report screen, click Export. A Windows FFile Download dialog is displayed. 2 Click Save. A Windows SSave As dialog is displayed. 3 Browse to the location where you want to save the exported XML data le, and in the File name box enter an appropriate name for the le. 4 Click Save. The XML data le is saved in the specied location. Viewing RADIUS Reports The following RADIUS reports are available in the Extreme Networks ExtremeWireless system:

RADIUS Statistics by VNS Displays a list of VNS along with the number of Requests and their status (Failed or Rejected). ExtremeWireless V10.41.06 User Guide 660 Working with Reports and Statistics Access-Reject Reply-Message Displays the current list of messages along with an active count of all messages. From the top menu, click Reports. 1 2 In the left pane, click RADIUS. The AAvailable RADIUS Reports screen displays. raft ExtremeWireless V10.41.06 User Guide 661 Working with Reports and Statistics 3 Click RADIUS Statistics by VNS option. The report displays in a new browser window. D 4 To view the Access-Reject Messages, in the left pane, click Access-Reject Messages option. raft ExtremeWireless V10.41.06 User Guide 6662 Working with Reports and Statistics 5 Click Save. A SSave As dialog is displayed. Call Detail Records (CDRs) You can congure the wireless controller to generate Call Detail Records (CDRs), which contain usage information about each wireless session per VNS. For more information on how to congure the controller to generate CDRs, refer to Dening Accounting Methods for a WLAN Service on page 336. CDRs are located in a CDR directory on the controller. To access the CDR le, you must rst back up the le on the local drive, and then upload it to a remote server. After the CDR le is uploaded to a remote server, you can work with the le to view CDRs or import the records to a reporting tool. You can back up and upload the le on the remote server either via the Wireless Assistant (GUI) or CLI. CDR File Naming Convention D CDRs are written to a le on the controller. The lename is based on the creation time of the CDR le with the following format: YYYYMMDDhhmmss.<ext>

YYYY Four digit year MM Two digit month, padded with a leading zero if the month number is less than 10 DD Two digit day of the month, padded with a leading zero if the day number is less than 10 hh Two digit hour, padded with a leading zero if the hour number is less than 10 mm Two digit minute, padded with a leading zero if the minute number is less than 10 ss Two digit second, padded with a leading zero if the second number is less than 10

<ext> File extension, either .work or .dat raft renamed with the .dat extension when it attains its maximum size (16 MB) or it has been open for the maximum allowed duration (12 hours). You can back up and copy the .work le from the controller to a remote server. Two types of CDR les exist in the CDR directory on the controller:

.work The active le that is being updated by the accounting system. The le is closed and

.dat The inactive le that contains the archived account records. You can back up and copy the .dat le from the controller to a remote server. CDR File Types Note The CDR directory on the controller only has two les a .work le and a .dat le. When the .work le attains its maximum size of 16 MB, or it has been open for 12 hours, it is saved as a .dat le. This new .dat le overwrites the existing .dat le. If you want to copy the existing .dat le, you must do so before it is overwritten by the new .dat le. ExtremeWireless V10.41.06 User Guide 663 Working with Reports and Statistics CDR File Format A CDR le contains a sequence of CDR records. The le is a standard ASCII text le. Records are separated by a sequence of dashes followed by a line break. The individual elds of a record are reported one per line, in "eld=value" format. The following table describes the records that are displayed in a CDR le. NNote Most of the CDR records are typical RADIUS server attributes. For more information, refer to the user manual of your RADIUS server. Table 131: CDR Records and Their Description CDR Records Description User-Name Acct-Session-ID D Acct-Interim-Interval A unique CDR ID Filter-ID The name of the user, who was authenticated. The name of the lter list for the user. The number of seconds between interim accounting updates. Indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop). The maximum number of seconds of service to be provided to the user before termination of the session. This eld is copied from the access-accept message sent by the RADIUS server during authentication. raft Indicates how the user was authenticated, whether by RADIUS (AAA), Local (Internal CP) or Remote (External CP). The eld displays one of the following values:

1 AAA authentication 2 Internal CP authentication 3 External CP authentication Indicates how many seconds the client tried to authenticate send this record for, and can be subtracted from the time of arrival on the server to nd the approximate time of the event generating this Accounting-

Request. Indicates the address to be congured for the user This eld is sent from the NAS to indicate the nature of the users connection 802.11b for Radio b/g or 802.11a for radio a. Indicates RADIUS NAS Port Type is Wireless 802.11 The Wireless APs MAC address. The clients MAC address. Session-Timeout Class Acct-Status-Type Acct-Delay-Time Acct-Authentic Framed-IP-Address Connect-Info NAS-Port-Type Called-Station-ID Calling-Station-ID Extreme Networks-AP-Serial The APs serial number. Extreme Networks-AP-Name The APs name. Extreme Networks-VNS-Name The VNS name on which the session took place. Extreme Networks-SSID The SSID name on which the session took place. ExtremeWireless V10.41.06 User Guide 664 Working with Reports and Statistics Table 131: CDR Records and Their Description (continued) CCDR Records Description Acct-Session-Time Acct-Output-Packets Acct-Input-Packets Acct-Output-Octets Acct-Input-Octets The number of seconds the user has received the service. The number of packets that were sent to the port in the course of delivering this service to a framed user. The number of packets that have been received from the port over the course of this service being provided to a Framed User. The number of octets that were sent to the port in the course of delivering the service. The number of octets that were received from the port over the course of the service. Acct-Terminate-Cause D Indicates the time at which the client was authenticated. The time is in the following format: Date hh:mm:ss. For example, April 21 2008 14:50:24 Indicates how the session was terminated. The eld displays one of the following values:

1 User Request 4 Idle Timeout 5 Session Timeout 6 Admin Reset 11 NAS Reboot 16 Callback 17 User Error raft Indicates the time at which the client was disassociated from the AP. The time is in the following format: Date hh:mm:ss. For example, April 21 2008 14:57:20. The following is a high-level overview of how to view CDRs:

1 Back up the CDR les on the local drive of the controller. 2 Copy the CDR les from the controller to the remote server. 3 Unzip the le. 4 Download the CDR les from the remote server to view CDRs. Authenticated_time Disassociation_time Viewing CDRs Note You cannot access the CDR les directly from the CDR directory. When you back up CDRs, both the .work and .dat les are zipped into a single .zip le. This .zip le is uploaded on the remote server. You can unzip this le from the remote server to extract the .work and .dat les. You can back up and upload the les on the remote server either via the Wireless Assistant (GUI) or CLI. This section describes how to back up and copy the CDR les to a remote server via the Wireless Assistant (GUI). For more information on how to copy the CDR le to the remote server via CLI, refer to the Extreme Networks ExtremeWireless CLI Reference Guide. ExtremeWireless V10.41.06 User Guide 665 Working with Reports and Statistics Backing Up and Copying CDR Files to a Remote Server To back up and copy the CDR les to a remote server:

From the top menu, click Controller. 1 2 In the left pane, click Administration > Software Maintenance. 3 Click the BBackup tab. t ExtremeWireless V10.41.06 User Guide 666 Working with Reports and Statistics 4 From the Select what to backup drop-down menu, click CDRs only, and then click Backup Now. The following window displays the backup status. D 5 To close the window, click Close. The backed up le is displayed in the AAvailable Backups box. 6 To upload a backup to a Remote, in the Copy Selected Backup > to section, select Remote, then do Note The .work and .dat les are zipped into a single le. the following:

Protocol Select the le transfer protocol you want to use to upload the backup le, SCP or FTP. Server Type the IP address of the server where the backup will be stored. raft Note The Server Address eld supports both IPv4 and IPv6 addresses. User ID Type the user ID to log in to the server. Password The password to log in to the server. Conrm The password to conrm the password. Directory The directory in which you want to upload the CDR le. Filename Select the zipped CDR le name. 7 To upload a backup to Flash, in the Copy Selected Backup > to section, select Flash, then do the following:

Filename Select the zipped CDR le name. 8 In the CCopy Selected Backup to section, click Copy. The .zip le is uploaded on to the server. 9 Unzip the le. The two CDR les .work and .dat are visible on the server. ExtremeWireless V10.41.06 User Guide 667 Working with Reports and Statistics 10 To view CDRs, download the les. D Figure 210: Sample .dat File raft ExtremeWireless V10.41.06 User Guide 6668 19 Performing System Administration PPerforming Wireless AP Client Management Dening Wireless Assistant Administrators and Login Groups Performing Wireless AP Client Management Related Links Maintenance Guide. Backup and restore the controller database. For more information, see the ExtremeWireless D There are times when for business, service, or security reasons you want to cut the connection with a particular wireless device. You can view all the associated wireless devices, by MAC address, on a selected AP and do the following:

Disassociate a selected wireless device from its AP. Take this action from the All Clients Report. See Viewing All Clients on page 642. Add a selected wireless device's MAC address to a blacklist of wireless clients that will not be allowed to associate with the AP. For more information, see Adding Clients to a Blacklist on page 669. raft Viewing All Clients on page 642 Adding Clients to a Blacklist on page 669 To create a client blacklist:

1 Go to AP. Adding Clients to a Blacklist ExtremeWireless V10.41.06 User Guide 669 Performing System Administration 2 In the left pane, click Global > Whitelist/Blacklist. 3 Do one of the following:

D Type the client MAC Address or OUI Prex and click Add. Click Select OUI/IABs, and search for a client OUI/IAB by company name. The Organizationally Unique Identier (OUI) is a 24-bit number that uniquely identies the client vendor or manufacturer. (Search by company name.) Individual Address Block (IAB) is a block of identiers that uniquely identify the assignee of the IAB. The purpose of the IAB is to allow organizations to purchase smaller blocks of identiers. raft Figure 211: Searching OUI/IAB by Company Name ExtremeWireless V10.41.06 User Guide 6670 Performing System Administration 4 Select one or more items to add to the blacklist and click OK. aft 5 To remove clients from the list, select one or more clients on the list and click Remove Selected. Figure 212: Example List RRelated Links Viewing Client MAC and OUI on page 646 Viewing All Clients on page 642 Managing an IoT Whitelist Create a whitelist of approved nodes for the Thread Network. The IoT whitelist applies to all APs that are congured for Thread Gateway associated with the controller. ExtremeWireless V10.41.06 User Guide 671 Performing System Administration If your whitelist is empty, all sensors with the default password THREAD have access to the Thread Network. Once you congure at least one node on the whitelist, network access is limited to only nodes congured on the whitelist. NNote Once a whitelist is congured, only nodes congured on the whitelist gain access to the Thread Network. 1 Go to AP > Global > Whitelist - IoT. A list of approved nodes is displayed. 2 To add a node to the whitelist, click the plus sign and provide the EUI (Extended Unique Identier) and shared-password for the node. 3 To delete a node from the whitelist, select a node and click the minus sign. D raft Figure 213: Whitelist - IoT Related Links Whitelist Node Parameters on page 672 Whitelist Node Parameters Create a whitelist of approved nodes for the Thread Network. The IoT whitelist applies to all APs that are congured for Thread Gateway associated with the controller. Use the long EUI for each sensor and the pre-shared password. The short EUI is not used. Currently, the whitelist can be comprised of a maximum 32 nodes. ExtremeWireless V10.41.06 User Guide 672 Performing System Administration Table 132: Node Parameters FField Description EUI Password Extended Unique Identier for each sensor node, determined by the sensor manufacturer. Pre-shared password. Sensor passwords are created when the sensor is commissioned, outside of ExtremeWireless. The default password is THREAD. Related Links Managing an IoT Whitelist on page 671 IoT Thread Gateway on page 196 Dening Wireless Assistant Administrators and Login Groups D controller, including the GuestPortal user accounts. GuestPortal managers Users assigned to this login group can only manage GuestPortal user Read-only administrators Users assigned to this login group have read-only access rights on the controller. Full administrators can manage all aspects of the controller, including GuestPortal user accounts. accounts. Any user who logs on to the controller and is assigned to this group can only access the GuestPortal Guest Administration page of the Wireless Assistant. You can dene the login user names and passwords for administrators that have access to the Wireless Assistant. You can also assign them to a login group as full administrators, read-only administrators, or as GuestPortal managers. For each user added, you can dene and modify a user ID and password. Full administrators Users assigned to this login group have full administrator access rights on the raft Note Passwords can include the following characters: A-Z a-z 0-9 ~!@#$%^&*()_+|-=\{}[];<>?,. Password cannot include the following characters: / ` ' " : or a space. To add a controller administrator to a login group:

From the top menu, click Controller. 1 ExtremeWireless V10.41.06 User Guide 673 Performing System Administration 2 From the left pane, click Administration > Login Management. The following screen appears:

aft 3 In the Group drop-down list, click one of the following:

Full Administrator Users assigned to this login group have full administrator access rights on Full administrators can manage GuestPortal user accounts. Read-only Administrator Users assigned to this login group have read-only access rights on the controller. the controller. Read-only administrators have read access to the GuestPortal user accounts. GuestPortal Manager Users assigned to this login group can only manage GuestPortal user accounts. Any user who logs on to the controller and is assigned to this group can only access the GuestPortal Guest Administration page of the wireless assistant. For more information, see Performing System Administration on page 669. 4 In the User ID box, type the user ID for the new user. A user ID can only be used once, in only one category. 5 In the Password box, type the password for the new user. 6 In the Conrm Password, re-type the password. ExtremeWireless V10.41.06 User Guide 6674 Performing System Administration 7 Click Add User. The new user is added to the appropriate login group list. RRelated Links Modifying Admin Password on page 675 Removing Administrator on page 675 Modifying Admin Password To modify a controller administrator password:

1 Go to Controller. 2 In the left pane, click Administration > Login Management. 3 Click the user whose password you want to modify. 4 In the Password box, type the new password for the user. 5 Under Conrm Password re-type the new password. 6 To change the password, click Change Password. D Removing Administrator To remove a controller administrator:

1 Go to Controller. 2 In the left pane, click Administration > Login Management. The Login Managementtab is displayed. 3 Click the user you want to remove. 4 Click Remove user. The user is removed from the list. raft ExtremeWireless V10.41.06 User Guide 675 20 Logs, Traces, Audits and DHCP Messages EExtremeWireless Appliance Messages Working with Logs Viewing Wireless AP Traces Viewing Audit Messages Viewing the DHCP Messages Viewing the NTP Messages Viewing Software Upgrade Messages Viewing Conguration Restore/Import Messages D ExtremeWireless Appliance Messages internal monitoring of software The ExtremeWireless Appliance generates four types of messages:

Logs (including alarms) Messages that are triggered by events Traces Messages that display activity by component, for system debugging, troubleshooting, and raft Caution In order for the Debug Info option on the WWireless AP Traces screen to return trace messages, this option must be enabled while Wireless AP debug commands are running. To do so, you need to run a Wireless AP CLI command to turn on a specic Wireless AP debug. Once the CLI command is run, select the Debug Info option, and then click Retrieve Traces. For more information, see Extreme Networks ExtremeWireless CLI Reference Guide. Because Wireless AP debugging can affect the normal operation of Wireless AP service, enabling debugging is not recommended unless specic instructions are provided. Audits Messages that record administrative changes made to the system DHCP Messages that record DHCP (Dynamic Host Conguration Protocol) service events Working with Logs The log messages contain the time of event, severity, source component, and any details generated by the source component. Log messages are divided into three groups:

Controller logs Wireless AP logs Login logs ExtremeWireless V10.41.06 User Guide 676 Logs, Traces, Audits and DHCP Messages Log Severity Levels Log messages are classied at four levels of severity:

Information (the activity of normal operation) Minor (alarm) Major (alarm) Critical (alarm) The alarm messages (minor, major or critical log messages) are triggered by activities that meet certain conditions that should be known and dealt with. The following are examples of events on the wireless controller that generate an alarm message:

Reboot due to failure Software upgrade failure on the wireless controller Software upgrade failure on the wireless AP Detection of rogue access point activity without valid ID Availability conguration not identical on the primary and secondary wireless controller D If SNMP (Simple Network Management Protocol) is enabled on the wireless controller, alarm conditions will trigger a trap in SNMP (Simple Network Management Protocol). An SNMP trap is an event notication sent by the managed agent (a network device) to the management system to identify the occurrence of conditions. Note The log statements Low water mark level was reached and Incoming message dropped, because of the rate limiting mechanism indicate that there is a burst of log messages coming to the event server and the processing speed is slower than the incoming rate of log messages. These messages do not indicate that the system is impaired in any way. raft From the top menu, click Logs. To view wireless controller logs:

1 Viewing the Wireless Controller Logs ExtremeWireless V10.41.06 User Guide 677

 

 

Logs, Traces, Audits and DHCP Messages 2 Click EWC Events and the severity level. The log screen displays and the events are displayed in chronological order. raft 3 To sort the events by Timestamp, Type, or Component, click the appropriate column heading. 4 To lter the events by severity, Critical, Major, Minor, Info, and All, click the appropriate log severity. 5 To refresh the log screen, click Refresh. 6 To export the log screen, click Export. The FFile Download dialog is displayed. 7 Do one of the following:

To open the log le, click Open. To save the log le, click Save, and then navigate to the directory location you want to save the Note The component Langley is the term for the inter-process messaging infrastructure on the wireless controller. le. Click Save. Viewing Wireless Controller Station Logs To view wireless controller station logs:

1 From the top menu, click Logs. ExtremeWireless V10.41.06 User Guide 678 Logs, Traces, Audits and DHCP Messages 2 Click EEWC: Station Events. The Station Events screen displays and the events are displayed in chronological order. Note Station log generation is controlled by the Report station events on controller" check box on the wireless Controller > Logs > Logs Conguration page. aft The table is sortable on all column (ascending and descending), if you close this log window and open it again within the same GUI session, it remembers you previous column sorting option, plus it has multi-column sorting. 3 To sort by multiple columns, click the rst column, hold down the [Shift] key, and then click the next column. As many columns as you wish can be added to the sort. 4 Click on MAC addresses in Station MAC Address column to see up-to-date details about the particular station. 5 Click the Search box and enter text. The information is ltered automatically as you type and only lines which match this text in any column (on all pages) are displayed. 6 Click Refresh to refresh the log. This log doesn't refresh automatically (the same as other logs). 7 To export the Station log screen, click Export. The File Download dialog is displayed. Do one of the following:

To open the log le, click Open. To save the log le, click Save, and then navigate to the directory location you want to save the le. Click Save. ExtremeWireless V10.41.06 User Guide 679 Logs, Traces, Audits and DHCP Messages 8 Click Close to close this log window. Viewing Wireless AP Logs To view wireless AP logs:

From the top menu, click Logs. 1 2 Click AP: Logs. The WWireless AP Log screen displays and the events are displayed in chronological order. aft 3 In the Wireless AP list, click a Wireless AP to view the log events for that particular Wireless AP. 4 To sort the events by EWC time or Sev (Severity), click the appropriate column heading. 5 To lter the events by severity, Critical, Major, Minor, Information, and All, click the appropriate log severity. 6 To refresh the log screen, click Refresh. 7 To export the logs, click Export. The FFile Download dialog is displayed. 8 Do one of the following:

To open the log le, click Open. To save the log le, click Save, and then navigate to the directory location you want to save the le. Click Save. Viewing Login Logs To view administrator login logs:

ExtremeWireless V10.41.06 User Guide 680 Logs, Traces, Audits and DHCP Messages From the top menu, click Logs. 1 2 Click Login . The LLogin screen displays and the login events are displayed in chronological order. aft 3 To refresh the LLogin screen, click Refresh. Working with GuestPortal Login Logs To view GuestPortal login logs:

From the top menu, click Logs. 1 2 Click Login . The LLogin screen displays and the login events are displayed in chronological order. ExtremeWireless V10.41.06 User Guide 681 Logs, Traces, Audits and DHCP Messages 3 Click GuestPortal. The GuestPortal login events are displayed in chronological order. 4 To export the GuestPortal log information, click Export. The FFile Download dialog is displayed. 5 Do one of the following:

To open the log le, click Open. To save the log le, click Save, and then navigate to the directory location you want to save the raft 1 To generate a Tech Support le, click Logs from the top menu. The LLogs & Traces screen displays. 2 Ensure that EWC:Events is selected. le. Click Save. Working with a Tech Support File ExtremeWireless V10.41.06 User Guide 682 Logs, Traces, Audits and DHCP Messages 3 Click the Tech Support button at the bottom of the page. The GGenerate Tech Support File screen displays. 4 Select the parameters for the tech support le:

raft Wireless Controller Wireless AP Logs All No Stats If Wireless AP is selected, select this check box to include or exclude Wireless AP A warning message is displayed informing you that this operation may temporarily affect system performance. statistics in the tech support le. 5 Click Generate New Tech Support File. 6 Click OK to continue. The tech support le generation status is displayed. 7 When the le generation has completed, click Close. 8 To download the last generated Tech Support le, click Logs from the top menu. The LLogs & Traces screen displays. 9 Ensure that the EEWC tab is selected. 10 Click the Tech Support button at the bottom of the page. The GGenerate Tech Support File screen displays. 11 Click Download Last Tech Support File. The FFile Download dialog is displayed. ExtremeWireless V10.41.06 User Guide 683 Logs, Traces, Audits and DHCP Messages 12 Click Save. The SSave as window is displayed. 13 Navigate to the location you want to save the generated tech support le, and then click Save. 14 To delete a Tech Support le, click Logs from the to pmenu. The LLogs & Traces screen displays. 15 Ensure that the EEWC tab is selected. 16 Click the Tech Support button at the bottom of the page. The GGenerate Tech Support File screen displays. 17 Click List All Tech Support Files. 18 In the drop-down list, click the tech support le you want to delete. The tech support le is deleted. 19 Click Close. Viewing Wireless AP Traces D To view wireless AP traces:

From the top menu, click Logs. 1 2 Click AP: Traces. The WWireless AP trace screen displays. raft 3 In the Wireless AP list, click the Wireless AP whose trace messages you want to view. 4 Click Retrieve Traces. Depending on the browser, the FFile Download dialog appears. 5 Click Save and navigate to the location on your computer that you want to save the Wireless AP trace report. The le is saved as a .tar le. 6 To view the le, unpack the .tar le. Viewing Audit Messages To view Audit messages:

1 From the top menu, click Logs. ExtremeWireless V10.41.06 User Guide 684 Logs, Traces, Audits and DHCP Messages 2 Click Audit: UI . The AAudit screen displays and the events are displayed in chronological order. 3 To sort the events by Timestamp, User, Section, or Page, click the appropriate column heading. 4 To refresh the audit screen, click Refresh. 5 To export the audit screen, click Export. The FFile Download dialog is displayed. 6 Do one of the following:

raft To open the audit le, click Open. To save the audit le, click Save, and then navigate to the directory location you want to save the To view DHCP messages:

le. Click Save. Viewing the DHCP Messages 1 From the top menu, click Logs. The LLogs & Traces screen displays. ExtremeWireless V10.41.06 User Guide 685 Logs, Traces, Audits and DHCP Messages 2 Click Service: DHCP. The DDHCP Message screen displays and the events are displayed in chronological order. aft 3 To sort the events by timestamp, click Timestamp. 4 To refresh the DHCP message screen, click Refresh. Viewing the NTP Messages To view NTP messages:

1 From the top menu, click Logs. The LLogs & Traces screen displays. ExtremeWireless V10.41.06 User Guide 686 Logs, Traces, Audits and DHCP Messages 2 Click SService: NTP. The NNTP Message screen displays and the events are displayed in chronological order. aft 3 To sort the events by timestamp, click Timestamp. 4 To refresh the NTP message screen, click Refresh. Viewing Software Upgrade Messages The SS/W Upgrade tab displays the most recent upgrade actions, either success or failure, and the operating system patch history. Some examples of the upgrade actions that can be displayed are:

FTP failure during backup of system image Conguration reset failure Conguration export failure Conguration import details To view software upgrade messages:

1 From the top menu, click Logs. The LLogs & Traces screen displays. ExtremeWireless V10.41.06 User Guide 687 Logs, Traces, Audits and DHCP Messages 2 Click the SS/W Upgrade tab. The SS/W Upgrade message screen displays. ft 3 Do the following:

To view software upgrade messages, click Detail. To view the operating system history, click History. 4 To refresh the screen, click Refresh. 5 To export the software upgrade messages or operating system history, click Export. The FFile Download dialog is displayed. 6 Do one of the following:

To open the le, click Open. To save the le, click Save, and then navigate to the directory location you want to save the le. Click Save. ExtremeWireless V10.41.06 User Guide 688 Logs, Traces, Audits and DHCP Messages Viewing Conguration Restore/Import Messages The RRestore/Import tab displays the most recent conguration restore/import results. To view Restore/Import messages:

From the top menu, click Logs. The LLogs & Traces screen displays. 1 2 Click the RRestore/Import tab. The restore/import message screen displays. D 3 To refresh the restore/import message screen, click Refresh. 4 To export the restore/import message screen, click Export. The FFile Download dialog is displayed. 5 Do one of the following:

To open the le, click Open. To save the le, click Save, and then navigate to the directory location you want to save the le. raft Click Save. ExtremeWireless V10.41.06 User Guide 689 21 Working with GuestPortal Administration AAbout GuestPortals Adding New Guest Accounts Enabling or Disabling Guest Accounts Editing Guest Accounts Removing Guest Accounts Importing and Exporting a Guest File Viewing and Printing a GuestPortal Account Ticket Working with the Guest Portal Ticket Page Conguring Guest Password Patterns Conguring Web Session Timeouts D About GuestPortals A GuestPortal provides wireless device users with temporary guest network services. A GuestPortal is serviced by a GuestPortal-dedicated VNS. The GuestPortal-dedicated VNS is congured by an administrator with full administrator access rights. For more information, see Creating a GuestPortal VNS on page 477. raft A GuestPortal administrator is assigned to the GuestPortal Manager login group and can only create and manage guest user accounts a GuestPortal administrator cannot access any other area of the Wireless Assistant. For more information, see Dening Wireless Assistant Administrators and Login Groups on page 673. From the GuestPortal Guest Administration page of the Wireless Assistant, you can add, edit, congure, and import and export guest accounts. To add a new guest account:

Adding New Guest Accounts ExtremeWireless V10.41.06 User Guide 690 Working with GuestPortal Administration 1 Do one of the following:

If you have GuestPortal Manager rights, log onto the controller. If you have full administrator rights:

From the top menu, click VNS. The VVirtual Network Conguration screen displays. In the left pane, expand the WLAN Services pane, click the dedicated WLAN (Wireless Local Area Network) Service that provides the temporary guest network services. The WWLAN Services conguration window for that service displays. Click the Auth & Acct tab. Make sure the Mode is set to Guest Splash and then click Congure. The Conguration page displays. In the Guest Splash section, click Manage Guest Users. The Guest Splash Administration screen displays. D DDNote You have three minutes to add new guest user accounts. If that time expires, close the Guest Splash Administration screen and click Manage Guest Users again. You can also increase the Start date time to be within three minutes of the current network time. raft ExtremeWireless V10.41.06 User Guide 691 Working with GuestPortal Administration 2 In the Account Management section, click Add Guest Account. The AAdd Guest User screen displays. D 3 To enable the new guest account, select the Enabled check box. For more information, see Enabling or Disabling Guest Accounts on page 693. 4 In the Credentials section, do the following:

User Name Type a user name for the person who will use this guest account. User ID Type a user ID for the person who will use this guest account. The default user ID can raft Start date Specify the start date and time for the new guest account. Account lifetime Specify the account lifetime, in days, for the new guest account. The default 0 value species no limit to the account lifetime. Only a user with administrative privileges can change the value of the Account lifetime. Toggle between Mask/Unmask to hide or see the password. Description Type a brief description for the new guest account. 5 In the Account Settings section, do the following:

Password Type a password for the person who will use this guest account. The default be edited. password can be edited. 6 In the Session Settings section, do the following:

Session lifetime Specify a session lifetime, in hours, for the new guest account. The default 0 value species no limit to the session lifetime. The session lifetime is the allowed cumulative total in hours spent on the network during the account lifetime. Start Time Specify a start time for the session for the new guest account. End Time Specify an end time for the session for the new guest account. 7 To save your changes, click OK. ExtremeWireless V10.41.06 User Guide 692 Working with GuestPortal Administration Enabling or Disabling Guest Accounts A guest account must be enabled in order for a wireless device user to use the guest account to obtain guest network services. When a guest account is disabled, it remains in the database. A disabled guest account cannot provide access to the network. To enable or disable guest accounts:

1 Do one of the following:

If you have GuestPortal Manager rights, log onto the controller. If you have full administrator rights:

From the top menu, click VNS. The VVirtual Network Conguration screen displays. In the left pane, expand the WWLAN Services pane, click the dedicated WLAN Service that provides the temporary guest network services. The WWLAN Services conguration window for that service displays. D Click the AAuth & Acct tab, and then click Congure. The SSettings screen displays. The Guest Splash Administration screen displays. In the Guest Splash section, click Manage Guest Users. raft 2 In the guest account list, select the check box next to the user name of the guest account that you want to enable or disable. 3 In the Account Enable/Disable section, click Enable Selected Accounts or Disable Selected Accounts accordingly. A dialog is displayed requesting you to conrm your selection. 4 Click Ok. A conrmation message is displayed in the GGuest Splash Administration screen footer. Editing Guest Accounts An already existing guest account can be edited. ExtremeWireless V10.41.06 User Guide 693 Working with GuestPortal Administration To edit a guest account:

1 Do one of the following:

If you have GuestPortal Manager rights, log onto the controller. If you have full administrator rights:

From the top menu, click VNS. In the left pane, expand the WWLAN Services pane, click the dedicated WLAN Service that provides the temporary guest network services. The WWLAN Services conguration window for that service displays. Click the AAuth & Acct tab, and then click Congure. The SSettings screen displays. The GGuest Splash Administration screen displays. In the Guest Splash section, click Manage Guest Users. D raft 2 In the guest account list, select the check box next to the user name of the guest account that you want to edit. 3 In the Account Management section, click Edit Selected Accounts. 4 Edit the guest account accordingly. For more information on guest account properties, see Adding New Guest Accounts on page 690. 5 To save your changes, click OK. A conrmation message is displayed in the GGuest Splash Administration screen footer. Removing Guest Accounts An already existing guest account can be removed from the database. ExtremeWireless V10.41.06 User Guide 694 Working with GuestPortal Administration 1 To remove a guest account, do one of the following:

If you have GuestPortal Manager rights, log onto the controller. If you have full administrator rights:

From the top menu, click VNS. The VVirtual Network Conguration screen displays. In the left pane, expand the WWLAN Services pane, click the dedicated WLAN Service that provides the temporary guest network services. The WWLAN Services conguration window for that service displays. Click the AAuth & Acct tab, and then click Congure. The SSettings screen displays. In the GGuest Splash section, click Manage Guest Users. The GGuest Splash Administration screen displays. D raft 3 In the AAccount Management section, click Remove Selected Accounts. A dialog is displayed requesting you to conrm your removal. want to remove. 4 Click OK. 2 In the guest account list, select the check box next to the user name of the guest account that you A conrmation message is displayed in the GGuest Splash Administration screen footer. Importing and Exporting a Guest File To help administrators manage large numbers of guest accounts, you can import and export .csv

(comma separated value) guest les for the controller. The following describes the column values of the .csv guest le. ExtremeWireless V10.41.06 User Guide 695 Working with GuestPortal Administration Table 133: Guest Account Import and Export .csv File Values CColumn Value A B C D E F G User ID User name Password Description Account activation date Account lifetime, measured in days Session lifetime, measured in hours Is the account enabled (1) or disabled (0) H L I J Time of day, start time D Time of day, duration K Is the guest user account synchronized on a secondary controller in an availability pair, yes (1) no (0) Total session used time, measured in seconds. A user session starts when the guest user is authenticated, and ends when the guest user is disassociated. raft ExtremeWireless V10.41.06 User Guide 696 Working with GuestPortal Administration 1 To export a guest le, do one of the following:

If you have GuestPortal Manager rights, log onto the controller. If you have full administrator rights:

From the top menu, click VNS. The VVirtual Network Conguration screen displays. In the left pane, expand the WWLAN Services pane, click the dedicated WLAN Service that provides the temporary guest network services. The WWLAN Services conguration window for that service displays. Click the AAuth & Acct tab, and then click Congure. The SSettings screen displays. In the Guest Splash section, click Manage Guest Users. The GGuest Splash Administration screen displays. D raft 2 In the File Management section, click Export Guest File. A FFile Download dialog is displayed. 3 Click Save. The SSave As dialog is displayed. 4 Name the guest le, and then navigate to the location where you want to save the le. By default, the exported guest le is named exportguest.csv. 5 Click Save. The FFile Download dialog is displayed as the le is exported. 6 Click Close. A conrmation message is displayed in the GGuest Splash Administration screen footer. ExtremeWireless V10.41.06 User Guide 697 Working with GuestPortal Administration 7 To import a guest le, do one of the following:

If you have Guest Splash Manager rights, log onto the controller. If you have full administrator rights:

From the top menu, click VNS. The VVirtual Network Conguration screen displays. In the left pane, expand the WWLAN Services pane, click the dedicated WLAN Service that provides the temporary guest network services. The WWLAN Services conguration window for that service displays. Click the AAuth & Acct tab, and then click Congure. The SSettings screen displays. In the GGuest Splash section, click Manage Guest Users. The GGuestPortal Guest Administration screen displays. D raft 8 In the File Management section, click Import Guest File. The IImport Guest File dialog is displayed. 9 Click Browse to navigate to the location of the .csv guest le that you want to import, and then click The le is imported and a conrmation message is displayed in the IImport Guest File dialog. Open. 10 Click Import. 11 Click Close. Viewing and Printing a GuestPortal Account Ticket You can view and print a GuestPortal account ticket from the GGuestPortal Guest Administration screen. A GuestPortal account ticket is a print-ready form that displays the guest account information, system requirements, and instructions on how to log on to the guest account. The controller is shipped with a default template for the GuestPortal account ticket. The template is an html page that is augmented with system placeholders that display information about the user. ExtremeWireless V10.41.06 User Guide 698 Working with GuestPortal Administration You can also upload a custom GuestPortal ticket template for the controller. To upload a custom GuestPortal ticket template you need full administrator access rights on the controller. The lename of a custom GuestPortal ticket template must be .html. For more information, see Working with the Guest Portal Ticket Page on page 700. To view and print a GuestPortal account ticket:

1 Do one of the following:

If you have GuestPortal Manager rights, log onto the controller. If you have full administrator rights:

From the top menu, click VNS. The Virtual Network Conguration screen displays. In the left pane, expand the WLAN Services pane, click the dedicated WLAN Service that provides the temporary guest network services. The WLAN Services conguration window for that service displays. Click the Auth & Acct tab, and then click Congure. The SSettings screen displays. In the GuestPortal section, click Manage Guest Users. The GGuestPortal Guest Administration screen displays. D raft ExtremeWireless V10.41.06 User Guide 699 Working with GuestPortal Administration 2 In the guest account list, select the check box next to the user name whose guest account ticket you want to print a ticket, and then click Print Ticket for Selected Account. The GuestPortal ticket is displayed. D 3 Click Print. The PPrint dialog is displayed. 4 Click Print. Note The default GuestPortal ticket page uses placeholder tags. For more information, see Default GuestPortal Ticket Page on page 706. raft Note The default GuestPortal ticket page cannot be deleted. From the GuestPortal ticket page, you can activate a GuestPortal ticket page, upload a customized GuestPortal ticket page to the controller, and delete a customized GuestPortal ticket page. To work with the GuestPortal account ticket page, you need full administrator rights. You can work with the guest account ticket page from the SSettings screen. A guest account ticket is a print-ready form that displays the guest account information, system requirements, and instructions on how to log on to the guest account. Working with the Guest Portal Ticket Page Related Links Working with a Custom GuestPortal Ticket Page on page 701 Activating a GuestPortal Ticket Page on page 701 Uploading a Custom GuestPortal Ticket Page on page 701 Deleting a Custom GuestPortal Ticket Page on page 701 Example Ticket Page on page 706 ExtremeWireless V10.41.06 User Guide 700 Working with GuestPortal Administration Working with a Custom GuestPortal Ticket Page A customized GuestPortal ticket page can be uploaded to the controller. When designing your customized GuestPortal ticket page, be sure to use the guest account information placeholder tags that are depicted in the default GuestPortal ticket page. For more information, see Default GuestPortal Ticket Page on page 706. Activating a GuestPortal Ticket Page To activate a GuestPortal ticket page:

Uploading a Custom GuestPortal Ticket Page From the top menu, click VNS. 1 2 In the left pane, expand the WWLAN Services pane, click the dedicated WLAN Service that provides the temporary guest network services. The WWLAN Services conguration window for that service displays. D 3 Click the AAuth & Acct tab, and then click Congure. The Settings screen displays. 4 In the GuestPortal section, click Congure Ticket Page. The TTicket Settings dialog is displayed. 5 In the Active Template list, click the GuestPortal ticket page you want to activate, and then click Apply. This list includes all GuestPortal ticket pages that have been uploaded to the controller. raft 1 On the TTicket Settings dialog, click Browse. The CChoose le dialog is displayed. 2 Navigate to the .html GuestPortal ticket page le that you want to upload to the controller, and then The Active Template list includes all GuestPortal ticket pages that have been uploaded to the controller. click Open. The le name is displayed in the Upload Template box. 3 Click Apply. The le is uploaded to the controller. To upload a custom GuestPortal ticket page:

To delete a custom GuestPortal ticket page:

Deleting a Custom GuestPortal Ticket Page 1 On the Ticket Settings dialog, in the Active Template list, click the GuestPortal ticket page you want to delete, and then click Delete. A dialog prompts you to conrm you want to delete the GGuestPortal ticket page. 2 To delete the le, click OK, and then click Apply. Conguring Guest Password Patterns This feature makes it easier for system administrators to create password patterns that the Wireless Assistant will use to auto generate guest passwords. You can specify a predened pattern or you can ExtremeWireless V10.41.06 User Guide 701 Working with GuestPortal Administration create a customized pattern. You must have full administrative rights to generate password patterns. Select from the following password patterns:

Completely Random Sequence Two Words Phone number Postal Code Custom Pattern The generator offers three character sets: Latin (ASCII), Cyrillic, and Greek. RRelated Links To Congure a Guest Password Pattern on page 702 To Congure a Guest Password Pattern D To generate a password pattern:

From the top menu, click VNS. The Virtual Network Conguration screen displays. 1 2 In the left pane, expand the WWLAN Services pane, click the dedicated WLAN Service that provides the temporary guest network services. The WWLAN Services conguration window for that service displays. 3 Click the AAuth & Acct tab, and then click Congure. The SSettings screen displays. raft ExtremeWireless V10.41.06 User Guide 702 Working with GuestPortal Administration 4 In the GuestPortal section, click Congure Password Generator. The CCongure Password Generator screen displays. To generate a custom password pattern:

aft Note You can only type characters that are represented on the keypad. Entries in the Pattern eld are editable. From the Pattern pane, select Custom. 1 2 Select the character set and minimum password length. 3 Use the keypad to enter the pattern characters or type the pattern in the Pattern eld. The Clear key on the keypad clears the full pattern. The Clear Entry key on the keypad clears the last entered character. The password pattern displays in the Pattern eld. Copy paste this pattern into the AAdd Guest User dialog. For more information, see Adding New Guest Accounts on page 690. 5 Click Close to close the dialog and save the password pattern. 6 Click Cancel to close the dialog without saving the password pattern. ExtremeWireless V10.41.06 User Guide 703 Working with GuestPortal Administration Conguring Web Session Timeouts You can congure the time period to allow web sessions to remain inactive before timing out. To congure web session timeouts:

1 From the top menu, click Controller. The WWireless Controller Conguration screen displays. 2 In the left pane, click Administration > Web Settings The WWireless Controller Web Management Settings screen displays. D 3 In the Web Session Timeout box, type the time period to allow the web session to remain inactive before it times out. This can be entered as hour:minutes, or as minutes. The range is 1 minute to 168 hours. 4 In the GuestPortal Manager Web Session Timeout box, type the time period to allow the GuestPortal web session to remain inactive before it times out. This can be entered as hour:minutes, or as minutes. The range is 1 minute to 168 hours. raft Note Screens that auto-refresh will time-out unless a manual action takes place prior to the end of the timeout period. 5 To save your settings, click Save. ExtremeWireless V10.41.06 User Guide 704 A Regulatory Information EExtremeWireless APs 37XX , 38XX, and 39XX Warning Warnings identify essential information. Ignoring a warning can lead to problems with the application. Note For technical specications and certication information for a specic Outdoor AP refer to the appropriate AP Installation Guide. D Conguration of the ExtremeWireless AP frequencies and power output are controlled by the regional software license and proper selection of the country during initial installation and set-up. Customers are allowed to select only the proper country from their licensed regulatory domain related to that customers geographic location, performing the set-up of access points in accordance with local laws and regulations. The ExtremeWireless AP must not be operated until congured with the correct country setting or it may be in violation of the local laws and regulations. Warning Changes or modications made to the APs which are not expressly approved by Extreme Networks could void the user's authority to operate the equipment. Only authorized Extreme Networks service personnel are permitted to service the system. Procedures that must be performed only by Extreme Networks personnel are clearly identied in the respective AP guide. raft Note The APs are in compliance with the European Directive 2002/95/EC on the restriction of the use of certain hazardous substances (RoHS) in electrical and electronic equipment. For regulatory information for the ExtremeWireless AP models 37xx, 38xx, and 39XX refer to the appropriate AP Installation Guide. ExtremeWireless APs 37XX , 38XX, and 39XX ExtremeWireless V10.41.06 User Guide 705 B Default GuestPortal Ticket Page EExample Ticket Page This section provides an example ticket page with an explanation of each placeholder variable and example HTML source code. Example Ticket Page D raft Placeholders Used in the Default GuestPortal Ticket Page Table 134: Default GuestPortal Ticket Page Template Placeholders Placeholder tag Description

!GuestName

!GuestComment

!TimeOfDayStart

!TimeOfDayDuration

!SessionLifeTime

!UserID

!Password Guest Name Guest Comment Time-of-day start Time-of-day session duration Maximum session time User ID for the guest Password for the guest ExtremeWireless V10.41.06 User Guide 706 Default GuestPortal Ticket Page Table 134: Default GuestPortal Ticket Page Template Placeholders (continued) PPlaceholder tag Description

!SSID

!AccountActivationTime

!AccountLifeTime SSID to connect to Account available time Account life time Default GuestPortal Ticket Page Source Code Note The GuestPortal account information placeholders used in the html code are preceded by the ! character. D raft

<HTML>

<HEAD>

<title></title>

<meta content="text/html;charset=utf-8" http-equiv="Content-Type"/>

</HEAD>

<body style="text-align:center">

<table cellspacing="0" cellpadding="0" border="0" align="center" width="790">

<tr>

<td style="background-color:gray;color:white;font-weight:bold;font-size:

30;padding:5px"

align="center" width="790">GuestPortal</td>

</tr>

</table>

<table cellspacing="5" cellpadding="0" border="0" style="margin:0 auto">

<tr>

<td align="right"><b>Guest Name:</b></td>

<td align="left">!GuestName</td>

</tr>

<tr>

<td align="right"><b>User ID:</b></td>

<td align="left">!UserID</td>

</tr>

<tr>

<td align="right"><b>Password:</b></td>

<td align="left">!Password</td>

</tr>

<tr>

<td align="right"><b>Account Start:</b></td>

<td align="left">!AccountActivationTime</td>

</tr>

<tr>

<td align="right"><b>Duration:</b></td>

<td align="left">!AccountLifeTime</td>

</tr>

<tr>

<td align="right"><b>Valid Daily Login Time:</b></td>

<td align="left">!TimeOfDayStart -- !TimeOfDayDuration</td>

</tr>

<tr>

<td align="right"><b>Comment:</b></td>

<td align="left">!GuestComment</td>

</tr>

</table>

<div style="width:790px;margin:0 auto;text-align:left">

ExtremeWireless V10.41.06 User Guide 707 Default GuestPortal Ticket Page

<b>System Requirements:</b>

<hr width=790 size=2 noshade>

<div style="padding-left:30px">

<ul>

<li>A laptop with WLAN capabilities (801.11a/b/g). This functionality can be either embedded into your device or via a PCMCIA card.

<li>Web browser software. You can use any standard Internet browser (ie, Internet Explorer, Netscape, etc).

</ul>

</div>

</div>

<div style="width:790px;margin:10px auto;text-align:left">

<b>Instructions:</b>

<hr width=790 size=2 noshade>

<div style="padding-left:30px;">

<ul>

<li>Enable your wireless device to connect to the '!SSID'

SSID.

<li>Once connected, launch your Internet browser and you will be redirected to the Guest Access webpage.

<li>Enter the user ID and password supplied above. By logging into the network, you are accepting the terms and conditions below.

<li>You're connected!

</ul>

</div>

</div>

</div>

</body>

</HTML>

D raft ExtremeWireless V10.41.06 User Guide 7708 Glossary AACL An Access Control List is a mechanism for ltering packets at the hardware level. Packets can be classied by characteristics such as the source or destination MAC, IP address, IP type, or QoS queue. Once classied, the packets can be forwarded, counted, queued, or dropped. ad hoc mode An 802.11 networking framework in which devices or stations communicate directly with each other, without the use of an AP. ARP Basic Service Set is a wireless topology consisting of one access point connected to a wired network and a set of wireless devices. Also called an infrastructure network. See also IBSS (Independent Basic Service Set). Address Resolution Protocol is part of the TCP/IP suite used to dynamically associate a device's physical address (MAC address) with its logical address (IP address). The system broadcasts an ARP request, containing the IP address, and the device with that IP address sends back its MAC address so that traffic can be transmitted. D Asynchronous Transmission Mode is a start/stop transmission in which each character is preceded by a start signal and followed by one or more stop signals. A variable time interval can exist between characters. ATM is the preferred technology for the transfer of images. raft Challenge-Handshake Authentication Protocol is one of the two main authentication protocols used to verify a user's name and password for PPP Internet connections. CHAP is more secure because it performs a three-way handshake during the initial link establishment between the home and remote machines. It can also repeat the authentication anytime after the link has been established. Chalet is a web-based user interface for setting up and viewing information about a switch, removing the need to enter common commands individually in the CLI. Command Line Interface. The CLI provides an environment to issue commands to monitor and manage switches and wireless appliances. ATM BSS Chalet CHAP CLI CoS Class of Service species the service level for the classied traffic type. Data Center Connect DCC, formerly known as DCM (Data Center Manager), is a data center fabric management and automation tool that improves the efficiency of managing a large virtual and physical network. DCC provides an integrated view of the server, storage, and networking operations, removing the need to use multiple tools and management systems. DCC automates VM assignment, allocates appropriate ExtremeWireless V10.41.06 User Guide 709 Glossary network resources, and applies individual policies to various data objects in the switching fabric

(reducing VM sprawl). Learn more about DCC at http://www.extremenetworks.com/product/data-

center-connect/. DDHCP Dynamic Host Conguration Protocol allows network administrators to centrally manage and automate the assignment of IP addresses on the corporate network. DHCP sends a new IP address when a computer is plugged into a different place in the network. The protocol supports static or dynamic IP addresses and can dynamically recongure networks in which there are more computers than there are available IP addresses. DoS attack DSSS Denial of Service attacks occur when a critical network or computing resource is overwhelmed so that legitimate requests for service cannot succeed. In its simplest form, a DoS attack is indistinguishable from normal heavy traffic. ExtremeXOS software has congurable parameters that allow you to defeat DoS attacks. D Direct-Sequence Spread Spectrum is a transmission technology used in Local Area Wireless Network

(LAWN) transmissions where a data signal at the sending station is combined with a higher data rate bit sequence, or chipping code, that divides the user data according to a spreading ratio. The chipping code is a redundant bit pattern for each bit that is transmitted, which increases the signal's resistance to interference. If one or more bits in the pattern are damaged during transmission, the original data can be recovered due to the redundancy of the transmission. (Compare with FHSS (Frequency-Hopping Spread Spectrum).) raft IEEE 802.1x species how EAP should be encapsulated in LAN frames. In wireless communications using EAP, a user requests connection to a WLAN through an access point, which then requests the identity of the user and transmits that identity to an authentication server such as RADIUS The server asks the access point for proof of identity, which the access point gets from the user and then sends back to the server to complete the authentication. EAP-TLS Extensible Authentication Protocol - Transport Layer Security. A general protocol for authentication that also supports multiple authentication methods, such as token cards, Kerberos, one-

time passwords, certicates, public key authentication and smart cards. EAP-TLS provides for certicate-based and mutual authentication of the client and the network. It relies on client-side and server-side certicates to perform authentication and can be used to dynamically generate user-based and session-based WEP keys. EAP-TLS/EAP-TTLS EAP-TTLS (Tunneled Transport Layer Security) is an extension of EAP-TLS to provide certicate-based, mutual authentication of the client and network through an encrypted tunnel, as well as to generate dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server-side certicates.

(See also PEAP (Protected Extensible Authentication Protocol).) ESRP Extreme Standby Router Protocol is an Extreme Networks-proprietary protocol that provides redundant Layer 2 and routing services to users. ExtremeWireless V10.41.06 User Guide 710 Glossary EExtreme Access Control EAC, formerly NAC, featuring both physical and virtual appliances, is a pre- and post-connect solution for wired and wireless LAN and VPN users. Using Identity and Access appliances and/or Identity and Access Virtual Appliance with the XMC (Extreme Management Center) software, you can ensure only the right users have access to the right information from the right place at the right time. EAC is tightly integrated with the Intrusion Prevention System (IPS) and Security Information and Event Manager

(SIEM) to deliver best-in-class post-connect access control. Learn more about EAC at http://

www.extremenetworks.com/product/extreme-access-control/. Extreme Application Analytics Extreme Management Center EAA, formerly Purview, is a network powered application analytics and optimization solution that captures and analyzes context-based application traffic to deliver meaningful intelligence about applications, users, locations, and devices. EAA provides data to show how applications are being used. This can be used to better understand customer behavior on the network, identify the level of user engagement, and assure business application delivery to optimize the user experience. The software also provides visibility into network and application performance allowing IT to pinpoint and resolve performance issues in the infrastructure whether they are caused by the network, application, or server. Learn more about EAA at http://www.extremenetworks.com/product/extremeanalytics/. D Extreme Management Center (Extreme Management Center), formerly Netsight, is a web-based control interface that provides centralized visibility into your network. Extreme Management Center reaches beyond ports, VLANs, and SSIDs and provides detailed control of individual users, applications, and protocols. When coupled with wireless and Identity & Access Management products, Extreme Management Center becomes the central location for monitoring and managing all the components in the infrastructure. Learn more about Extreme Management Center at http://

www.extremenetworks.com/product/management-center/. raft ExtremeCloud is a cloud-based network management Software as a Service (SaaS) tool. ExtremeCloud allows you to manage users, wired and wireless devices, and applications on corporate and guest networks. You can control the user experience with smarter edges including managing QoS, call admission control, secure access policies, rate limiting, multicast, ltering, and traffic forwarding, all from an intuitive web interface. Learn more about ExtremeCloud at http://www.extremenetworks.com/

product/extremecloud/. ExtremeSwitching is the family of products comprising different switch types: MModular (X8 and 8000 series [formerly BlackDiamond] and S and K series switches); SStackable (X-series and A, B, C, and 7100 series switches); SStandalone (SSA, X430, and D, 200, 800, and ISW series); and MMobile Backhaul (E4G). Learn more about ExtremeSwitching at http://www.extremenetworks.com/products/switching-

routing/. ExtremeSwitching ExtremeCloud ExtremeWireless ExtremeWireless products and solutions offer high-density WiFi access, connecting your organization with employees, partners, and customers everywhere they go. The family of wireless products and solutions includes APs, wireless appliances, and software. Learn more about ExtremeWireless at http://

www.extremenetworks.com/products/wireless/. ExtremeWireless V10.41.06 User Guide 711 Glossary EExtremeXOS ExtremeXOS, a modular switch operating system, is designed from the ground up to meet the needs of large cloud and private data centers, service providers, converged enterprise edge networks, and everything in between. Based on a resilient architecture and protocols, ExtremeXOS supports network virtualization and standards-based SDN capabilities like VXLAN gateway, OpenFlow, and OpenStack Cloud orchestration. ExtremeXOS also supports comprehensive role-based policy. Learn more about ExtremeXOS at http://www.extremenetworks.com/product/extremexos-network-operating-system/. FHSS Frequency-Hopping Spread Spectrum is a transmission technology used in Local Area Wireless Network (LAWN) transmissions where the data signal is modulated with a narrowband carrier signal that 'hops' in a random but predictable sequence from frequency to frequency as a function of time over a wide band of frequencies. This technique reduces interference. If synchronized properly, a single logical channel is maintained. (Compare with DSSS (Direct-Sequence Spread Spectrum).) D An IBSS is the 802.11 term for an ad hoc network. See ad hoc mode. IBSS ICMP Internet Control Message Protocol is the part of the TCP/IP protocol that allows generation of error messages, test packets, and operating messages. For example, the ping command allows you to send ICMP echo messages to a remote IP device to test for connectivity. ICMP also supports traceroute, which identies intermediate hops between a given source and destination. Hosts use Internet Group Management Protocol to inform local routers of their membership in multicast groups. Multicasting allows one computer on the Internet to send content to multiple other computers that have identied themselves as interested in receiving the originating computer's content. When all hosts leave a group, the router no longer forwards packets that arrive for the multicast group. raft A Link Aggregation Group is the logical high-bandwidth link that results from grouping multiple network links in link aggregation (or load sharing). You can congure static LAGs or dynamic LAGs

(using the LACP). Link Layer Discovery Protocol conforms to IEEE 802.1ab and is a neighbor discovery protocol. Each LLDP-enabled device transmits information to its neighbors, including chassis and port identication, system name and description, VLAN names, and other selected networking information. The protocol also species timing intervals in order to ensure current information is being transmitted and received. Message-Digest algorithm is a hash function that is commonly used to generate a 128-bit hash value. It was designed by Ron Rivest in 1991. MD5 is officially dened in RFC 1321 - The MD5 Message-Digest Algorithm. Message Integrity Check (or Code), also called Michael, is part of WPA and TKIP. The MIC is an additional 8-byte code inserted before the standard 4-byte ICV appended in by standard WEP to the IGMP LAG LLDP MD5 MIC ExtremeWireless V10.41.06 User Guide 712 Glossary 802.11 message. This greatly increases the difficulty in carrying out forgery attacks. Both integrity check mechanisms are calculated by the receiver and compared against the values sent by the sender in the frame. If the values match, there is assurance that the message has not been tampered with. nnetmask A netmask is a string of 0s and 1s that mask, or screen out, the network part of an IP address, so that only the host computer part of the address remains. A frequently-used netmask is 255.255.255.0, used for a Class C subnet (one with up to 255 host computers). The ".0" in the netmask allows the specic host computer address to be visible. OSPF An interior gateway routing protocol for TCP/IP networks, Open Shortest Path First uses a link state routing algorithm that calculates routes for packets based on a number of factors, including least hops, speed of transmission lines, and congestion delays. You can also congure certain cost metrics for the algorithm. This protocol is more efficient and scalable than vector-distance routing protocols. OSPF features include least-cost routing, ECMP routing, and load balancing. Although OSPF requires CPU power and memory space, it results in smaller, less frequent router table updates throughout the network. This protocol is more efficient and scalable than vector-distance routing protocols. D Protected Extensible Authentication Protocol is an IETF draft standard to authenticate wireless LAN clients without requiring them to have certicates. In PEAP authentication, rst the user authenticates the authentication server, then the authentication server authenticates the user. If the rst phase is successful, the user is then authenticated over the SSL tunnel created in phase one using EAP-Generic Token Card (EAP-GTC) or Microsoft Challenged Handshake Protocol Version 2 (MSCHAP V2). (See also EAP-TLS/EAP-TTLS.) raft Simple Network Management Protocol is a standard that uses a common software agent to remotely monitor and set network conguration and runtime parameters. SNMP operates in a multivendor environment, and the agent uses MIBs, which dene what information is available from any manageable network device. You can also set traps using SNMP, which send notications of network events to the system log. The Power over Ethernet standard (IEEE 802.3af) denes how power can be provided to network devices over existing Ethernet connections, eliminating the need for additional external power supplies. PEAP PoE SNMP SSL Secure Socket Layer is a protocol for transmitting private documents using the Internet. SSL works by using a public key to encrypt data that is transferred over the SSL connection. SSL uses the public-and-

private key encryption system, which includes the use of a digital certicate. SSL is used for other applications than SSH, for example, OpenFlow. syslog A protocol used for the transmission of event notication messages across networks, originally developed on the University of California Berkeley Software Distribution (BSD) TCP/IP system implementations, and now embedded in many other operating systems and networked devices. A ExtremeWireless V10.41.06 User Guide 713 Glossary device generates a messages, a relay receives and forwards the messages, and a collector (a syslog server) receives the messages without relaying them. syslog uses the UDP as its underlying transport layer mechanism. The UDP port that has been assigned to syslog is 514. (RFC 3164) VVLAN The term VLAN is used to refer to a collection of devices that communicate as if they are on the same physical LAN. Any set of ports (including all ports on the switch) is considered a VLAN. LAN segments are not restricted by the hardware that physically connects them. The segments are dened by exible user groups you create with the CLI. WLAN Wireless Local Area Network. D raft ExtremeWireless V10.41.06 User Guide 714

 

 

Installing the ExtremeWireless AP3917i/e Access Point Overview of the AP3917i/e The AP3917 is an IP67 rated Access Point with 802.11ac dual band 2:2 radios. The AP3917 is easy to install, lightweight, and is available in an internal

(AP3917i) and external (AP3917e) antenna model. Each model includes 802.11 radios, an IoT radio, and a GPS radio. The AP3917 model comes in two models:

AP3917i and AP3917e. In this document, the functionality, feature, and the procedure applies to both the models when AP3917i/e is used. Note: The AP3917i/e requires a minimum base firmware of 10.41. The AP3917i/e model has the following features:

Radios: 2 radios (2.4GHz and 5GHz); 1 IoT/BLE/802.15.4 Radio (2.4 GHz) Console Port: RJ45 One RJ45, 10/100/1000 Ethernet Port (GE1) with PoE One RJ45, 10/100/1000Mb Ethernet Port (GE2) LEDs: 4 (see Figure 1) One Reset button Power: PoE 802.3af or 802.3at GPS Receiver (will be supported via a future firmware release) Antennas:

IP67 Connectors on all ports AP3917i - 5 internal antennas (four band locked antennas and one BLE antenna). The polarization on one antenna of each radio can be configured by the installer. AP3917e- 5 external antennas (four single band antennas and one BLE antenna) Temperature: -40 to 70*C ambient temperature Enclosure: Cast Aluminum base and PC cover Figure 1 indicates AP3917i. In Figure 2, you can see AP3917e. Figure 1 Top and Side Views of AP3917i 1 IoT/BLE Radio 2 Radio - 5 GHz 3 Radio - 2.4 GHz 4 Status 5 GE1 (PoE IN) 6 GE2 7 Console/Reset 8 Vent Figure 2 Top and Side Views of AP3917e 1 IoT/BLE Radio 2 Radio - 5 GHz 3 Radio - 2.4 GHz 4 Status 5 GE1 (PoE IN) 6 GE2 7 Console/Reset 8 2.4 G - Antenna 1 and 2 9 Vent 10 5G - Antenna 1 11 BLE/802.15.4 Antenna 12 5 G - Antenna 2 LEDs on the Front of the AP Both the Radio LEDs will be Green when they are ON and the LEDs will not have any lights when they are OFF. Blue LED indicates the IoT status. For detailed installation information about the AP3917i/e, see the ExtremeWireless AP3917i/e Installation Guide. Table 1 shows ways to power the AP3917i/e. Table 1 Powering the AP3917i/e Power Source Description Power over Ethernet

(PoE) Power is provided through the RJ45 Ethernet port (GE1 port). Verifying the AP3917i/e Box Contents Verify the contents of the box and ensure that the following items are available:

Table 2 Contents of the AP3917i/e Box Quantity Item AP3917i/e Quick Reference Guide Cloud Quick Start Card 1 1 The following hardware is included:

1 1 M4 screw assembly with star washer Ring terminal Mounting and Connecting the AP Electrical Hazard: Only qualified personnel should perform installation procedures. Use these instructions as guidelines for mounting and connecting the AP3917i/e easily and safely. The AP3917i/e mounting brackets are sold separately. For more information about installing the optional bracket and the adapter, see the ExtremeWireless AP3917i/e Installation Guide. For installation videos of the AP, see www.extremenetworks.com/support/. Mounting the AP3917i/e The installation of the AP3917i/e should be performed by a professional installer to ensure proper operation and compliance with local safety guidelines. The access point can be mounted to a wall, girder, ceiling, pole or vehicle using the appropriate bracket. Positioning the AP for Installation Mount the AP so that the glands are on the side of the AP closest to the ground, and not above the plastic cover. You must provide a 3-inch drip loop on all cables. Note: Do not remove the dust cap until you need to install the BLE/

IoT antennas. Attach the Ground Wire Use the M4 ground screw assembly, with the star washer, to attach the ground wires ring terminal to the back of the AP. The wire should be as close to the AP bottom as possible. Tighten the screw to a torque of 13.0-13.5 in-

lbs. Note: Attach the H bracket after attaching the ground wire onto the AP. Once you tighten the torque, tighten the ground screws, and attach the LAN cable. Mounting the AP3917i/e to a Wall Note: The H type Mounting Bracket (WS-MBO-H01) is sold as a separate accessory (ordering part #30519). 1 Using the mounting bracket as a guide, mark the location for the mounting screws. The wall bracket provides eight attachment holes. Use four (one in each corner), Place the bracket and mark the four hole centers. 2 Drill four holes into the wall as follows:

for installing the AP on a masonry wall, use a 5/16 diameter bit. for other materials, use the appropriate drill for the screws being used. 3 For masonry installations, drill at least 1/8 (3mm) past the depth of the screw, or bolt, being used, and place four anchor assemblies into the holes. 4 Attach the AP to the H Bracket:

a Use 4 M4 screw assemblies to attach the AP to the H bracket on the side that does not have the PEM stand-offs. b Tighten the four screws to a torque of 13.0-13.5 in-lbs. Figure 3 Attaching the H Bracket to the AP 5 Secure the anchors to the wall, then secure the bracket to the anchors. 6 If using #10 screws, tighten them to a torque of 25 in-lbs. If using screws, tighten them to 45 in-lbs. Figure 4 AP3917i/AP3917e Wall Mount H Bracket Mounting the AP3917i/e to a Pole Note: The Pole Mounting Bracket (WS-MBO-POLE01) is sold as a separate accessory (ordering part #30520). 1 Determine the diameter of the pole. Pole Diameter

<= 2.5 (63.5mm) 5 - 7 (178mm) Cable Clamp Size Use small cable clamp. Use large cable clamp For other pole diameters, provide your own stainless steel cable clamp. The band must be (12.7mm) wide. 2 Attach the AP to the Pole Mount bracket using four M4 screws. Tighten the four screws to a torque of 13.0-13.5 in-lbs. Figure 5 Attaching a Pole Bracket to the AP 3 Attach the cable clamp to the pole bracket. Open the cable clamp by turning a flat bladed screwdriver counterclockwise. Then, insert the non-

clamp end into the pole bracket through the holes. Note: It is easier to install both clamps before attaching to the pole. 4 Put the metal band around the pole and insert it into the clamp. Turn the clamp screw clockwise, tightening the band around the pole. Figure 6 AP with Mounting BracketVertical Pole Mounting the AP3917i/e to a Wall/Pole using the WS-MBO-ART01 2 Axis Extension Arm You can mount the AP3917i/e to a wall or a pole using a 10 extension arm

(WS-MBO-ART01, ordering part #30514). For mounting and installation instructions, refer to the ExtremeWireless AP3917i/e Installation Guide. Installing External Antennas 1 Professionally install the external antennas intended for area coverage. For information about antenna selection and installation, refer to the External Antenna Site Preparation and Installation Guide. 2 Attach the external antenna cables to the Standard Polarity Type-N connectors on the AP3917i/e. Connecting a Power Source to the AP3917i/e If you need to power the AP3917i/e, you can do so my using the GE1 port on the AP. The power LED on the front face of the AP illuminates when the device is connected to a power source. Refer to the ExtremeWireless AP3917i/e Installation Guide for information. LAN/Console Connections The AP3917i/e has one LAN (Ethernet) port and a Console port. Refer to Figure 1 for the location of these ports. During administration and maintenance through the LAN or Console, the AP must still have a power connection through either an Ethernet PoE cable or a DC power supply. Professional Installation Instruction Installation personnel This product is designed for specific application and needs to be installed by a qualified personnel who has RF and related rule knowledge. The general user shall not attempt to install or change the setting. Installation location The product shall be installed at a location where the radiating antenna can be kept 20 cm for AP3917i and 35 cm for AP3917e (FCC) and 20 cm for AP3917i and 42 cm for AP3917e (ISED) from nearby person in normal operation condition to meet regulatory RF exposure requirement. External antenna Use only the antennas which have been approved by the applicant. The non-

approved antenna(s) may produce unwanted spurious or excessive RF transmitting power which may lead to the violation of FCC/ISED limit and is prohibited. Installation procedure Please refer to users manual for the detail. Warning: Please carefully select the installation position and make sure that the final output power does not exceed the limit set force in relevant rules. The violation of the rule could lead to serious federal penalty. Instructions d'installation professionnelle Installation Ce produit est destine a un usage specifique et doit etre installe par un personnel qualifie maitrisant les radiofrequences et les regles s'y rapportant. L'installation et les reglages ne doivent pas etre modifies par l'utilisateur final. Emplacement d'installation En usage normal, afin de respecter les exigences reglementaires concernant l'exposition aux radiofrequences, ce produit doit etre installe de facon a respecter une distance de 20 cm pour AP3917i et 35cm pour AP3917e (FCC) et 20 cm pour AP3917i et 42cm pour AP3917e (ISED) entre l'antenne emettrice et les personnes. Antenn externe Utiliser uniiquement les antennes approuvees par le fabricant. L'utilisation d'autres antennes peut conduire a un niveau de rayonnement essentiel ou non 2 le gain maximal d'antenne permis (pour les dispositifs utilisant la bande de 5725 5 850 MHz) doit tre conforme la limite de la p.i.r.e. spcifie pour l'exploitation point point et lexploitation non point point, selon le cas;

3 De plus, les utilisateurs devraient aussi tre aviss que les utilisateurs de radars de haute puissance sont dsigns utilisateurs principaux (c.--d., quils ont la priorit) pour les bandes 5650-5850 MHz et que ces radars pourraient causer du brouillage et/ou des dommages aux dispositifs LAN-

EL. Warning: IC Radiation Exposure Statement: This equipment complies with ISED radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm for AP3917i and 42 cm for AP3917e between the radiator & your body. Warning: Dclaration d'exposition aux radiations: Cet quipement est conforme aux limites d'exposition aux rayonnements ISED tablies pour un environnement non contrl. Cet quipement doit tre install et utilis avec un minimum de 20 cm pour AP3917i et 42 cm pourAP3917e de distance entre la source de rayonnement et votre corps. essentiel depassant les niveaux limites definis par FCC/ISED, ce qui est interdit. Procedure d'installation Consulter le manuel d'utilisation. Warning: Avertissement: Choisir avec soin la position d'installation et s'assurer que la puissance de sortie ne depasse pas les limites en vigueur. La violation de cette regle peut conduire a de serieuses penalites federales. Regulatory and Compliance Information Safety Guidelines This section contains notices that are intended to protect your personal safety and prevent damage to the equipment. Qualified Personnel:

Electrical Hazard: Only qualified personnel should perform installation procedures. Within the context of the safety notes in this documentation, qualified persons are defined as persons who are authorized to commission, ground and label devices, systems, and circuits in accordance with established safety practices and standards. A qualified person understands the requirements and risks involved with installing electrical equipment in accordance with national codes. Federal Communications Commission (FCC) Notice This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:

Reorient or relocate the receiving antenna. Connect the equipment into an outlet on a circuit different from that to Increase the separation between the equipment and receiver. which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. This device meets all the other requirements specified in Part 15E, Section 15.407 of the FCC Rules. Warning: FCC Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm for AP3917i and 35 cm for AP3917e between the radiator & your body. Industry Canada Notice This radio transmitter (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) has been approved by ISED to operate with the antenna type listed below with maximum permissible gain indicated. Antenna types not included in this list, having a gain greater than the maximum gain indicated for that type, are strictly prohibited for use with this device. Le prsent metteur radio (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) a t approuv par ISED pour fonctionner avec les types d'antenne numrs ci-dessous et ayant un gain admissible maximal. Les types d'antenne non inclus dans cette liste, et dont le gain est suprieur au gain maximal indiqu, sont strictement interdits pour l'exploitation de l'metteur. This device complies with ISEDs licence-exempt RSSs. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. Le prsent appareil est conforme aux CNR d ISED applicables aux appareils radio exempts de licence. Lexploitation est autorise aux deux conditions suivantes : (1) le dispositif ne doit pas produire de brouillage prjudiciable, et

(2) ce dispositif doit accepter tout brouillage reu, y compris un brouillage susceptible de provoquer un fonctionnement indsirable. Caution :

1 The device for operation in the band 5150-5250 MHz is only for indoor use to reduce the potential for harmful interference to co-channel mobile satellite systems;

2 The maximum antenna gain permitted for devices in the band 5725-5850 MHz shall be such that the equipment still complies with the e.i.r.p. limits specified for point-to-point and non-point-to-point operation as appropriate; and 3 Users should also be advised that high-power radars are allocated as primary users (i.e. priority users) of the bands 5650-5850 MHz and that these radars could cause interference and/or damage to LE-LAN devices. Avertissement:

1 les dispositifs fonctionnant dans la bande 5150-5250 MHz sont rservs uniquement pour une utilisation lintrieur afin de rduire les risques de brouillage prjudiciable aux systmes de satellites mobiles utilisant les mmes canaux;

4.9G Antenna for Item 6 and Item 11 will be secondary primary permanent fixed operations use only. European Waste Electrical and Electronic Equipment

(WEEE) Notice In accordance with Directive 2012/19/EU of the European Parliament on waste electrical and electronic equipment (WEEE):

1 The symbol above indicates that separate collection of electrical and electronic equipment is required. 2 When this product has reached the end of its serviceable life, it cannot be disposed of as unsorted municipal waste. It must be collected and treated separately. 3 It has been determined by the European Parliament that there are potential negative effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment. 4 It is the users responsibility to utilize the available collection system to ensure WEEE is properly treated. For information about the available collection system, please contact Extreme Customer Support at +353 61 705500 (Ireland). Hazardous Substances This product complies with the requirements of Directive 2011/65/EU of the European Parliament and of the Council of 8 June 2011 on the restriction of the use of certain hazardous substances in electrical and electronic equipment. Declaration of Conformity in Languages of the European Community English Finnish Dutch Hereby, Extreme Networks, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Valmistaja Extreme Networks vakuuttaa tten ett Radio LAN device tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja sit koskevien direktiivin muiden ehtojen mukainen. Hierbij verklaart Extreme Networks dat het toestel Radio LAN device in overeenstemming is met de essentile eisen en de andere relevante bepalingen van richtlijn 1999/5/EG. Bij deze verklaart Extreme Networks dat deze Radio LAN device voldoet aan de essentile eisen en aan de overige relevante bepalingen van Richtlijn 1999/5/EC. French Par la prsente Extreme Networks dclare que l'appareil Radio LAN device est conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999/5/CE. Swedish Danish German Greek Icelandic Italian Spanish Portuguese Malti Par la prsente, Extreme Networks dclare que ce Radio LAN device est conforme aux exigences essentielles et aux autres dispositions de la directive 1999/5/CE qui lui sont applicables. Hrmed intygar Extreme Networks att denna Radio LAN device str I verensstmmelse med de vsentliga egenskapskrav och vriga relevanta bestmmelser som framgr av direktiv 1999/5/EG. Undertegnede Extreme Networks erklrer herved, at flgende udstyr Radio LAN device overholder de vsentlige krav og vrige relevante krav i direktiv 1999/5/EF. Hiermit erklrt Extreme Networks die bereinstimmung des "WLAN Wireless Controller bzw. Access Points" mit den grundlegenden Anforderungen und den anderen relevanten Festlegungen der Richtlinie 1999/5/EG. Extreme Networks Radio LAN device 1999/5/

. Extreme Networks lysir her med yfir a thessi bunadur, Radio LAN device, uppfyllir allar grunnkrofur, sem gerdar eru i R&TTE tilskipun ESB nr 1999/5/EC. Con la presente Extreme Networks dichiara che questo Radio LAN device conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE. Por medio de la presente Extreme Networks declara que el Radio LAN device cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE. Extreme Networks declara que este Radio LAN device est conforme com os requisitos essenciais e outras disposies da Directiva 1999/5/

CE. Hawnhekk, Extreme Networks, jiddikjara li dan Radio LAN device jikkonforma mal-htigijiet essenzjali u ma provvedimenti ohrajn relevanti li hemm fid-Dirrettiva 1999/5/EC. ExtremeWirelessTM Access Points Quick Reference P/N 31050 WS-AP3917i-FCC P/N 31051 WS-AP3917i-ROW P/N 31055 WS-AP3917e-FCC P/N 31056 WS-AP3917e-ROW Notice Copyright 2017 Extreme Networks, Inc. All Rights Reserved. Legal Notices Extreme Networks, Inc., on behalf of or through its wholly-owned subsidiary, Enterasys Networks, Inc., reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice. Trademarks Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information on Extreme Networks trademarks, please see:

www.extremenetworks.com/company/legal/trademarks/

Documentation & Support For product support, including documentation, visit:

www.extremenetworks.com/support/

P/N 9035165-03

 

 

Installing the ExtremeWireless AP3917i/e Access Point Overview of the AP3917i/e The AP3917 is an IP67 rated Access Point with 802.11ac dual band 2:2 radios. The AP3917 is easy to install, lightweight, and is available in an internal

(AP3917i) and external (AP3917e) antenna model. Each model includes 802.11 radios, an IoT radio, and a GPS radio. The AP3917 model comes in two models:

AP3917i and AP3917e. In this document, the functionality, feature, and the procedure applies to both the models when AP3917i/e is used. Note: The AP3917i/e requires a minimum base firmware of 10.41. The AP3917i/e model has the following features:

Radios: 2 radios (2.4GHz and 5GHz); 1 IoT/BLE/802.15.4 Radio (2.4 GHz) Console Port: RJ45 One RJ45, 10/100/1000 Ethernet Port (GE1) with PoE One RJ45, 10/100/1000Mb Ethernet Port (GE2) LEDs: 4 (see Figure 1) One Reset button Power: PoE 802.3af or 802.3at GPS Receiver (will be supported via a future firmware release) Antennas:

IP67 Connectors on all ports AP3917i - 5 internal antennas (four band locked antennas and one BLE antenna). The polarization on one antenna of each radio can be configured by the installer. AP3917e- 5 external antennas (four single band antennas and one BLE antenna) Temperature: -40 to 70*C ambient temperature Enclosure: Cast Aluminum base and PC cover Figure 1 indicates AP3917i. In Figure 2, you can see AP3917e. Figure 1 Top and Side Views of AP3917i 1 IoT/BLE Radio 2 Radio - 5 GHz 3 Radio - 2.4 GHz 4 Status 5 GE1 (PoE IN) 6 GE2 7 Console/Reset 8 Vent Figure 2 Top and Side Views of AP3917e 1 IoT/BLE Radio 2 Radio - 5 GHz 3 Radio - 2.4 GHz 4 Status 5 GE1 (PoE IN) 6 GE2 7 Console/Reset 8 2.4 G - Antenna 1 and 2 9 Vent 10 5G - Antenna 1 11 BLE/802.15.4 Antenna 12 5 G - Antenna 2 LEDs on the Front of the AP Both the Radio LEDs will be Green when they are ON and the LEDs will not have any lights when they are OFF. Blue LED indicates the IoT status. For detailed installation information about the AP3917i/e, see the ExtremeWireless AP3917i/e Installation Guide. Table 1 shows ways to power the AP3917i/e. Table 1 Powering the AP3917i/e Power Source Description Power over Ethernet

(PoE) Power is provided through the RJ45 Ethernet port (GE1 port). Verifying the AP3917i/e Box Contents Verify the contents of the box and ensure that the following items are available:

Table 2 Contents of the AP3917i/e Box Quantity Item AP3917i/e Quick Reference Guide Cloud Quick Start Card 1 1 The following hardware is included:

1 1 M4 screw assembly with star washer Ring terminal for installing the AP on a masonry wall, use a 5/16 diameter bit. for other materials, use the appropriate drill for the screws being used. 3 For masonry installations, drill at least 1/8 (3mm) past the depth of the screw, or bolt, being used, and place four anchor assemblies into the holes. 4 Attach the AP to the H Bracket:

a Use 4 M4 screw assemblies to attach the AP to the H bracket on the side that does not have the PEM stand-offs. b Tighten the four screws to a torque of 13.0-13.5 in-lbs. Figure 3 Attaching the H Bracket to the AP 5 Secure the anchors to the wall, then secure the bracket to the anchors. 6 If using #10 screws, tighten them to a torque of 25 in-lbs. If using screws, tighten them to 45 in-lbs. Figure 4 AP3917i/AP3917e Wall Mount H Bracket Mounting and Connecting the AP Electrical Hazard: Only qualified personnel should perform installation procedures. Mounting the AP3917i/e to a Pole Use these instructions as guidelines for mounting and connecting the AP3917i/e easily and safely. The AP3917i/e mounting brackets are sold separately. For more information about installing the optional bracket and the adapter, see the ExtremeWireless AP3917i/e Installation Guide. For installation videos of the AP, see www.extremenetworks.com/support/. Mounting the AP3917i/e The installation of the AP3917i/e should be performed by a professional installer to ensure proper operation and compliance with local safety guidelines. The access point can be mounted to a wall, girder, ceiling, pole or vehicle using the appropriate bracket. Positioning the AP for Installation Mount the AP so that the glands are on the side of the AP closest to the ground, and not above the plastic cover. You must provide a 3-inch drip loop on all cables. Note: Do not remove the dust cap until you need to install the BLE/

IoT antennas. Attach the Ground Wire Use the M4 ground screw assembly, with the star washer, to attach the ground wires ring terminal to the back of the AP. The wire should be as close to the AP bottom as possible. Tighten the screw to a torque of 13.0-13.5 in-

lbs. Note: Attach the H bracket after attaching the ground wire onto the AP. Once you tighten the torque, tighten the ground screws, and attach the LAN cable. Mounting the AP3917i/e to a Wall Note: The H type Mounting Bracket (WS-MBO-H01) is sold as a separate accessory (ordering part #30519). 1 Using the mounting bracket as a guide, mark the location for the mounting screws. The wall bracket provides eight attachment holes. Use four (one in each corner), Place the bracket and mark the four hole centers. 2 Drill four holes into the wall as follows:

Note: The Pole Mounting Bracket (WS-MBO-POLE01) is sold as a separate accessory (ordering part #30520). 1 Determine the diameter of the pole. Pole Diameter

<= 2.5 (63.5mm) 5 - 7 (178mm) Cable Clamp Size Use small cable clamp. Use large cable clamp For other pole diameters, provide your own stainless steel cable clamp. The band must be (12.7mm) wide. 2 Attach the AP to the Pole Mount bracket using four M4 screws. Tighten the four screws to a torque of 13.0-13.5 in-lbs. Figure 5 Attaching a Pole Bracket to the AP 3 Attach the cable clamp to the pole bracket. Open the cable clamp by turning a flat bladed screwdriver counterclockwise. Then, insert the non-

clamp end into the pole bracket through the holes. Note: It is easier to install both clamps before attaching to the pole. 4 Put the metal band around the pole and insert it into the clamp. Turn the clamp screw clockwise, tightening the band around the pole. Figure 6 AP with Mounting BracketVertical Pole Mounting the AP3917i/e to a Wall/Pole using the WS-MBO-ART01 2 Axis Extension Arm You can mount the AP3917i/e to a wall or a pole using a 10 extension arm

(WS-MBO-ART01, ordering part #30514). For mounting and installation instructions, refer to the ExtremeWireless AP3917i/e Installation Guide. Installing External Antennas 1 Professionally install the external antennas intended for area coverage. For information about antenna selection and installation, refer to the External Antenna Site Preparation and Installation Guide. 2 Attach the external antenna cables to the Standard Polarity Type-N connectors on the AP3917i/e. Connecting a Power Source to the AP3917i/e If you need to power the AP3917i/e, you can do so my using the GE1 port on the AP. The power LED on the front face of the AP illuminates when the device is connected to a power source. Refer to the ExtremeWireless AP3917i/e Installation Guide for information. LAN/Console Connections The AP3917i/e has one LAN (Ethernet) port and a Console port. Refer to Figure 1 for the location of these ports. During administration and maintenance through the LAN or Console, the AP must still have a power connection through either an Ethernet PoE cable or a DC power supply. Professional Installation Instruction Installation personnel This product is designed for specific application and needs to be installed by a qualified personnel who has RF and related rule knowledge. The general user shall not attempt to install or change the setting. Installation location The product shall be installed at a location where the radiating antenna can be kept 20 cm for AP3917i and 35 cm for AP3917e (FCC) and 20 cm for AP3917i and 42 cm for AP3917e (ISED) from nearby person in normal operation condition to meet regulatory RF exposure requirement. External antenna Use only the antennas which have been approved by the applicant. The non-

approved antenna(s) may produce unwanted spurious or excessive RF transmitting power which may lead to the violation of FCC/ISED limit and is prohibited. Installation procedure Please refer to users manual for the detail. Warning: Please carefully select the installation position and make sure that the final output power does not exceed the limit set force in relevant rules. The violation of the rule could lead to serious federal penalty. Instructions d'installation professionnelle Installation Ce produit est destine a un usage specifique et doit etre installe par un personnel qualifie maitrisant les radiofrequences et les regles s'y rapportant. L'installation et les reglages ne doivent pas etre modifies par l'utilisateur final. Emplacement d'installation En usage normal, afin de respecter les exigences reglementaires concernant l'exposition aux radiofrequences, ce produit doit etre installe de facon a respecter une distance de 20 cm pour AP3917i et 35cm pour AP3917e (FCC) et 20 cm pour AP3917i et 42cm pour AP3917e (ISED) entre l'antenne emettrice et les personnes. Antenn externe Utiliser uniiquement les antennes approuvees par le fabricant. L'utilisation d'autres antennes peut conduire a un niveau de rayonnement essentiel ou non 2 le gain maximal d'antenne permis (pour les dispositifs utilisant la bande de 5725 5 850 MHz) doit tre conforme la limite de la p.i.r.e. spcifie pour l'exploitation point point et lexploitation non point point, selon le cas;

3 De plus, les utilisateurs devraient aussi tre aviss que les utilisateurs de radars de haute puissance sont dsigns utilisateurs principaux (c.--d., quils ont la priorit) pour les bandes 5650-5850 MHz et que ces radars pourraient causer du brouillage et/ou des dommages aux dispositifs LAN-

EL. Warning: IC Radiation Exposure Statement: This equipment complies with ISED radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm for AP3917i and 42 cm for AP3917e between the radiator & your body. Warning: Dclaration d'exposition aux radiations: Cet quipement est conforme aux limites d'exposition aux rayonnements ISED tablies pour un environnement non contrl. Cet quipement doit tre install et utilis avec un minimum de 20 cm pour AP3917i et 42 cm pourAP3917e de distance entre la source de rayonnement et votre corps. essentiel depassant les niveaux limites definis par FCC/ISED, ce qui est interdit. Procedure d'installation Consulter le manuel d'utilisation. Warning: Avertissement: Choisir avec soin la position d'installation et s'assurer que la puissance de sortie ne depasse pas les limites en vigueur. La violation de cette regle peut conduire a de serieuses penalites federales. Regulatory and Compliance Information Safety Guidelines This section contains notices that are intended to protect your personal safety and prevent damage to the equipment. Qualified Personnel:

Electrical Hazard: Only qualified personnel should perform installation procedures. Within the context of the safety notes in this documentation, qualified persons are defined as persons who are authorized to commission, ground and label devices, systems, and circuits in accordance with established safety practices and standards. A qualified person understands the requirements and risks involved with installing electrical equipment in accordance with national codes. Federal Communications Commission (FCC) Notice This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:

Reorient or relocate the receiving antenna. Connect the equipment into an outlet on a circuit different from that to Increase the separation between the equipment and receiver. which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. This device meets all the other requirements specified in Part 15E, Section 15.407 of the FCC Rules. Warning: FCC Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm for AP3917i and 35 cm for AP3917e between the radiator & your body. Industry Canada Notice This radio transmitter (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) has been approved by ISED to operate with the antenna type listed below with maximum permissible gain indicated. Antenna types not included in this list, having a gain greater than the maximum gain indicated for that type, are strictly prohibited for use with this device. Le prsent metteur radio (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) a t approuv par ISED pour fonctionner avec les types d'antenne numrs ci-dessous et ayant un gain admissible maximal. Les types d'antenne non inclus dans cette liste, et dont le gain est suprieur au gain maximal indiqu, sont strictement interdits pour l'exploitation de l'metteur. This device complies with ISEDs licence-exempt RSSs. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. Le prsent appareil est conforme aux CNR d ISED applicables aux appareils radio exempts de licence. Lexploitation est autorise aux deux conditions suivantes : (1) le dispositif ne doit pas produire de brouillage prjudiciable, et

(2) ce dispositif doit accepter tout brouillage reu, y compris un brouillage susceptible de provoquer un fonctionnement indsirable. Caution :

1 The device for operation in the band 5150-5250 MHz is only for indoor use to reduce the potential for harmful interference to co-channel mobile satellite systems;

2 The maximum antenna gain permitted for devices in the band 5725-5850 MHz shall be such that the equipment still complies with the e.i.r.p. limits specified for point-to-point and non-point-to-point operation as appropriate; and 3 Users should also be advised that high-power radars are allocated as primary users (i.e. priority users) of the bands 5650-5850 MHz and that these radars could cause interference and/or damage to LE-LAN devices. Avertissement:

1 les dispositifs fonctionnant dans la bande 5150-5250 MHz sont rservs uniquement pour une utilisation lintrieur afin de rduire les risques de brouillage prjudiciable aux systmes de satellites mobiles utilisant les mmes canaux;

4.9G Antenna for Item 6 and Item 11 will be secondary primary permanent fixed operations use only. European Waste Electrical and Electronic Equipment

(WEEE) Notice In accordance with Directive 2012/19/EU of the European Parliament on waste electrical and electronic equipment (WEEE):

1 The symbol above indicates that separate collection of electrical and electronic equipment is required. 2 When this product has reached the end of its serviceable life, it cannot be disposed of as unsorted municipal waste. It must be collected and treated separately. 3 It has been determined by the European Parliament that there are potential negative effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment. 4 It is the users responsibility to utilize the available collection system to ensure WEEE is properly treated. For information about the available collection system, please contact Extreme Customer Support at +353 61 705500 (Ireland). Hazardous Substances This product complies with the requirements of Directive 2011/65/EU of the European Parliament and of the Council of 8 June 2011 on the restriction of the use of certain hazardous substances in electrical and electronic equipment. Declaration of Conformity in Languages of the European Community English Finnish Dutch Hereby, Extreme Networks, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Valmistaja Extreme Networks vakuuttaa tten ett Radio LAN device tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja sit koskevien direktiivin muiden ehtojen mukainen. Hierbij verklaart Extreme Networks dat het toestel Radio LAN device in overeenstemming is met de essentile eisen en de andere relevante bepalingen van richtlijn 1999/5/EG. Bij deze verklaart Extreme Networks dat deze Radio LAN device voldoet aan de essentile eisen en aan de overige relevante bepalingen van Richtlijn 1999/5/EC. French Par la prsente Extreme Networks dclare que l'appareil Radio LAN device est conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999/5/CE. Swedish Danish German Greek Icelandic Italian Spanish Portuguese Malti Par la prsente, Extreme Networks dclare que ce Radio LAN device est conforme aux exigences essentielles et aux autres dispositions de la directive 1999/5/CE qui lui sont applicables. Hrmed intygar Extreme Networks att denna Radio LAN device str I verensstmmelse med de vsentliga egenskapskrav och vriga relevanta bestmmelser som framgr av direktiv 1999/5/EG. Undertegnede Extreme Networks erklrer herved, at flgende udstyr Radio LAN device overholder de vsentlige krav og vrige relevante krav i direktiv 1999/5/EF. Hiermit erklrt Extreme Networks die bereinstimmung des "WLAN Wireless Controller bzw. Access Points" mit den grundlegenden Anforderungen und den anderen relevanten Festlegungen der Richtlinie 1999/5/EG.

Extreme Networks Radio LAN device

1999/5/

. Extreme Networks lysir her med yfir a thessi bunadur, Radio LAN device, uppfyllir allar grunnkrofur, sem gerdar eru i R&TTE tilskipun ESB nr 1999/5/EC. Con la presente Extreme Networks dichiara che questo Radio LAN device conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE. Por medio de la presente Extreme Networks declara que el Radio LAN device cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE. Extreme Networks declara que este Radio LAN device est conforme com os requisitos essenciais e outras disposies da Directiva 1999/5/

CE. Hawnhekk, Extreme Networks, jiddikjara li dan Radio LAN device jikkonforma mal-htigijiet essenzjali u ma provvedimenti ohrajn relevanti li hemm fid-Dirrettiva 1999/5/EC. ExtremeWirelessTM Access Points Quick Reference P/N 31050 WS-AP3917i-FCC P/N 31051 WS-AP3917i-ROW P/N 31055 WS-AP3917e-FCC P/N 31056 WS-AP3917e-ROW Notice Copyright 2017 Extreme Networks, Inc. All Rights Reserved. Legal Notices Extreme Networks, Inc., on behalf of or through its wholly-owned subsidiary, Enterasys Networks, Inc., reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice. Trademarks Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information on Extreme Networks trademarks, please see:

www.extremenetworks.com/company/legal/trademarks/

Documentation & Support For product support, including documentation, visit:

www.extremenetworks.com/support/

P/N 9035165-04

 

 

Installing the ExtremeWiNG AP7662i/AP7662 Access Point Overview of the AP7662i/AP7662 The AP7662 is an IP67 rated Access Point with 802.11ac dual band 2:2 radios. The AP7662 is easy to install, lightweight, and is available in an internal

(AP7662i) and external (AP7662) antenna model. Each model includes 802.11 radios, an IoT radio, and a GPS radio. The AP7662 model comes in two models:

AP7662i and AP7662. In this document, the functionality, feature, and the procedure applies to both the models when AP7662i/AP7662 is used. Note: The AP7662i/AP7662 requires a minimum base firmware of WiNG 5.9.1. The AP7662i/AP7662 model has the following features:

Radios: 2 radios (2.4GHz and 5GHz); 1 IoT/BLE/802.15.4 Radio (2.4 GHz) Console Port: RJ45 One RJ45, 10/100/1000 Ethernet Port (GE1) with PoE One RJ45, 10/100/1000Mb Ethernet port (GE2) LEDs: 4 (see Figure 1) One Reset button Power: PoE 802.3af or 802.3at GPS Receiver (will be supported via a future firmware release) Antennas:

IP67 Connectors on all ports AP7662i - Five internal antennas (four band locked antennas and one BLE antenna) AP7662- Five external antennas (four single band antennas and one BLE antenna) Temperature: -40 to 70*C ambient temperature Enclosure: Cast Aluminum base and Top In Figure 1, the top image indicates AP7662i. Figure 2 shows the top and side views of AP7662. Figure 1 Top and Side Views of AP7662i 1 IoT/BLE Radio 2 Radio - 5 GHz 3 Radio - 2.4 GHz 4 Status 5 GE1 (PoE IN) 6 GE2 7 Console/Reset 8 Vent Figure 2 Top and Side Views of AP7662 1 IoT/BLE Radio 2 Radio - 5 GHz 3 Radio - 2.4 GHz 4 Status 5 GE1 (PoE IN) 6 GE2 7 Console/Reset 8 2.4 G - Antenna 1 and 2 9 Vent 10 5G - Antenna 1 11 BLE/802.15.4 Antenna 12 5 G - Antenna 2 LEDs on the Front of the AP Amber LEDs indicate 5 GHz Wi-Fi Radio, Green LEDs indicate 2.4 GHz Wi-Fi Radio, and Blue LED indicates the IoT Radio. The Status LED is ON only during bootup. For detailed installation information about the AP7662i/AP7662, see the ExtremeWireless AP7662i/AP7662 Installation Guide. Table 1 shows ways to power the AP7662i/AP7662. Table 1 Powering the AP7662i/AP7662 Power Source Description Power over Ethernet

(PoE) Power is provided through the RJ45 Ethernet port (GE1 port). Verifying the AP7662i/AP7662 Box Contents Verify the contents of the box and ensure that the following items are available:

Table 2 Contents of the AP7662i/AP7662 Box Quantity Item AP7662i/AP7662 Quick Reference Guide Cloud Quick Start Card 1 1 The following hardware is included:

1 1 M4 screw assembly with star washer Ring terminal Mounting and Connecting the AP Electrical Hazard: Only qualified personnel should perform installation procedures. Use these instructions as guidelines for mounting and connecting the AP7662i/AP7662 easily and safely. The AP7662i/AP7662 mounting brackets are sold separately. For more information about installing the optional bracket and the adapter, see the ExtremeWireless AP7662i/AP7662 Installation Guide. For installation videos of the AP, see www.extremenetworks.com/support/

Mounting the AP7662i/AP7662 Use these instructions as guidelines for mounting and connecting the AP7662i/AP7662 easily and safely. The installation of the AP7662i/AP7662 should be performed by a professional installer to ensure proper operation and compliance with local safety guidelines. Attach the AP7662i/AP7662 to a surface that can support the AP and in an environment it can withstand. It can be mounted to a wall, girder, ceiling, or pole, and the surface material can be concrete, brick, wood, metal, or plastic. Positioning the AP for Installation Mount the AP so that the glands are on the side of the AP closest to the ground, and not above the plastic cover. You must provide a 3-inch drip loop on all cables. Note: Do not remove the dust cap until you need to install the BLE/

IoT antennas. Attach the Ground Wire Use the M4 ground screw assembly, with the star washer, to attach the ground wires ring terminal to the back of the AP. The wire should be as close to the AP bottom as possible. Tighten the screw to a torque of 13.0-13.5 in-

lbs. Note: Attach the H bracket after attaching the ground wire onto the AP. Tighten the torque, tighten the screws, and attach the LAN cable. Mounting the AP7662i/AP7662 to a Wall Note: The H type Mounting Bracket (WS-MBO-H01) is sold as a separate accessory (ordering part #30519). 1 Using the mounting bracket as a guide, mark the location for the mounting screws. The wall bracket provides eight attachment holes. Use four (one in each corner). Place the bracket and mark the four hole centers. 2 Drill four holes into the wall as follows:

for installing the AP on a masonry wall, use a 5/16 diameter bit. for other materials, use the appropriate drill for the screws being used. 3 For masonry installations, drill at least 1/8 (3mm) past the depth of the screw, or bolt, being used, and place four anchor assemblies into the holes. 4 Attach the AP to the H Bracket:

a Use four M4 screw assemblies to attach the AP to the H bracket on the side that does not have the PEM stand-offs. b Tighten the four screws to a torque of 13.0-13.5 in-lbs. Figure 3 Attaching the H Bracket to the AP 5 Secure the anchors to the wall, then secure the bracket to the anchors. 6 If using #10 screws, tighten them to a torque of 25 in-lbs. If using screws, tighten them to 45 in-lbs. Figure 4 AP7662i and AP7662 Wall Mount H Bracket Mounting the AP7662i/AP7662 to a Pole Note: The Pole Mounting Bracket (WS-MBO-POLE01) is sold as a separate accessory (ordering part #30520). 1 Determine the diameter of the pole. Pole Diameter

<= 2.5 (63.5mm) 5 - 7 (178mm) Cable Clamp Size Use small cable clamp. Use large cable clamp For other pole diameters, provide your own stainless steel cable clamp. The band must be (12.7mm) wide. 2 Attach the AP to the Pole Mount bracket using 4 M4 screws. Tighten the four screws to a torque of 13.0-13.5 in-lbs. Figure 5 Attaching a Pole Bracket to the AP Figure 6 AP with Mounting BracketVertical Pole Mounting the AP7662i/AP7662 to a Wall/Pole using the WS-MBO-ART01 2 Axis Extension Arm You can mount the to AP7662i/AP7662 to a wall or a pole using a 10 extension arm (WS-MBO-ART01, ordering part #30514). For mounting and installation instructions, refer to the ExtremeWireless AP7662i/AP7662 Installation Guide. Installing External Antennas 1 Professionally install the external antennas intended for area coverage. For information about antenna selection and installation, refer to the External Antenna Site Preparation and Installation Guide. 2 Attach the external antenna cables to the Standard Polarity Type-N connectors on the AP7662i/AP7662. Connecting a Power Supply to the AP7662i/AP7662 If you need to power the AP7662i/AP7662, you can do so my using the GE1 port on the AP. The power LED on the front face of the AP illuminates when the device is powered on. Refer to the ExtremeWireless AP7662i/AP7662 Installation Guide for more information. LAN/Console Connections The AP7662i/AP7662 has two LAN (Ethernet) ports and a Console port. Refer to Figure 1 and Figure 2 for the location of these ports. During administration and maintenance through the LAN or Console, the AP must still have a power connection through either an Ethernet PoE cable or a DC power supply. Professional Installation Instruction Installation personnel This product is designed for specific application and needs to be installed by a qualified personnel who has RF and related rule knowledge. The general user shall not attempt to install or change the setting. Installation location The product shall be installed at a location where the radiating antenna can be kept 20 cm for AP7662i and 35 cm for AP7662 (FCC) and 20 cm for AP7662i and 42 cm for AP7662 (ISED) from nearby person in normal operation condition to meet regulatory RF exposure requirement. External antenna Use only the antennas which have been approved by the applicant. The non-

approved antenna(s) may produce unwanted spurious or excessive RF transmitting power which may lead to the violation of FCC/ISED limit and is prohibited. Installation procedure Please refer to users manual for the detail. Warning: Please carefully select the installation position and make sure that the final output power does not exceed the limit set force in relevant rules. The violation of the rule could lead to serious federal penalty. Instructions d'installation professionnelle 3 Attach the cable clamp to the pole bracket. Open the cable clamp by turning a flat bladed screwdriver counterclockwise. Then, insert the non-

clamp end into the pole bracket through the holes. Note: It is easier to install both clamps before attaching to the pole. Installation Ce produit est destine a un usage specifique et doit etre installe par un personnel qualifie maitrisant les radiofrequences et les regles s'y rapportant. L'installation et les reglages ne doivent pas etre modifies par l'utilisateur final. 4 Put the metal band around the pole and insert it into the clamp. Turn the clamp screw clockwise, tightening the band around the pole. Emplacement d'installation En usage normal, afin de respecter les exigences reglementaires concernant l'exposition aux radiofrequences, ce produit doit etre installe de facon a respecter une distance de 20cm pour AP7662i et 35 cm pour AP7662 (FCC) et 20 cm pour AP7662i et 42 cm pour AP7662 (ISED) entre l'antenne emettrice et les personnes. Antenn externe Utiliser uniiquement les antennes approuvees par le fabricant. L'utilisation d'autres antennes peut conduire a un niveau de rayonnement essentiel ou non essentiel depassant les niveaux limites definis par ISED, ce qui est interdit. Procedure d'installation Consulter le manuel d'utilisation. Warning: Avertissement: Choisir avec soin la position d'installation et s'assurer que la puissance de sortie ne depasse pas les limites en vigueur. La violation de cette regle peut conduire a de serieuses penalites federales. Regulatory and Compliance Information Safety Guidelines This section contains notices that are intended to protect your personal safety and prevent damage to the equipment. Qualified Personnel:

Electrical Hazard: Only qualified personnel should perform installation procedures. Within the context of the safety notes in this documentation, qualified persons are defined as persons who are authorized to commission, ground and label devices, systems, and circuits in accordance with established safety practices and standards. A qualified person understands the requirements and risks involved with installing electrical equipment in accordance with national codes. Federal Communications Commission (FCC) Notice This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:

Reorient or relocate the receiving antenna. Connect the equipment into an outlet on a circuit different from that to Increase the separation between the equipment and receiver. which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. This device meets all the other requirements specified in Part 15E, Section 15.407 of the FCC Rules. Warning: FCC Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm for AP7662i and 35 cm for AP7662 between the radiator & your body. Industry Canada Notice This device complies with ISEDs licence-exempt RSSs. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. Le prsent appareil est conforme aux CNR d ISED applicables aux appareils radio exempts de licence. Lexploitation est autorise aux deux conditions suivantes : (1) le dispositif ne doit pas produire de brouillage prjudiciable, et

(2) ce dispositif doit accepter tout brouillage reu, y compris un brouillage susceptible de provoquer un fonctionnement indsirable. Caution :

1 The device for operation in the band 5150-5250 MHz is only for indoor use to reduce the potential for harmful interference to co-channel mobile satellite systems;

2 The maximum antenna gain permitted for devices in the band 5725-5850 MHz shall be such that the equipment still complies with the e.i.r.p. limits specified for point-to-point and non-point-to-point operation as appropriate; and 3 Users should also be advised that high-power radars are allocated as primary users (i.e. priority users) of the bands 5650-5850 MHz and that these radars could cause interference and/or damage to LE-LAN devices. Avertissement:

1 les dispositifs fonctionnant dans la bande 5150-5250 MHz sont rservs uniquement pour une utilisation lintrieur afin de rduire les risques de brouillage prjudiciable aux systmes de satellites mobiles utilisant les mmes canaux;

2 le gain maximal d'antenne permis (pour les dispositifs utilisant la bande de 5725 5 850 MHz) doit tre conforme la limite de la p.i.r.e. spcifie pour l'exploitation point point et lexploitation non point point, selon le cas;

3 De plus, les utilisateurs devraient aussi tre aviss que les utilisateurs de radars de haute puissance sont dsigns utilisateurs principaux (c.--d., quils ont la priorit) pour les bandes 5650-5850 MHz et que ces radars pourraient causer du brouillage et/ou des dommages aux dispositifs LAN-

EL. Warning: IC Radiation Exposure Statement: This equipment complies with ISED radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm for AP7662i and 42 cm for AP7662 between the radiator & your body. Warning: Dclaration d'exposition aux radiations: Cet quipement est conforme aux limites d'exposition aux rayonnements ISED tablies pour un environnement non contrl. Cet quipement doit tre install et utilis avec un minimum de 20 cm pour AP7662i et 42 cm pour AP7662 de distance entre la source de rayonnement et votre corps. This radio transmitter (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) has been approved by ISED to operate with the antenna type listed below with maximum permissible gain indicated. Antenna types not included in this list, having a gain greater than the maximum gain indicated for that type, are strictly prohibited for use with this device. Le prsent metteur radio (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) a t approuv par ISED pour fonctionner avec les types d'antenne numrs ci-

dessous et ayant un gain admissible maximal. Les types d'antenne non inclus dans cette liste, et dont le gain est suprieur au gain maximal indiqu, sont strictement interdits pour l'exploitation de l'metteur. 4.9G Antenna for Item 6 and Item 11 will be secondary primary permanent fixed operations use only. European Waste Electrical and Electronic Equipment

(WEEE) Notice In accordance with Directive 2012/19/EU of the European Parliament on waste electrical and electronic equipment (WEEE):

1 The symbol above indicates that separate collection of electrical and electronic equipment is required. 2 When this product has reached the end of its serviceable life, it cannot be disposed of as unsorted municipal waste. It must be collected and treated separately. 3 It has been determined by the European Parliament that there are potential negative effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment. 4 It is the users responsibility to utilize the available collection system to ensure WEEE is properly treated. For information about the available collection system, please contact Extreme Customer Support at +353 61 705500 (Ireland). Hazardous Substances This product complies with the requirements of Directive 2011/65/EU of the European Parliament and of the Council of 8 June 2011 on the restriction of the use of certain hazardous substances in electrical and electronic equipment. Declaration of Conformity in Languages of the European Community English Finnish Dutch Hereby, Extreme Networks, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Valmistaja Extreme Networks vakuuttaa tten ett Radio LAN device tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja sit koskevien direktiivin muiden ehtojen mukainen. Hierbij verklaart Extreme Networks dat het toestel Radio LAN device in overeenstemming is met de essentile eisen en de andere relevante bepalingen van richtlijn 1999/5/EG. Bij deze verklaart Extreme Networks dat deze Radio LAN device voldoet aan de essentile eisen en aan de overige relevante bepalingen van Richtlijn 1999/5/EC. French Par la prsente Extreme Networks dclare que l'appareil Radio LAN device est conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999/5/CE. Swedish Danish German Greek Icelandic Italian Spanish Portuguese Malti Par la prsente, Extreme Networks dclare que ce Radio LAN device est conforme aux exigences essentielles et aux autres dispositions de la directive 1999/5/CE qui lui sont applicables. Hrmed intygar Extreme Networks att denna Radio LAN device str I verensstmmelse med de vsentliga egenskapskrav och vriga relevanta bestmmelser som framgr av direktiv 1999/5/EG. Undertegnede Extreme Networks erklrer herved, at flgende udstyr Radio LAN device overholder de vsentlige krav og vrige relevante krav i direktiv 1999/5/EF. Hiermit erklrt Extreme Networks die bereinstimmung des "WLAN Wireless Controller bzw. Access Points" mit den grundlegenden Anforderungen und den anderen relevanten Festlegungen der Richtlinie 1999/5/EG. Extreme Networks Radio LAN device 1999/5/

. Extreme Networks lysir her med yfir a thessi bunadur, Radio LAN device, uppfyllir allar grunnkrofur, sem gerdar eru i R&TTE tilskipun ESB nr 1999/5/EC. Con la presente Extreme Networks dichiara che questo Radio LAN device conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE. Por medio de la presente Extreme Networks declara que el Radio LAN device cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE. Extreme Networks declara que este Radio LAN device est conforme com os requisitos essenciais e outras disposies da Directiva 1999/5/

CE. Hawnhekk, Extreme Networks, jiddikjara li dan Radio LAN device jikkonforma mal-htigijiet essenzjali u ma provvedimenti ohrajn relevanti li hemm fid-Dirrettiva 1999/5/EC. ExtremeWiNGTM Access Points Quick Reference P/N 37121 AP-7662-680B30-US P/N 37122 AP-7662-680B30-WR P/N 37123 AP-7662-680B40-US P/N 37124 AP-7662-680B40-WR Notice Copyright 2017 Extreme Networks, Inc. All Rights Reserved. Legal Notices Extreme Networks, Inc., on behalf of or through its wholly-owned subsidiary, Enterasys Networks, Inc., reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice. Trademarks Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information on Extreme Networks trademarks, please see:

www.extremenetworks.com/company/legal/trademarks/

Documentation & Support For product support, including documentation, visit:

www.extremenetworks.com/support/

P/N 9035167-02

 

 

1 Using the mounting bracket as a guide, mark the location for the mounting screws. The wall bracket provides eight attachment holes. Use four (one in each corner). Place the bracket and mark the four hole centers. 2 Drill four holes into the wall as follows:

Figure 6 AP with Mounting BracketVertical Pole Installing the ExtremeWiNG AP7662i/AP7662 Access Point Overview of the AP7662i/AP7662 The AP7662 is an IP67 rated Access Point with 802.11ac dual band 2:2 radios. The AP7662 is easy to install, lightweight, and is available in an internal

(AP7662i) and external (AP7662) antenna model. Each model includes 802.11 radios, an IoT radio, and a GPS radio. The AP7662 model comes in two models:

AP7662i and AP7662. In this document, the functionality, feature, and the procedure applies to both the models when AP7662i/AP7662 is used. Note: The AP7662i/AP7662 requires a minimum base firmware of WiNG 5.9.1. The AP7662i/AP7662 model has the following features:

Radios: 2 radios (2.4GHz and 5GHz); 1 IoT/BLE/802.15.4 Radio (2.4 GHz) Console Port: RJ45 One RJ45, 10/100/1000 Ethernet Port (GE1) with PoE One RJ45, 10/100/1000Mb Ethernet port (GE2) LEDs: 4 (see Figure 1) One Reset button Power: PoE 802.3af or 802.3at GPS Receiver (will be supported via a future firmware release) Antennas:

IP67 Connectors on all ports AP7662i - Five internal antennas (four band locked antennas and one BLE antenna) AP7662- Five external antennas (four single band antennas and one BLE antenna) Temperature:

AP3917i -40C to +65C (-40F to 149F) without solar radiation; -40C to +55C (-40F to 131F) with solar radiation AP3917e -40C to +65C (-40F to 149F) without solar radiation; -40C to +55C (-40F to 131F) with solar radiation Enclosure: Cast Aluminum base and Top In Figure 1, the top image indicates AP7662i. Figure 2 shows the top and side views of AP7662. Figure 1 Top and Side Views of AP7662i 1 IoT/BLE Radio 2 Radio - 5 GHz 3 Radio - 2.4 GHz 4 Status 5 GE1 (PoE IN) 6 GE2 7 Console/Reset 8 Vent Figure 2 Top and Side Views of AP7662 1 IoT/BLE Radio 2 Radio - 5 GHz 3 Radio - 2.4 GHz 4 Status 5 GE1 (PoE IN) 6 GE2 7 Console/Reset 8 2.4 G - Antenna 1 and 2 9 Vent 10 5G - Antenna 1 11 BLE/802.15.4 Antenna 12 5 G - Antenna 2 LEDs on the Front of the AP Amber LEDs indicate 5 GHz Wi-Fi Radio, Green LEDs indicate 2.4 GHz Wi-Fi Radio, and Blue LED indicates the IoT Radio. The Status LED is ON only during bootup. For detailed installation information about the AP7662i/AP7662, see the ExtremeWireless AP7662i/AP7662 Installation Guide. Table 1 shows ways to power the AP7662i/AP7662. Table 1 Powering the AP7662i/AP7662 Power Source Description Power over Ethernet

(PoE) Power is provided through the RJ45 Ethernet port (GE1 port). Verifying the AP7662i/AP7662 Box Contents Verify the contents of the box and ensure that the following items are available:

Table 2 Contents of the AP7662i/AP7662 Box Quantity Item AP7662i/AP7662 Quick Reference Guide Cloud Quick Start Card 1 1 The following hardware is included:

1 1 M4 screw assembly with star washer Ring terminal for installing the AP on a masonry wall, use a 5/16 diameter bit. for other materials, use the appropriate drill for the screws being used. 3 For masonry installations, drill at least 1/8 (3mm) past the depth of the screw, or bolt, being used, and place four anchor assemblies into the holes. 4 Attach the AP to the H Bracket:

a Use four M4 screw assemblies to attach the AP to the H bracket on the side that does not have the PEM stand-offs. b Tighten the four screws to a torque of 13.0-13.5 in-lbs. Figure 3 Attaching the H Bracket to the AP 5 Secure the anchors to the wall, then secure the bracket to the anchors. 6 If using #10 screws, tighten them to a torque of 25 in-lbs. If using screws, tighten them to 45 in-lbs. Figure 4 AP7662i and AP7662 Wall Mount H Bracket Mounting and Connecting the AP Electrical Hazard: Only qualified personnel should perform installation procedures. Mounting the AP7662i/AP7662 to a Pole Use these instructions as guidelines for mounting and connecting the AP7662i/AP7662 easily and safely. The AP7662i/AP7662 mounting brackets are sold separately. For more information about installing the optional bracket and the adapter, see the ExtremeWireless AP7662i/AP7662 Installation Guide. For installation videos of the AP, see www.extremenetworks.com/support/

Mounting the AP7662i/AP7662 Use these instructions as guidelines for mounting and connecting the AP7662i/AP7662 easily and safely. The installation of the AP7662i/AP7662 should be performed by a professional installer to ensure proper operation and compliance with local safety guidelines. Attach the AP7662i/AP7662 to a surface that can support the AP and in an environment it can withstand. It can be mounted to a wall, girder, ceiling, or pole, and the surface material can be concrete, brick, wood, metal, or plastic. Positioning the AP for Installation Mount the AP so that the glands are on the side of the AP closest to the ground, and not above the plastic cover. You must provide a 3-inch drip loop on all cables. Note: Do not remove the dust cap until you need to install the BLE/

IoT antennas. Attach the Ground Wire Use the M4 ground screw assembly, with the star washer, to attach the ground wires ring terminal to the back of the AP. The wire should be as close to the AP bottom as possible. Tighten the screw to a torque of 13.0-13.5 in-

lbs. Note: Attach the H bracket after attaching the ground wire onto the AP. Tighten the torque, tighten the screws, and attach the LAN cable. Mounting the AP7662i/AP7662 to a Wall Note: The H type Mounting Bracket (WS-MBO-H01) is sold as a separate accessory (ordering part #30519). Note: The Pole Mounting Bracket (WS-MBO-POLE01) is sold as a separate accessory (ordering part #30520). 1 Determine the diameter of the pole. Pole Diameter

<= 2.5 (63.5mm) 5 - 7 (178mm) Cable Clamp Size Use small cable clamp. Use large cable clamp For other pole diameters, provide your own stainless steel cable clamp. The band must be (12.7mm) wide. 2 Attach the AP to the Pole Mount bracket using 4 M4 screws. Tighten the four screws to a torque of 13.0-13.5 in-lbs. Figure 5 Attaching a Pole Bracket to the AP 3 Attach the cable clamp to the pole bracket. Open the cable clamp by turning a flat bladed screwdriver counterclockwise. Then, insert the non-

clamp end into the pole bracket through the holes. Note: It is easier to install both clamps before attaching to the pole. 4 Put the metal band around the pole and insert it into the clamp. Turn the clamp screw clockwise, tightening the band around the pole. Mounting the AP7662i/AP7662 to a Wall/Pole using the WS-MBO-ART01 2 Axis Extension Arm You can mount the to AP7662i/AP7662 to a wall or a pole using a 10 extension arm (WS-MBO-ART01, ordering part #30514). For mounting and installation instructions, refer to the ExtremeWireless AP7662i/AP7662 Installation Guide. Installing External Antennas 1 Professionally install the external antennas intended for area coverage. For information about antenna selection and installation, refer to the External Antenna Site Preparation and Installation Guide. 2 Attach the external antenna cables to the Standard Polarity Type-N connectors on the AP7662i/AP7662. Connecting a Power Supply to the AP7662i/AP7662 If you need to power the AP7662i/AP7662, you can do so my using the GE1 port on the AP. The power LED on the front face of the AP illuminates when the device is powered on. Refer to the ExtremeWireless AP7662i/AP7662 Installation Guide for more information. LAN/Console Connections The AP7662i/AP7662 has two LAN (Ethernet) ports and a Console port. Refer to Figure 1 and Figure 2 for the location of these ports. During administration and maintenance through the LAN or Console, the AP must still have a power connection through either an Ethernet PoE cable or a DC power supply. Professional Installation Instruction Installation personnel This product is designed for specific application and needs to be installed by a qualified personnel who has RF and related rule knowledge. The general user shall not attempt to install or change the setting. Installation location The product shall be installed at a location where the radiating antenna can be kept 20 cm for AP7662i and 35 cm for AP7662 (FCC) and 20 cm for AP7662i and 42 cm for AP7662 (ISED) from nearby person in normal operation condition to meet regulatory RF exposure requirement. External antenna Use only the antennas which have been approved by the applicant. The non-approved antenna(s) may produce unwanted spurious or excessive RF transmitting power which may lead to the violation of FCC/ISED limit and is prohibited. Installation procedure Please refer to users manual for the detail. Warning: Please carefully select the installation position and make sure that the final output power does not exceed the limit set force in relevant rules. The violation of the rule could lead to serious federal penalty. Instructions d'installation professionnelle Installation Ce produit est destine a un usage specifique et doit etre installe par un personnel qualifie maitrisant les radiofrequences et les regles s'y rapportant. L'installation et les reglages ne doivent pas etre modifies par l'utilisateur final. Emplacement d'installation En usage normal, afin de respecter les exigences reglementaires concernant l'exposition aux radiofrequences, ce produit doit etre installe de facon a respecter une distance de 20cm pour AP7662i et 35 cm pour AP7662 (FCC) et 20 cm pour AP7662i et 42 cm pour AP7662 (ISED) entre l'antenne emettrice et les personnes. Antenn externe Utiliser uniiquement les antennes approuvees par le fabricant. L'utilisation d'autres antennes peut conduire a un niveau de rayonnement essentiel ou non essentiel depassant les niveaux limites definis par ISED, ce qui est interdit. Procedure d'installation Consulter le manuel d'utilisation. Warning: Avertissement: Choisir avec soin la position d'installation et s'assurer que la puissance de sortie ne depasse pas les limites en vigueur. La violation de cette regle peut conduire a de serieuses penalites federales. Regulatory and Compliance Information Safety Guidelines This section contains notices that are intended to protect your personal safety and prevent damage to the equipment. Qualified Personnel:

Electrical Hazard: Only qualified personnel should perform installation procedures. Within the context of the safety notes in this documentation, qualified persons are defined as persons who are authorized to commission, ground and label devices, systems, and circuits in accordance with established safety practices and standards. A qualified person understands the requirements and risks involved with installing electrical equipment in accordance with national codes. Federal Communications Commission (FCC) Notice This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:

Reorient or relocate the receiving antenna. Connect the equipment into an outlet on a circuit different from that to which the Increase the separation between the equipment and receiver. receiver is connected. Consult the dealer or an experienced radio/TV technician for help. Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. This device meets all the other requirements specified in Part 15E, Section 15.407 of the FCC Rules. Warning: FCC Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm for AP7662i and 35 cm for AP7662 between the radiator & your body. Industry Canada Notice This device complies with ISEDs licence-exempt RSSs. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. Le prsent appareil est conforme aux CNR d ISED applicables aux appareils radio exempts de licence. Lexploitation est autorise aux deux conditions suivantes : (1) le dispositif ne doit pas produire de brouillage prjudiciable, et (2) ce dispositif doit accepter tout brouillage reu, y compris un brouillage susceptible de provoquer un fonctionnement indsirable. Caution :

1 The device for operation in the band 5150-5250 MHz is only for indoor use to reduce the potential for harmful interference to co-channel mobile satellite systems;

2 The maximum antenna gain permitted for devices in the band 5725-5850 MHz shall be such that the equipment still complies with the e.i.r.p. limits specified for point-to-

point and non-point-to-point operation as appropriate; and 3 Users should also be advised that high-power radars are allocated as primary users

(i.e. priority users) of the bands 5650-5850 MHz and that these radars could cause interference and/or damage to LE-LAN devices. Avertissement:

1 2 les dispositifs fonctionnant dans la bande 5150-5250 MHz sont rservs uniquement pour une utilisation lintrieur afin de rduire les risques de brouillage prjudiciable aux systmes de satellites mobiles utilisant les mmes canaux;

le gain maximal d'antenne permis (pour les dispositifs utilisant la bande de 5725 5 850 MHz) doit tre conforme la limite de la p.i.r.e. spcifie pour l'exploitation point point et lexploitation non point point, selon le cas;

3 De plus, les utilisateurs devraient aussi tre aviss que les utilisateurs de radars de haute puissance sont dsigns utilisateurs principaux (c.--d., quils ont la priorit) pour les bandes 5650-5850 MHz et que ces radars pourraient causer du brouillage et/

ou des dommages aux dispositifs LAN-EL. Warning: IC Radiation Exposure Statement: This equipment complies with ISED radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm for AP7662i and 42 cm for AP7662 between the radiator & your body. Warning: Dclaration d'exposition aux radiations: Cet quipement est conforme aux limites d'exposition aux rayonnements ISED tablies pour un environnement non contrl. Cet quipement doit tre install et utilis avec un minimum de 20 cm pour AP7662i et 42 cm pour AP7662 de distance entre la source de rayonnement et votre corps. This radio transmitter (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) has been approved by ISED to operate with the antenna type listed below with maximum permissible gain indicated. Antenna types not included in this list, having a gain greater than the maximum gain indicated for that type, are strictly prohibited for use with this device. Le prsent metteur radio (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) a t approuv par ISED pour fonctionner avec les types d'antenne numrs ci-dessous et ayant un gain admissible maximal. Les types d'antenne non inclus dans cette liste, et dont le gain est suprieur au gain maximal indiqu, sont strictement interdits pour l'exploitation de l'metteur. 4.9G Antenna for Item 6 and Item 11 will be secondary primary permanent fixed operations use only. European Waste Electrical and Electronic Equipment

(WEEE) Notice In accordance with Directive 2012/19/EU of the European Parliament on waste electrical and electronic equipment (WEEE):

1 The symbol above indicates that separate collection of electrical and electronic equipment is required. 2 When this product has reached the end of its serviceable life, it cannot be disposed of as unsorted municipal waste. It must be collected and treated separately. 3 It has been determined by the European Parliament that there are potential negative effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment. 4 It is the users responsibility to utilize the available collection system to ensure WEEE is properly treated. For information about the available collection system, please contact Extreme Customer Support at +353 61 705500 (Ireland). English Finnish Dutch French Swedish Danish German Greek Icelandic Italian Spanish Hazardous Substances This product complies with the requirements of Directive 2011/65/EU of the European Parliament and of the Council of 8 June 2011 on the restriction of the use of certain hazardous substances in electrical and electronic equipment. Portuguese Malti ExtremeWiNGTM Access Points Quick Reference P/N 37121 AP-7662-680B30-US P/N 37122 AP-7662-680B30-WR P/N 37123 AP-7662-680B40-US P/N 37124 AP-7662-680B40-WR Notice Copyright 2017 Extreme Networks, Inc. All Rights Reserved. Legal Notices Extreme Networks, Inc., on behalf of or through its wholly-owned subsidiary, Enterasys Networks, Inc., reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice. Trademarks Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information on Extreme Networks trademarks, please see:

www.extremenetworks.com/company/legal/trademarks/

Documentation & Support For product support, including documentation, visit:

www.extremenetworks.com/support/

P/N 9035167-04 Declaration of Conformity in Languages of the European Community Hereby, Extreme Networks, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Valmistaja Extreme Networks vakuuttaa tten ett Radio LAN device tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja sit koskevien direktiivin muiden ehtojen mukainen. Hierbij verklaart Extreme Networks dat het toestel Radio LAN device in overeenstemming is met de essentile eisen en de andere relevante bepalingen van richtlijn 1999/5/EG. Bij deze verklaart Extreme Networks dat deze Radio LAN device voldoet aan de essentile eisen en aan de overige relevante bepalingen van Richtlijn 1999/5/EC. Par la prsente Extreme Networks dclare que l'appareil Radio LAN device est conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999/5/CE. Par la prsente, Extreme Networks dclare que ce Radio LAN device est conforme aux exigences essentielles et aux autres dispositions de la directive 1999/5/CE qui lui sont applicables. Hrmed intygar Extreme Networks att denna Radio LAN device str I verensstmmelse med de vsentliga egenskapskrav och vriga relevanta bestmmelser som framgr av direktiv 1999/5/EG. Undertegnede Extreme Networks erklrer herved, at flgende udstyr Radio LAN device overholder de vsentlige krav og vrige relevante krav i direktiv 1999/5/EF. Hiermit erklrt Extreme Networks die bereinstimmung des "WLAN Wireless Controller bzw. Access Points" mit den grundlegenden Anforderungen und den anderen relevanten Festlegungen der Richtlinie 1999/5/EG.

Extreme Networks Radio LAN device

1999/5/

. Extreme Networks lysir her med yfir a thessi bunadur, Radio LAN device, uppfyllir allar grunnkrofur, sem gerdar eru i R&TTE tilskipun ESB nr 1999/5/EC. Con la presente Extreme Networks dichiara che questo Radio LAN device conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE. Por medio de la presente Extreme Networks declara que el Radio LAN device cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE. Extreme Networks declara que este Radio LAN device est conforme com os requisitos essenciais e outras disposies da Directiva 1999/5/

CE. Hawnhekk, Extreme Networks, jiddikjara li dan Radio LAN device jikkonforma mal-htigijiet essenzjali u ma provvedimenti ohrajn relevanti li hemm fid-Dirrettiva 1999/5/EC.

 

 

WiNG 5.9.1 Access Point, Wireless Controller and Service Platform CLI Reference Guide Published September 2017 9035205 Published September 2017 9035205 9035205 Copyright 2017 Extreme Networks, Inc. All Rights Reserved. Legal Notices Extreme Networks, Inc. reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice. Trademarks Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information about Extreme Networks trademarks, go to:

www.extremenetworks.com/company/legal/trademarks/

Support For product support, including documentation, visit: www.extremenetworks.com/support/

Contents ABOUT THIS GUIDE Chapter 1, INTRODUCTION 1.1 CLI Overview ....................................................................................................................................................................................................................1-2 1.2 Getting Context Sensitive Help ................................................................................................................................................................................1-7 1.3 Using the No Command ............................................................................................................................................................................................. 1-9 1.3.1 Basic Conventions ............................................................................................................................................................................................. 1-9 1.4 Using CLI Editing Features and Shortcuts ......................................................................................................................................................... 1-9 1.4.1 Moving the Cursor on the Command Line .............................................................................................................................................1-10 1.4.2 Completing a Partial Command Name ...................................................................................................................................................1-10 1.4.3 Command Output Pagination ..................................................................................................................................................................... 1-11 1.5 Using CLI to Create Profiles and Enable Remote Administration ............................................................................................................. 1-11 1.5.1 Creating Profiles ................................................................................................................................................................................................ 1-12 1.5.2 Changing the default profile by creating vlan 150 and mapping to ge3 Physical interface ............................................. 1-13 1.5.3 Enabling Remote Administration ..............................................................................................................................................................1-14 Chapter 2, USER EXEC MODE COMMANDS 2.1 User Exec Commands .................................................................................................................................................................................................2-2 2.1.1 captive-portal-page-upload ......................................................................................................................................................................... 2-4 2.1.2 change-passwd ................................................................................................................................................................................................ 2-8 2.1.3 clear ....................................................................................................................................................................................................................... 2-9 2.1.4 clock ....................................................................................................................................................................................................................2-20 2.1.5 cluster .................................................................................................................................................................................................................. 2-21 2.1.6 connect .............................................................................................................................................................................................................. 2-22 2.1.7 create-cluster ..................................................................................................................................................................................................2-23 2.1.8 crypto .................................................................................................................................................................................................................2-24 2.1.9 crypto-cmp-cert-update ............................................................................................................................................................................2-33 2.1.10 database ..........................................................................................................................................................................................................2-34 2.1.11 database-backup ..........................................................................................................................................................................................2-38 2.1.12 database-restore ......................................................................................................................................................................................... 2-40 2.1.13 device-upgrade ..............................................................................................................................................................................................2-41 2.1.14 disable ..............................................................................................................................................................................................................2-49 2.1.15 enable ...............................................................................................................................................................................................................2-50 2.1.16 file-sync .............................................................................................................................................................................................................2-51 2.1.17 join-cluster ......................................................................................................................................................................................................2-54 2.1.18 l2tpv3 ................................................................................................................................................................................................................2-56 2.1.19 logging .............................................................................................................................................................................................................2-58 2.1.20 mint ................................................................................................................................................................................................................. 2-60 2.1.21 no ........................................................................................................................................................................................................................2-62 2.1.22 on .......................................................................................................................................................................................................................2-64 2.1.23 opendns ..........................................................................................................................................................................................................2-65 2.1.24 page ..................................................................................................................................................................................................................2-67 2.1.25 ping ...................................................................................................................................................................................................................2-68 2.1.26 ping6 ................................................................................................................................................................................................................2-70 2.1.27 ssh ....................................................................................................................................................................................................................... 2-71 2.1.28 telnet ................................................................................................................................................................................................................ 2-72 2.1.29 terminal ........................................................................................................................................................................................................... 2-73 2.1.30 time-it ..............................................................................................................................................................................................................2-74 2.1.31 traceroute ........................................................................................................................................................................................................2-75 2.1.32 traceroute6 2-76 Access Point, Wireless Controller and Service Platform CLI Reference Guide i Contents 2.1.33 virtual-machine ............................................................................................................................................................................................ 2-77 2.1.34 watch ...............................................................................................................................................................................................................2-83 2.1.35 exit .....................................................................................................................................................................................................................2-84 Chapter 3, PRIVILEGED EXEC MODE COMMANDS 3.1 Privileged Exec Mode Commands ........................................................................................................................................................................ 3-3 3.1.1 archive ................................................................................................................................................................................................................... 3-6 3.1.2 boot ....................................................................................................................................................................................................................... 3-8 3.1.3 captive-portal-page-upload ....................................................................................................................................................................... 3-9 3.1.4 cd ..........................................................................................................................................................................................................................3-13 3.1.5 change-passwd ...............................................................................................................................................................................................3-14 3.1.6 clear ......................................................................................................................................................................................................................3-15 3.1.7 clock ....................................................................................................................................................................................................................3-28 3.1.8 cluster .................................................................................................................................................................................................................3-29 3.1.9 configure ...........................................................................................................................................................................................................3-30 3.1.10 connect .............................................................................................................................................................................................................3-31 3.1.11 copy ....................................................................................................................................................................................................................3-32 3.1.12 cpe ......................................................................................................................................................................................................................3-33 3.1.13 create-cluster .................................................................................................................................................................................................3-35 3.1.14 crypto ...............................................................................................................................................................................................................3-37 3.1.15 crypto-cmp-cert-update ...........................................................................................................................................................................3-46 3.1.16 database ..........................................................................................................................................................................................................3-47 3.1.17 database-backup .........................................................................................................................................................................................3-50 3.1.18 database-restore ..........................................................................................................................................................................................3-52 3.1.19 delete ................................................................................................................................................................................................................3-53 3.1.20 device-upgrade ...........................................................................................................................................................................................3-54 3.1.21 diff ..................................................................................................................................................................................................................... 3-60 3.1.22 dir ........................................................................................................................................................................................................................3-61 3.1.23 disable ..............................................................................................................................................................................................................3-62 3.1.24 edit ....................................................................................................................................................................................................................3-63 3.1.25 enable ..............................................................................................................................................................................................................3-64 3.1.26 erase .................................................................................................................................................................................................................3-65 3.1.27 ex3500 ............................................................................................................................................................................................................3-67 3.1.28 factory-reset .................................................................................................................................................................................................3-75 3.1.29 file-sync ...........................................................................................................................................................................................................3-79 3.1.30 halt ....................................................................................................................................................................................................................3-82 3.1.31 join-cluster ......................................................................................................................................................................................................3-83 3.1.32 l2tpv3 ...............................................................................................................................................................................................................3-85 3.1.33 logging .............................................................................................................................................................................................................3-87 3.1.34 mint ...................................................................................................................................................................................................................3-89 3.1.35 mkdir .................................................................................................................................................................................................................3-91 3.1.36 more .................................................................................................................................................................................................................3-92 3.1.37 no .......................................................................................................................................................................................................................3-93 3.1.38 on .......................................................................................................................................................................................................................3-95 3.1.39 opendns ..........................................................................................................................................................................................................3-96 3.1.40 page ...............................................................................................................................................................................................................3-100 3.1.41 ping ................................................................................................................................................................................................................... 3-101 3.1.42 ping6 .............................................................................................................................................................................................................. 3-103 3.1.43 pwd .................................................................................................................................................................................................................3-104 3.1.44 re-elect .......................................................................................................................................................................................................... 3-105 3.1.45 reload .............................................................................................................................................................................................................3-106 3.1.46 rename .............................................................................................................................................................................................................3-111 3.1.47 rmdir .................................................................................................................................................................................................................3-112 Access Point, Wireless Controller and Service Platform CLI Reference Guide ii Contents 3.1.48 self .....................................................................................................................................................................................................................3-113 3.1.49 ssh .................................................................................................................................................................................................................... 3-114 3.1.50 t5 .......................................................................................................................................................................................................................3-115 3.1.51 telnet .................................................................................................................................................................................................................3-117 3.1.52 terminal ...........................................................................................................................................................................................................3-118 3.1.53 time-it ............................................................................................................................................................................................................. 3-119 3.1.54 traceroute .................................................................................................................................................................................................... 3-120 3.1.55 traceroute6 ....................................................................................................................................................................................................3-121 3.1.56 upgrade ..........................................................................................................................................................................................................3-122 3.1.57 upgrade-abort ............................................................................................................................................................................................ 3-126 3.1.58 virtual-machine ...........................................................................................................................................................................................3-127 3.1.59 watch ..............................................................................................................................................................................................................3-133 3.1.60 exit .................................................................................................................................................................................................................. 3-134 3.1.61 raid ....................................................................................................................................................................................................................3-135 Chapter 4, GLOBAL CONFIGURATION COMMANDS 4.1 Global Configuration Commands .........................................................................................................................................................................4-4 4.1.1 aaa-policy ............................................................................................................................................................................................................ 4-9 4.1.2 alias .......................................................................................................................................................................................................................4-11 4.1.3 aaa-tacacs-policy ......................................................................................................................................................................................... 4-20 4.1.4 ap6521 ................................................................................................................................................................................................................4-22 4.1.5 ap6522 ...............................................................................................................................................................................................................4-23 4.1.6 ap6532 ...............................................................................................................................................................................................................4-24 4.1.7 ap6562 ...............................................................................................................................................................................................................4-25 4.1.8 ap71xx ................................................................................................................................................................................................................4-26 4.1.9 ap7502 ...............................................................................................................................................................................................................4-27 4.1.10 ap7522 .............................................................................................................................................................................................................4-28 4.1.11 ap7532 ...............................................................................................................................................................................................................4-29 4.1.12 ap7562 ............................................................................................................................................................................................................. 4-30 4.1.13 ap7602 ..............................................................................................................................................................................................................4-31 4.1.14 ap7612 ...............................................................................................................................................................................................................4-32 4.1.15 ap7622 ..............................................................................................................................................................................................................4-33 4.1.16 ap7632 ............................................................................................................................................................................................................ 4-34 4.1.17 ap7662 ..............................................................................................................................................................................................................4-35 4.1.18 ap81xx ...............................................................................................................................................................................................................4-36 4.1.19 ap82xx ..............................................................................................................................................................................................................4-37 4.1.20 ap8432 ............................................................................................................................................................................................................4-38 4.1.21 ap8533 ..............................................................................................................................................................................................................4-39 4.1.22 application .................................................................................................................................................................................................... 4-40 4.1.23 application-group ...................................................................................................................................................................................... 4-48 4.1.24 application-policy .......................................................................................................................................................................................4-55 4.1.25 association-acl-policy ...............................................................................................................................................................................4-78 4.1.26 auto-provisioning-policy .........................................................................................................................................................................4-79 4.1.27 bgp .....................................................................................................................................................................................................................4-81 4.1.28 bonjour-gateway-discovery-policy .....................................................................................................................................................4-83 4.1.29 bonjour-gw-forwarding-policy ............................................................................................................................................................ 4-90 4.1.30 bonjour-gw-query-forwarding-policy ...............................................................................................................................................4-92 4.1.31 captive portal ................................................................................................................................................................................................4-93 4.1.32 clear ................................................................................................................................................................................................................4-146 4.1.33 client-identity ............................................................................................................................................................................................. 4-147 4.1.34 client-identity-group ............................................................................................................................................................................... 4-156 4.1.35 clone ...............................................................................................................................................................................................................4-164 4.1.36 crypto-cmp-policy ................................................................................................................................................................................... 4-165 Access Point, Wireless Controller and Service Platform CLI Reference Guide iii Contents 4.1.37 customize .....................................................................................................................................................................................................4-166 4.1.38 database-client-policy ............................................................................................................................................................................ 4-177 4.1.39 database-policy .........................................................................................................................................................................................4-184 4.1.40 device ............................................................................................................................................................................................................ 4-192 4.1.41 device-categorization ..............................................................................................................................................................................4-194 4.1.42 dhcp-server-policy ................................................................................................................................................................................. 4-200 4.1.43 dhcpv6-server-policy ..............................................................................................................................................................................4-201 4.1.44 dns-whitelist ..............................................................................................................................................................................................4-203 4.1.45 end .................................................................................................................................................................................................................4-208 4.1.46 event-system-policy ..............................................................................................................................................................................4-209 4.1.47 ex3500 ......................................................................................................................................................................................................... 4-226 4.1.48 ex3500-management-policy .............................................................................................................................................................. 4-233 4.1.49 ex3500-qos-class-map-policy ...........................................................................................................................................................4-254 4.1.50 ex3500-qos-policy-map ...................................................................................................................................................................... 4-262 4.1.51 ex3524 ........................................................................................................................................................................................................... 4-277 4.1.52 ex3548 .......................................................................................................................................................................................................... 4-279 4.1.53 firewall-policy ............................................................................................................................................................................................4-280 4.1.54 global-association-list ............................................................................................................................................................................ 4-282 4.1.55 guest-management ................................................................................................................................................................................ 4-285 4.1.56 host ................................................................................................................................................................................................................ 4-297 4.1.57 inline-password-encryption ................................................................................................................................................................4-298 4.1.58 ip .....................................................................................................................................................................................................................4-299 4.1.59 ipv6 .................................................................................................................................................................................................................4-301 4.1.60 ipv6-router-advertisement-policy ...................................................................................................................................................4-302 4.1.61 l2tpv3 .............................................................................................................................................................................................................4-320 4.1.62 mac ................................................................................................................................................................................................................ 4-322 4.1.63 management-policy ............................................................................................................................................................................... 4-323 4.1.64 meshpoint ................................................................................................................................................................................................... 4-325 4.1.65 meshpoint-qos-policy ............................................................................................................................................................................ 4-327 4.1.66 mint-policy ................................................................................................................................................................................................. 4-328 4.1.67 nac-list .......................................................................................................................................................................................................... 4-329 4.1.68 no ................................................................................................................................................................................................................... 4-335 4.1.69 nsight-policy ..............................................................................................................................................................................................4-339 4.1.70 passpoint-policy ......................................................................................................................................................................................4-350 4.1.71 password-encryption .............................................................................................................................................................................. 4-352 4.1.72 profile ............................................................................................................................................................................................................ 4-353 4.1.73 radio-qos-policy ....................................................................................................................................................................................... 4-357 4.1.74 radius-group .............................................................................................................................................................................................. 4-358 4.1.75 radius-server-policy ................................................................................................................................................................................4-359 4.1.76 radius-user-pool-policy .......................................................................................................................................................................... 4-361 4.1.77 rename ......................................................................................................................................................................................................... 4-362 4.1.78 replace ..........................................................................................................................................................................................................4-364 4.1.79 rf-domain ....................................................................................................................................................................................................4-366 4.1.80 rfs6000 ........................................................................................................................................................................................................4-403 4.1.81 rfs4000 ........................................................................................................................................................................................................ 4-404 4.1.82 nx5500 .........................................................................................................................................................................................................4-405 4.1.83 nx75xx ......................................................................................................................................................................................................... 4-406 4.1.84 nx9000 ........................................................................................................................................................................................................4-407 4.1.85 roaming-assist-policy ........................................................................................................................................................................... 4-408 4.1.86 role-policy ....................................................................................................................................................................................................4-410 4.1.87 route-map ..................................................................................................................................................................................................... 4-411 4.1.88 routing-policy ............................................................................................................................................................................................. 4-412 4.1.89 rtl-server-policy ......................................................................................................................................................................................... 4-413 4.1.90 schedule-policy .........................................................................................................................................................................................4-419 Access Point, Wireless Controller and Service Platform CLI Reference Guide iv Contents 4.1.91 self ...................................................................................................................................................................................................................4-426 4.1.92 sensor-policy ............................................................................................................................................................................................. 4-427 4.1.93 smart-rf-policy ..........................................................................................................................................................................................4-436 4.1.94 t5 ....................................................................................................................................................................................................................4-438 4.1.95 web-filter-policy ...................................................................................................................................................................................... 4-440 4.1.96 wips-policy ..................................................................................................................................................................................................4-451 4.1.97 wlan ...............................................................................................................................................................................................................4-452 4.1.98 wlan-qos-policy ........................................................................................................................................................................................4-549 4.1.99 url-filter ......................................................................................................................................................................................................... 4-551 4.1.100 url-list ..........................................................................................................................................................................................................4-565 4.1.101 vx9000 ......................................................................................................................................................................................................... 4-571 Chapter 5, COMMON COMMANDS 5.1 Common Commands ................................................................................................................................................................................................. 5-2 5.1.1 clrscr ....................................................................................................................................................................................................................... 5-3 5.1.2 commit ................................................................................................................................................................................................................. 5-4 5.1.3 exit ......................................................................................................................................................................................................................... 5-5 5.1.4 help ........................................................................................................................................................................................................................ 5-6 5.1.5 no ........................................................................................................................................................................................................................... 5-9 5.1.6 revert ...................................................................................................................................................................................................................5-12 5.1.7 service .................................................................................................................................................................................................................5-13 5.1.8 show ....................................................................................................................................................................................................................5-58 5.1.9 write ................................................................................................................................................................................................................... 5-60 Chapter 6, SHOW COMMANDS 6.1 show commands .......................................................................................................................................................................................................... 6-2 6.1.1 show ....................................................................................................................................................................................................................... 6-5 6.1.2 adoption ............................................................................................................................................................................................................ 6-10 6.1.3 bluetooth ...........................................................................................................................................................................................................6-14 6.1.4 boot .....................................................................................................................................................................................................................6-16 6.1.5 bonjour ...............................................................................................................................................................................................................6-17 6.1.6 captive-portal ..................................................................................................................................................................................................6-18 6.1.7 captive-portal-page-upload .................................................................................................................................................................... 6-20 6.1.8 cdp .......................................................................................................................................................................................................................6-22 6.1.9 classify-url ........................................................................................................................................................................................................6-24 6.1.10 clock ..................................................................................................................................................................................................................6-25 6.1.11 cluster ................................................................................................................................................................................................................6-26 6.1.12 cmp-factory-certs ........................................................................................................................................................................................6-28 6.1.13 commands ......................................................................................................................................................................................................6-29 6.1.14 context ............................................................................................................................................................................................................ 6-30 6.1.15 critical-resources ...........................................................................................................................................................................................6-31 6.1.16 crypto ...............................................................................................................................................................................................................6-32 6.1.17 database ..........................................................................................................................................................................................................6-35 6.1.18 device-upgrade ............................................................................................................................................................................................6-37 6.1.19 dot1x ..................................................................................................................................................................................................................6-39 6.1.20 dpi ......................................................................................................................................................................................................................6-41 6.1.21 eguest .............................................................................................................................................................................................................. 6-44 6.1.22 environmental-sensor ...............................................................................................................................................................................6-45 6.1.23 event-history ............................................................................................................................................................................................... 6-48 6.1.24 event-system-policy ................................................................................................................................................................................. 6-49 6.1.25 ex3500 ........................................................................................................................................................................................................... 6-50 6.1.26 extdev ..............................................................................................................................................................................................................6-53 Access Point, Wireless Controller and Service Platform CLI Reference Guide v Contents 6.1.27 file-sync ...........................................................................................................................................................................................................6-54 6.1.28 firewall .............................................................................................................................................................................................................6-56 6.1.29 global .............................................................................................................................................................................................................. 6-60 6.1.30 gre .....................................................................................................................................................................................................................6-62 6.1.31 guest-registration ........................................................................................................................................................................................6-63 6.1.32 interface ...........................................................................................................................................................................................................6-71 6.1.33 ip ........................................................................................................................................................................................................................6-75 6.1.34 ip-access-list .................................................................................................................................................................................................6-82 6.1.35 ipv6 .................................................................................................................................................................................................................. 6-84 6.1.36 ipv6-access-list ............................................................................................................................................................................................6-88 6.1.37 l2tpv3 ...............................................................................................................................................................................................................6-89 6.1.38 lacp ...................................................................................................................................................................................................................6-92 6.1.39 ldap-agent .....................................................................................................................................................................................................6-95 6.1.40 licenses .......................................................................................................................................................................................................... 6-96 6.1.41 lldp .................................................................................................................................................................................................................... 6-99 6.1.42 logging ......................................................................................................................................................................................................... 6-100 6.1.43 mac-access-list ...........................................................................................................................................................................................6-101 6.1.44 mac-address-table ...................................................................................................................................................................................6-102 6.1.45 mac-auth ......................................................................................................................................................................................................6-103 6.1.46 mac-auth-clients .......................................................................................................................................................................................6-105 6.1.47 mint ................................................................................................................................................................................................................6-107 6.1.48 nsight ............................................................................................................................................................................................................... 6-111 6.1.49 ntp .................................................................................................................................................................................................................... 6-112 6.1.50 password-encryption ............................................................................................................................................................................... 6-114 6.1.51 pppoe-client .................................................................................................................................................................................................. 6-115 6.1.52 privilege ......................................................................................................................................................................................................... 6-116 6.1.53 radius .............................................................................................................................................................................................................. 6-117 6.1.54 reload .............................................................................................................................................................................................................. 6-119 6.1.55 rf-domain-manager .................................................................................................................................................................................6-120 6.1.56 role ................................................................................................................................................................................................................... 6-121 6.1.57 route-maps .................................................................................................................................................................................................. 6-122 6.1.58 rtls ................................................................................................................................................................................................................... 6-123 6.1.59 running-config ........................................................................................................................................................................................... 6-125 6.1.60 session-changes ....................................................................................................................................................................................... 6-132 6.1.61 session-config ............................................................................................................................................................................................. 6-133 6.1.62 sessions ......................................................................................................................................................................................................... 6-134 6.1.63 site-config-diff ........................................................................................................................................................................................... 6-135 6.1.64 smart-rf ......................................................................................................................................................................................................... 6-136 6.1.65 spanning-tree .............................................................................................................................................................................................6-140 6.1.66 startup-config ............................................................................................................................................................................................ 6-142 6.1.67 t5 ...................................................................................................................................................................................................................... 6-143 6.1.68 terminal .......................................................................................................................................................................................................... 6-151 6.1.69 timezone ...................................................................................................................................................................................................... 6-152 6.1.70 traffic-shape ............................................................................................................................................................................................... 6-153 6.1.71 upgrade-status ............................................................................................................................................................................................ 6-155 6.1.72 version ........................................................................................................................................................................................................... 6-156 6.1.73 vrrp ................................................................................................................................................................................................................. 6-157 6.1.74 web-filter ...................................................................................................................................................................................................... 6-159 6.1.75 what ................................................................................................................................................................................................................. 6-161 6.1.76 wireless ......................................................................................................................................................................................................... 6-162 6.1.77 wwan .............................................................................................................................................................................................................. 6-185 6.1.78 virtual-machine .......................................................................................................................................................................................... 6-186 6.1.79 raid .................................................................................................................................................................................................................. 6-189 Access Point, Wireless Controller and Service Platform CLI Reference Guide vi Contents Chapter 7, PROFILES 7.1 Profile Config Commands .........................................................................................................................................................................................7-7 7.1.1 adopter-auto-provisioning-policy-lookup ............................................................................................................................................. 7-11 7.1.2 adoption ............................................................................................................................................................................................................. 7-13 7.1.3 alias ....................................................................................................................................................................................................................... 7-15 7.1.4 application-policy .......................................................................................................................................................................................... 7-22 7.1.5 area ......................................................................................................................................................................................................................7-24 7.1.6 arp ........................................................................................................................................................................................................................7-25 7.1.7 auto-learn ......................................................................................................................................................................................................... 7-27 7.1.8 autogen-uniqueid ..........................................................................................................................................................................................7-28 7.1.9 autoinstall .........................................................................................................................................................................................................7-30 7.1.10 bridge ................................................................................................................................................................................................................ 7-31 7.1.11 captive-portal .................................................................................................................................................................................................7-62 7.1.12 cdp .....................................................................................................................................................................................................................7-63 7.1.13 cluster ...............................................................................................................................................................................................................7-64 7.1.14 configuration-persistence ........................................................................................................................................................................7-67 7.1.15 controller .........................................................................................................................................................................................................7-68 7.1.16 critical-resource ............................................................................................................................................................................................ 7-72 7.1.17 crypto ............................................................................................................................................................................................................... 7-80 7.1.18 database ........................................................................................................................................................................................................ 7-143 7.1.19 device-onboard .......................................................................................................................................................................................... 7-144 7.1.20 device-upgrade ......................................................................................................................................................................................... 7-145 7.1.21 diag .................................................................................................................................................................................................................. 7-147 7.1.22 dot1x ............................................................................................................................................................................................................... 7-148 7.1.23 dpi .................................................................................................................................................................................................................... 7-150 7.1.24 dscp-mapping .............................................................................................................................................................................................7-153 7.1.25 eguest-server (VX9000 only) ............................................................................................................................................................. 7-154 7.1.26 eguest-server (NOC Only) .....................................................................................................................................................................7-155 7.1.27 email-notification ...................................................................................................................................................................................... 7-156 7.1.28 enforce-version .......................................................................................................................................................................................... 7-158 7.1.29 environmental-sensor ............................................................................................................................................................................. 7-159 7.1.30 events ............................................................................................................................................................................................................. 7-161 7.1.31 export .............................................................................................................................................................................................................. 7-162 7.1.32 file-sync ......................................................................................................................................................................................................... 7-163 7.1.33 floor ................................................................................................................................................................................................................. 7-164 7.1.34 gre ................................................................................................................................................................................................................... 7-165 7.1.35 http-analyze .................................................................................................................................................................................................7-177 7.1.36 interface ........................................................................................................................................................................................................ 7-180 7.1.37 ip ..................................................................................................................................................................................................................... 7-348 7.1.38 ipv6 ................................................................................................................................................................................................................ 7-358 7.1.39 l2tpv3 ............................................................................................................................................................................................................ 7-362 7.1.40 l3e-lite-table .............................................................................................................................................................................................. 7-364 7.1.41 led .................................................................................................................................................................................................................... 7-365 7.1.42 led-timeout ................................................................................................................................................................................................. 7-366 7.1.43 legacy-auto-downgrade ....................................................................................................................................................................... 7-368 7.1.44 legacy-auto-update ................................................................................................................................................................................ 7-369 7.1.45 lldp ................................................................................................................................................................................................................. 7-370 7.1.46 load-balancing ...........................................................................................................................................................................................7-372 7.1.47 logging ..........................................................................................................................................................................................................7-377 7.1.48 mac-address-table .................................................................................................................................................................................. 7-379 7.1.49 mac-auth .......................................................................................................................................................................................................7-381 7.1.50 management-server ............................................................................................................................................................................... 7-384 7.1.51 memory-profile .......................................................................................................................................................................................... 7-385 Access Point, Wireless Controller and Service Platform CLI Reference Guide vii Contents 7.1.52 meshpoint-device .................................................................................................................................................................................... 7-386 7.1.53 meshpoint-monitor-interval ................................................................................................................................................................ 7-388 7.1.54 min-misconfiguration-recovery-time .............................................................................................................................................. 7-389 7.1.55 mint ................................................................................................................................................................................................................7-390 7.1.56 misconfiguration-recovery-time ....................................................................................................................................................... 7-397 7.1.57 neighbor-inactivity-timeout ................................................................................................................................................................ 7-398 7.1.58 neighbor-info-interval ............................................................................................................................................................................ 7-399 7.1.59 no ................................................................................................................................................................................................................... 7-400 7.1.60 noc .................................................................................................................................................................................................................7-402 7.1.61 nsight .............................................................................................................................................................................................................7-403 7.1.62 ntp ..................................................................................................................................................................................................................7-408 7.1.63 otls .................................................................................................................................................................................................................... 7-411 7.1.64 offline-duration .......................................................................................................................................................................................... 7-414 7.1.65 power-config .............................................................................................................................................................................................. 7-415 7.1.66 preferred-controller-group ................................................................................................................................................................... 7-417 7.1.67 preferred-tunnel-controller .................................................................................................................................................................. 7-418 7.1.68 radius ............................................................................................................................................................................................................. 7-419 7.1.69 rf-domain-manager ................................................................................................................................................................................7-420 7.1.70 router ............................................................................................................................................................................................................. 7-421 7.1.71 spanning-tree .............................................................................................................................................................................................. 7-423 7.1.72 traffic-class-mapping ............................................................................................................................................................................. 7-426 7.1.73 traffic-shape ............................................................................................................................................................................................... 7-428 7.1.74 trustpoint (profile-config-mode) ......................................................................................................................................................7-434 7.1.75 tunnel-controller ....................................................................................................................................................................................... 7-436 7.1.76 use .................................................................................................................................................................................................................. 7-437 7.1.77 vrrp .................................................................................................................................................................................................................7-443 7.1.78 vrrp-state-check ....................................................................................................................................................................................... 7-447 7.1.79 virtual-controller .......................................................................................................................................................................................7-448 7.1.80 wep-shared-key-auth ............................................................................................................................................................................7-450 7.1.81 service ............................................................................................................................................................................................................. 7-451 7.1.82 zone ............................................................................................................................................................................................................... 7-456 7.2 Device Config Commands .................................................................................................................................................................................. 7-457 7.2.1 adoption-site ................................................................................................................................................................................................7-464 7.2.2 area .................................................................................................................................................................................................................. 7-465 7.2.3 channel-list ...................................................................................................................................................................................................7-466 7.2.4 contact ........................................................................................................................................................................................................... 7-467 7.2.5 country-code ...............................................................................................................................................................................................7-468 7.2.6 floor .................................................................................................................................................................................................................7-469 7.2.7 geo-coordinates .........................................................................................................................................................................................7-470 7.2.8 hostname ....................................................................................................................................................................................................... 7-471 7.2.9 lacp .................................................................................................................................................................................................................. 7-472 7.2.10 layout-coordinates .................................................................................................................................................................................. 7-473 7.2.11 license ............................................................................................................................................................................................................ 7-474 7.2.12 location ......................................................................................................................................................................................................... 7-477 7.2.13 mac-name ................................................................................................................................................................................................... 7-478 7.2.14 no .................................................................................................................................................................................................................... 7-479 7.2.15 nsight ............................................................................................................................................................................................................7-480 7.2.16 override-wlan ............................................................................................................................................................................................7-484 7.2.17 remove-override .......................................................................................................................................................................................7-486 7.2.18 rsa-key .......................................................................................................................................................................................................... 7-488 7.2.19 sensor-server .............................................................................................................................................................................................7-489 7.2.20 timezone .....................................................................................................................................................................................................7-490 7.2.21 trustpoint (device-config-mode) ....................................................................................................................................................... 7-491 7.2.22 raid ................................................................................................................................................................................................................ 7-493 Access Point, Wireless Controller and Service Platform CLI Reference Guide viii Contents 7.3 T5 Profile Config Commands ............................................................................................................................................................................7-494 7.3.1 cpe .................................................................................................................................................................................................................... 7-495 7.3.2 interface ......................................................................................................................................................................................................... 7-497 7.3.3 ip .......................................................................................................................................................................................................................7-499 7.3.4 no .....................................................................................................................................................................................................................7-500 7.3.5 ntp ..................................................................................................................................................................................................................... 7-501 7.3.6 override-wlan .............................................................................................................................................................................................. 7-502 7.3.7 t5 ....................................................................................................................................................................................................................... 7-503 7.3.8 t5-logging .....................................................................................................................................................................................................7-504 7.3.9 use ...................................................................................................................................................................................................................7-505 7.4 EX3524 & EX3548 Profile/Device Config Commands ............................................................................................................................7-506 7.4.1 interface ......................................................................................................................................................................................................... 7-507 7.4.2 ip ........................................................................................................................................................................................................................7-527 7.4.3 power ............................................................................................................................................................................................................. 7-528 7.4.4 upgrade ......................................................................................................................................................................................................... 7-529 7.4.5 use ................................................................................................................................................................................................................... 7-530 7.4.6 no .......................................................................................................................................................................................................................7-531 Chapter 8, AAA-POLICY 8.1 aaa-policy ....................................................................................................................................................................................................................... 8-3 8.1.1 accounting ........................................................................................................................................................................................................... 8-4 8.1.2 attribute ............................................................................................................................................................................................................... 8-8 8.1.3 authentication ...................................................................................................................................................................................................8-11 8.1.4 health-check .....................................................................................................................................................................................................8-16 8.1.5 mac-address-format .....................................................................................................................................................................................8-17 8.1.6 no ..........................................................................................................................................................................................................................8-19 8.1.7 proxy-attribute ................................................................................................................................................................................................8-21 8.1.8 server-pooling-mode ...................................................................................................................................................................................8-22 8.1.9 use .......................................................................................................................................................................................................................8-23 Chapter 9, AUTO-PROVISIONING-POLICY 9.1 auto-provisioning-policy .......................................................................................................................................................................................... 9-4 9.1.1 adopt ..................................................................................................................................................................................................................... 9-5 9.1.2 auto-create-rfd-template .......................................................................................................................................................................... 9-10 9.1.3 default-adoption .............................................................................................................................................................................................9-12 9.1.4 deny .....................................................................................................................................................................................................................9-13 9.1.5 evaluate-always ..............................................................................................................................................................................................9-16 9.1.6 redirect ...............................................................................................................................................................................................................9-17 9.1.7 upgrade ..............................................................................................................................................................................................................9-21 9.1.8 no .........................................................................................................................................................................................................................9-24 Chapter 10, ASSOCIATION-ACL-POLICY 10.1 association-acl-policy .............................................................................................................................................................................................10-2 10.1.1 deny .....................................................................................................................................................................................................................10-3 10.1.2 no .........................................................................................................................................................................................................................10-5 10.1.3 permit ............................................................................................................................................................................................................... 10-6 Chapter 11, ACCESS-LIST 11.1 ip-access-list ..................................................................................................................................................................................................................11-4 11.1.1 deny ....................................................................................................................................................................................................................... 11-5 11.1.2 disable .................................................................................................................................................................................................................11-17 Access Point, Wireless Controller and Service Platform CLI Reference Guide ix Contents 11.1.3 insert .................................................................................................................................................................................................................. 11-20 11.1.4 no .........................................................................................................................................................................................................................11-22 11.1.5 permit .................................................................................................................................................................................................................11-23 11.2 mac-access-list ......................................................................................................................................................................................................... 11-34 11.2.1 deny ....................................................................................................................................................................................................................11-35 11.2.2 disable ...............................................................................................................................................................................................................11-38 11.2.3 ex3500 ............................................................................................................................................................................................................11-40 11.2.4 insert ................................................................................................................................................................................................................ 11-43 11.2.5 no ....................................................................................................................................................................................................................... 11-45 11.2.6 permit .............................................................................................................................................................................................................. 11-46 11.3 ipv6-access-list ......................................................................................................................................................................................................... 11-49 11.3.1 deny ................................................................................................................................................................................................................... 11-50 11.3.2 no ....................................................................................................................................................................................................................... 11-56 11.3.3 permit ................................................................................................................................................................................................................11-57 11.4 ip-snmp-access-list ................................................................................................................................................................................................ 11-63 11.4.1 deny ................................................................................................................................................................................................................... 11-64 11.4.2 permit .............................................................................................................................................................................................................. 11-65 11.4.3 no ....................................................................................................................................................................................................................... 11-66 11.5 ex3500-ext-access-list ......................................................................................................................................................................................... 11-67 11.5.1 deny ................................................................................................................................................................................................................... 11-68 11.5.2 permit .................................................................................................................................................................................................................11-71 11.5.3 no ....................................................................................................................................................................................................................... 11-74 11.6 ex3500-std-access-list ..........................................................................................................................................................................................11-75 11.6.1 deny ................................................................................................................................................................................................................... 11-76 11.6.2 permit ...............................................................................................................................................................................................................11-77 11.6.3 no ........................................................................................................................................................................................................................11-78 Chapter 12, DHCP-SERVER-POLICY 12.1 dhcp-server-policy ................................................................................................................................................................................................... 12-3 12.1.1 bootp ...................................................................................................................................................................................................................12-4 12.1.2 dhcp-class ........................................................................................................................................................................................................12-5 12.1.3 dhcp-pool .........................................................................................................................................................................................................12-11 12.1.4 dhcp-server .................................................................................................................................................................................................. 12-56 12.1.5 no ...................................................................................................................................................................................................................... 12-58 12.1.6 option .............................................................................................................................................................................................................. 12-59 12.1.7 ping ..................................................................................................................................................................................................................12-60 12.2 dhcpv6-server-policy ........................................................................................................................................................................................... 12-61 12.2.1 dhcpv6-pool ................................................................................................................................................................................................. 12-62 12.2.2 option ..............................................................................................................................................................................................................12-73 12.2.3 restrict-vendor-options ...........................................................................................................................................................................12-75 12.2.4 server-preference ..................................................................................................................................................................................... 12-76 12.2.5 no ......................................................................................................................................................................................................................12-77 Chapter 13, FIREWALL-POLICY 13.1 firewall-policy .............................................................................................................................................................................................................13-3 13.1.1 acl-logging ........................................................................................................................................................................................................13-4 13.1.2 alg ........................................................................................................................................................................................................................13-5 13.1.3 clamp .................................................................................................................................................................................................................. 13-7 13.1.4 dhcp-offer-convert ......................................................................................................................................................................................13-8 13.1.5 dns-snoop ........................................................................................................................................................................................................13-9 13.1.6 firewall ............................................................................................................................................................................................................. 13-10 13.1.7 flow .....................................................................................................................................................................................................................13-11 Access Point, Wireless Controller and Service Platform CLI Reference Guide x Contents 13.1.8 ip .........................................................................................................................................................................................................................13-13 13.1.9 ip-mac ............................................................................................................................................................................................................. 13-20 13.1.10 ipv6 .................................................................................................................................................................................................................13-22 13.1.11 ipv6-mac ....................................................................................................................................................................................................... 13-26 13.1.12 logging .......................................................................................................................................................................................................... 13-28 13.1.13 no ..................................................................................................................................................................................................................... 13-30 13.1.14 proxy-arp ......................................................................................................................................................................................................13-32 13.1.15 proxy-nd ........................................................................................................................................................................................................13-33 13.1.16 stateful-packet-inspection-12 .............................................................................................................................................................. 13-34 13.1.17 storm-control ..............................................................................................................................................................................................13-35 13.1.18 virtual-defragmentation .........................................................................................................................................................................13-37 Chapter 14, MINT-POLICY 14.1 mint-policy ...................................................................................................................................................................................................................14-2 14.1.1 level ......................................................................................................................................................................................................................14-3 14.1.2 lsp ........................................................................................................................................................................................................................14-4 14.1.3 mtu ......................................................................................................................................................................................................................14-5 14.1.4 router .................................................................................................................................................................................................................14-6 14.1.5 udp ......................................................................................................................................................................................................................14-7 14.1.6 no .........................................................................................................................................................................................................................14-8 Chapter 15, MANAGEMENT-POLICY 15.1 management-policy .................................................................................................................................................................................................15-3 15.1.1 aaa-login ............................................................................................................................................................................................................15-5 15.1.2 allowed-locations .......................................................................................................................................................................................... 15-7 15.1.3 banner ................................................................................................................................................................................................................15-9 15.1.4 ftp ...................................................................................................................................................................................................................... 15-10 15.1.5 http ....................................................................................................................................................................................................................15-12 15.1.6 https ..................................................................................................................................................................................................................15-13 15.1.7 idle-session-timeout ...................................................................................................................................................................................15-15 15.1.8 ipv6 ................................................................................................................................................................................................................... 15-16 15.1.9 no ....................................................................................................................................................................................................................... 15-18 15.1.10 passwd-entry ............................................................................................................................................................................................. 15-20 15.1.11 privilege-mode-password .......................................................................................................................................................................15-22 15.1.12 rest-server ................................................................................................................................................................................................... 15-24 15.1.13 restrict-access .............................................................................................................................................................................................15-25 15.1.14 snmp-server ................................................................................................................................................................................................ 15-28 15.1.15 ssh ....................................................................................................................................................................................................................15-33 15.1.16 t5 ..................................................................................................................................................................................................................... 15-34 15.1.17 telnet .............................................................................................................................................................................................................. 15-36 15.1.18 user ..................................................................................................................................................................................................................15-37 15.1.19 service ............................................................................................................................................................................................................ 15-41 Chapter 16, RADIUS-POLICY 16.1 radius-group ................................................................................................................................................................................................................16-2 16.1.1 guest ....................................................................................................................................................................................................................16-4 16.1.2 policy ..................................................................................................................................................................................................................16-5 16.1.3 rate-limit ...........................................................................................................................................................................................................16-9 16.1.4 no .......................................................................................................................................................................................................................16-10 16.2 radius-server-policy .............................................................................................................................................................................................. 16-12 16.2.1 authentication .............................................................................................................................................................................................. 16-14 Access Point, Wireless Controller and Service Platform CLI Reference Guide xi Contents 16.2.2 bypass ............................................................................................................................................................................................................. 16-16 16.2.3 chase-referral .............................................................................................................................................................................................. 16-17 16.2.4 crl-check ........................................................................................................................................................................................................ 16-18 16.2.5 ldap-agent .................................................................................................................................................................................................... 16-19 16.2.6 ldap-group-verification ........................................................................................................................................................................... 16-21 16.2.7 ldap-server ................................................................................................................................................................................................... 16-22 16.2.8 local ................................................................................................................................................................................................................ 16-25 16.2.9 nas ................................................................................................................................................................................................................... 16-26 16.2.10 no ................................................................................................................................................................................................................... 16-28 16.2.11 proxy ..............................................................................................................................................................................................................16-30 16.2.12 session-resumption ................................................................................................................................................................................ 16-32 16.2.13 termination ................................................................................................................................................................................................. 16-33 16.2.14 use ................................................................................................................................................................................................................. 16-34 16.3 radius-user-pool-policy ...................................................................................................................................................................................... 16-35 16.3.1 duration .......................................................................................................................................................................................................... 16-36 16.3.2 user ................................................................................................................................................................................................................. 16-37 16.3.3 no .....................................................................................................................................................................................................................16-40 Chapter 17, RADIO-QOS-POLICY 17.1 radio-qos-policy .........................................................................................................................................................................................................17-4 17.1.1 accelerated-multicast ................................................................................................................................................................................... 17-5 17.1.2 admission-control .........................................................................................................................................................................................17-6 17.1.3 no ....................................................................................................................................................................................................................... 17-10 17.1.4 smart-aggregation ......................................................................................................................................................................................17-12 17.1.5 service .............................................................................................................................................................................................................. 17-14 17.1.6 wmm ................................................................................................................................................................................................................ 17-16 Chapter 18, ROLE-POLICY 18.1 role-policy ....................................................................................................................................................................................................................18-2 18.1.1 default-role .......................................................................................................................................................................................................18-3 18.1.2 ldap-deadperiod ............................................................................................................................................................................................18-5 18.1.3 ldap-query .......................................................................................................................................................................................................18-6 18.1.4 ldap-server ......................................................................................................................................................................................................18-7 18.1.5 ldap-timeout ...................................................................................................................................................................................................18-9 18.1.6 no ....................................................................................................................................................................................................................... 18-10 18.1.7 user-role ............................................................................................................................................................................................................18-11 Chapter 19, SMART-RF-POLICY 19.1 smart-rf-policy ...........................................................................................................................................................................................................19-3 19.1.1 area ......................................................................................................................................................................................................................19-4 19.1.2 assignable-power .........................................................................................................................................................................................19-5 19.1.3 avoidance-time ..............................................................................................................................................................................................19-6 19.1.4 channel-list ......................................................................................................................................................................................................19-8 19.1.5 channel-width .................................................................................................................................................................................................19-9 19.1.6 coverage-hole-recovery ........................................................................................................................................................................... 19-11 19.1.7 enable .............................................................................................................................................................................................................. 19-13 19.1.8 group-by ......................................................................................................................................................................................................... 19-14 19.1.9 interference-recovery ............................................................................................................................................................................... 19-15 19.1.10 neighbor-recovery .................................................................................................................................................................................... 19-17 19.1.11 no ...................................................................................................................................................................................................................... 19-19 19.1.12 sensitivity ...................................................................................................................................................................................................... 19-21 Access Point, Wireless Controller and Service Platform CLI Reference Guide xii Contents 19.1.13 smart-ocs-monitoring ............................................................................................................................................................................ 19-23 Chapter 20, WIPS-POLICY 20.1 wips-policy ............................................................................................................................................................................................................... 20-4 20.1.1 ap-detection ..................................................................................................................................................................................................20-5 20.1.2 enable ..............................................................................................................................................................................................................20-7 20.1.3 event ............................................................................................................................................................................................................... 20-8 20.1.4 history-throttle-duration ....................................................................................................................................................................... 20-12 20.1.5 interference-event ................................................................................................................................................................................... 20-13 20.1.6 no ....................................................................................................................................................................................................................20-14 20.1.7 signature .......................................................................................................................................................................................................20-16 20.1.8 use .................................................................................................................................................................................................................20-33 Chapter 21, WLAN-QOS-POLICY 21.1 wlan-qos-policy ......................................................................................................................................................................................................... 21-2 21.1.1 accelerated-multicast ................................................................................................................................................................................... 21-3 21.1.2 classification ....................................................................................................................................................................................................21-5 21.1.3 multicast-mask ............................................................................................................................................................................................... 21-7 21.1.4 no .........................................................................................................................................................................................................................21-8 21.1.5 qos .......................................................................................................................................................................................................................21-9 21.1.6 rate-limit ......................................................................................................................................................................................................... 21-10 21.1.7 svp-prioritization ..........................................................................................................................................................................................21-13 21.1.8 voice-prioritization ..................................................................................................................................................................................... 21-14 21.1.9 wmm .................................................................................................................................................................................................................21-15 Chapter 22, L2TPV3-POLICY 22.1 l2tpv3-policy-commands .....................................................................................................................................................................................22-3 22.1.1 cookie-size ......................................................................................................................................................................................................22-5 22.1.2 failover-delay ................................................................................................................................................................................................22-6 22.1.3 force-l2-path-recovery ............................................................................................................................................................................. 22-7 22.1.4 hello-interval .................................................................................................................................................................................................22-8 22.1.5 no .......................................................................................................................................................................................................................22-9 22.1.6 reconnect-attempts ................................................................................................................................................................................. 22-10 22.1.7 reconnect-interval ......................................................................................................................................................................................22-11 22.1.8 retry-attempts .............................................................................................................................................................................................22-12 22.1.9 retry-interval ................................................................................................................................................................................................22-13 22.1.10 rx-window-size ......................................................................................................................................................................................... 22-14 22.1.11 tx-window-size ...........................................................................................................................................................................................22-15 22.2 l2tpv3-tunnel-commands ................................................................................................................................................................................. 22-16 22.2.1 establishment-criteria ..............................................................................................................................................................................22-17 22.2.2 fast-failover ................................................................................................................................................................................................ 22-19 22.2.3 hostname .................................................................................................................................................................................................... 22-20 22.2.4 local-ip-address .........................................................................................................................................................................................22-21 22.2.5 mtu .................................................................................................................................................................................................................22-22 22.2.6 no ....................................................................................................................................................................................................................22-23 22.2.7 peer ............................................................................................................................................................................................................... 22-24 22.2.8 router-id ...................................................................................................................................................................................................... 22-28 22.2.9 session ......................................................................................................................................................................................................... 22-29 22.2.10 use .................................................................................................................................................................................................................22-31 22.3 l2tpv3-manual-session-commands ..............................................................................................................................................................22-32 22.3.1 local-cookie ................................................................................................................................................................................................ 22-34 Access Point, Wireless Controller and Service Platform CLI Reference Guide xiii Contents 22.3.2 local-ip-address ........................................................................................................................................................................................22-35 22.3.3 local-session-id ........................................................................................................................................................................................ 22-36 22.3.4 mtu .................................................................................................................................................................................................................22-37 22.3.5 no ................................................................................................................................................................................................................... 22-38 22.3.6 peer ............................................................................................................................................................................................................... 22-39 22.3.7 remote-cookie ..........................................................................................................................................................................................22-40 22.3.8 remote-session-id .................................................................................................................................................................................... 22-41 22.3.9 traffic-source ............................................................................................................................................................................................ 22-42 Chapter 23, ROUTER-MODE COMMANDS 23.1 router-mode ..............................................................................................................................................................................................................23-2 23.1.1 area ....................................................................................................................................................................................................................23-3 23.1.2 auto-cost .......................................................................................................................................................................................................23-12 23.1.3 default-information ...................................................................................................................................................................................23-13 23.1.4 ip ...................................................................................................................................................................................................................... 23-14 23.1.5 network ..........................................................................................................................................................................................................23-15 23.1.6 ospf ................................................................................................................................................................................................................. 23-16 23.1.7 passive ............................................................................................................................................................................................................23-17 23.1.8 redistribute .................................................................................................................................................................................................. 23-18 23.1.9 route-limit .................................................................................................................................................................................................... 23-19 23.1.10 router-id .......................................................................................................................................................................................................23-21 23.1.11 no .....................................................................................................................................................................................................................23-22 Chapter 24, ROUTING-POLICY 24.1 routing-policy-commands ...................................................................................................................................................................................24-2 24.1.1 apply-to-local-packets ..............................................................................................................................................................................24-3 24.1.2 logging ............................................................................................................................................................................................................24-4 24.1.3 route-map ......................................................................................................................................................................................................24-5 24.1.4 route-map-mode ........................................................................................................................................................................................24-8 24.1.5 use ................................................................................................................................................................................................................... 24-18 24.1.6 no .................................................................................................................................................................................................................... 24-19 Chapter 25, AAA-TACACS-POLICY 25.1 aaa-tacacs-policy ....................................................................................................................................................................................................25-2 25.1.1 accounting ......................................................................................................................................................................................................25-3 25.1.2 authentication ..............................................................................................................................................................................................25-6 25.1.3 authorization .................................................................................................................................................................................................25-9 25.1.4 no ......................................................................................................................................................................................................................25-12 Chapter 26, MESHPOINT 26.1 meshpoint-config-instance .................................................................................................................................................................................26-2 26.1.1 allowed-vlans .................................................................................................................................................................................................26-4 26.1.2 beacon-format .............................................................................................................................................................................................26-5 26.1.3 control-vlan ...................................................................................................................................................................................................26-6 26.1.4 data-rates ......................................................................................................................................................................................................26-7 26.1.5 description .................................................................................................................................................................................................... 26-11 26.1.6 force ............................................................................................................................................................................................................... 26-12 26.1.7 meshid ........................................................................................................................................................................................................... 26-13 26.1.8 neighbor ....................................................................................................................................................................................................... 26-14 26.1.9 no ..................................................................................................................................................................................................................... 26-15 26.1.10 root ............................................................................................................................................................................................................... 26-17 Access Point, Wireless Controller and Service Platform CLI Reference Guide xiv Contents 26.1.11 security-mode ............................................................................................................................................................................................ 26-19 26.1.12 service .........................................................................................................................................................................................................26-20 26.1.13 shutdown .................................................................................................................................................................................................... 26-21 26.1.14 use ................................................................................................................................................................................................................ 26-22 26.1.15 wpa2 ............................................................................................................................................................................................................ 26-23 26.2 meshpoint-qos-policy-config-instance ...................................................................................................................................................... 26-26 26.2.1 accelerated-multicast ............................................................................................................................................................................ 26-27 26.2.2 no ................................................................................................................................................................................................................... 26-29 26.2.3 rate-limit .....................................................................................................................................................................................................26-30 26.3 meshpoint-device-config-instance .............................................................................................................................................................. 26-34 26.3.1 meshpoint-device .................................................................................................................................................................................... 26-35 26.3.2 meshpoint-device-commands .......................................................................................................................................................... 26-37 Chapter 27, PASSPOINT POLICY 27.1 passpoint-policy ...................................................................................................................................................................................................... 27-2 27.1.1 3gpp ................................................................................................................................................................................................................... 27-3 27.1.2 access-network-type .................................................................................................................................................................................27-4 27.1.3 connection-capability ................................................................................................................................................................................27-5 27.1.4 domain-name ............................................................................................................................................................................................... 27-7 27.1.5 hessid ...............................................................................................................................................................................................................27-8 27.1.6 internet ............................................................................................................................................................................................................27-9 27.1.7 ip-address-type ......................................................................................................................................................................................... 27-10 27.1.8 nai-realm ........................................................................................................................................................................................................27-12 27.1.9 net-auth-type ..............................................................................................................................................................................................27-18 27.1.10 no ................................................................................................................................................................................................................... 27-19 27.1.11 operator ....................................................................................................................................................................................................... 27-20 27.1.12 osu ...................................................................................................................................................................................................................27-21 27.1.13 roam-consortium ......................................................................................................................................................................................27-31 27.1.14 venue ............................................................................................................................................................................................................27-32 27.1.15 wan-metrics .............................................................................................................................................................................................. 27-36 Chapter 28, BORDER GATEWAY PROTOCOL 28.1 bgp-ip-prefix-list-config commands ...............................................................................................................................................................28-2 28.1.1 deny ...................................................................................................................................................................................................................28-4 28.1.2 permit ..............................................................................................................................................................................................................28-5 28.1.3 no .......................................................................................................................................................................................................................28-6 28.2 bgp-ip-access-list-config commands ............................................................................................................................................................28-7 28.2.1 deny ..................................................................................................................................................................................................................28-8 28.2.2 permit .............................................................................................................................................................................................................28-9 28.2.3 no ....................................................................................................................................................................................................................28-10 28.3 bgp-as-path-list-config commands ...............................................................................................................................................................28-11 28.3.1 deny ................................................................................................................................................................................................................ 28-12 28.3.2 permit ........................................................................................................................................................................................................... 28-13 28.3.3 no .................................................................................................................................................................................................................... 28-14 28.4 bgp-community-list-config commands ..................................................................................................................................................... 28-15 28.4.1 deny .................................................................................................................................................................................................................28-17 28.4.2 permit ........................................................................................................................................................................................................... 28-19 28.4.3 no ................................................................................................................................................................................................................... 28-21 28.5 bgp-extcommunity-list-config commands .............................................................................................................................................. 28-22 28.5.1 deny ............................................................................................................................................................................................................... 28-23 28.5.2 permit .......................................................................................................................................................................................................... 28-25 28.5.3 no ................................................................................................................................................................................................................... 28-27 Access Point, Wireless Controller and Service Platform CLI Reference Guide xv Contents 28.6 bgp-route-map-config commands ............................................................................................................................................................. 28-28 28.6.1 description ..................................................................................................................................................................................................28-30 28.6.2 match ............................................................................................................................................................................................................ 28-31 28.6.3 no ................................................................................................................................................................................................................... 28-34 28.6.4 set ................................................................................................................................................................................................................. 28-35 28.7 bgp-router-config commands ....................................................................................................................................................................... 28-39 28.7.1 aggregate-address ................................................................................................................................................................................... 28-41 28.7.2 asn ................................................................................................................................................................................................................. 28-42 28.7.3 bgp ................................................................................................................................................................................................................ 28-43 28.7.4 bgp-route-limit ........................................................................................................................................................................................28-48 28.7.5 distance .......................................................................................................................................................................................................28-49 28.7.6 ip ....................................................................................................................................................................................................................28-50 28.7.7 network ........................................................................................................................................................................................................ 28-51 28.7.8 no ................................................................................................................................................................................................................... 28-52 28.7.9 route-redistribute ................................................................................................................................................................................... 28-53 28.7.10 timers ......................................................................................................................................................................................................... 28-55 28.8 bgp-neighbor-config commands ................................................................................................................................................................. 28-56 28.8.1 activate ......................................................................................................................................................................................................... 28-59 28.8.2 advertisement-interval .........................................................................................................................................................................28-60 28.8.3 allowas-in .................................................................................................................................................................................................... 28-61 28.8.4 attribute-unchanged ............................................................................................................................................................................. 28-62 28.8.5 capability .................................................................................................................................................................................................... 28-63 28.8.6 default-originate .....................................................................................................................................................................................28-64 28.8.7 description ................................................................................................................................................................................................. 28-65 28.8.8 disable-connected-check ....................................................................................................................................................................28-66 28.8.9 dont-capability-negotiate ................................................................................................................................................................... 28-67 28.8.10 ebgp-multihop ....................................................................................................................................................................................... 28-68 28.8.11 enforce-multihop ....................................................................................................................................................................................28-69 28.8.12 local-as .......................................................................................................................................................................................................28-70 28.8.13 maximum-prefix ......................................................................................................................................................................................28-71 28.8.14 next-hop-self .......................................................................................................................................................................................... 28-72 28.8.15 no ................................................................................................................................................................................................................. 28-73 28.8.16 override-capability ............................................................................................................................................................................... 28-74 28.8.17 passive ....................................................................................................................................................................................................... 28-75 28.8.18 password .................................................................................................................................................................................................. 28-76 28.8.19 peer-group ................................................................................................................................................................................................28-77 28.8.20 port ............................................................................................................................................................................................................ 28-78 28.8.21 remote-as ................................................................................................................................................................................................. 28-79 28.8.22 remove-private-as ...............................................................................................................................................................................28-80 28.8.23 route-server-client ................................................................................................................................................................................ 28-81 28.8.24 send-community .................................................................................................................................................................................. 28-82 28.8.25 shutdown ................................................................................................................................................................................................. 28-83 28.8.26 soft-reconfiguration ............................................................................................................................................................................28-84 28.8.27 strict-capability-match ....................................................................................................................................................................... 28-85 28.8.28 timers ........................................................................................................................................................................................................ 28-86 28.8.29 unsuppress-map ................................................................................................................................................................................... 28-88 28.8.30 update-source ....................................................................................................................................................................................... 28-89 28.8.31 use ...............................................................................................................................................................................................................28-90 28.8.32 weight ........................................................................................................................................................................................................ 28-91 Chapter 29, CRYPTO-CMP-POLICY 29.1 crypto-cmp-policy-instance ...............................................................................................................................................................................29-2 29.1.1 ca-server ..........................................................................................................................................................................................................29-3 Access Point, Wireless Controller and Service Platform CLI Reference Guide xvi Contents 29.1.2 cert-key-size .................................................................................................................................................................................................29-5 29.1.3 cert-renewal-timeout ................................................................................................................................................................................29-6 29.1.4 cross-cert-validate .....................................................................................................................................................................................29-7 29.1.5 subjectAltName ...........................................................................................................................................................................................29-8 29.1.6 trustpoint .......................................................................................................................................................................................................29-9 29.1.7 use .................................................................................................................................................................................................................... 29-11 29.1.8 no ..................................................................................................................................................................................................................... 29-12 29.2 other-cmp-related-commands ...................................................................................................................................................................... 29-13 29.2.1 use ................................................................................................................................................................................................................... 29-14 29.2.2 show .............................................................................................................................................................................................................. 29-15 Chapter 30, ROAMING ASSIST POLICY 30.1 roaming-assist-policy-instance .........................................................................................................................................................................30-2 30.1.1 action ................................................................................................................................................................................................................30-3 30.1.2 aggressiveness ........................................................................................................................................................................................... 30-4 30.1.3 detection-threshold ...................................................................................................................................................................................30-5 30.1.4 disassoc-time .............................................................................................................................................................................................. 30-6 30.1.5 handoff-count ..............................................................................................................................................................................................30-7 30.1.6 handoff-threshold ..................................................................................................................................................................................... 30-8 30.1.7 monitoring-interval ................................................................................................................................................................................... 30-9 30.1.8 sampling-interval ......................................................................................................................................................................................30-10 30.1.9 no ..................................................................................................................................................................................................................... 30-11 Appendix A, CONTROLLER MANAGED WLAN USE CASE A.1 Creating a First Controller Managed WLAN .....................................................................................................................................................A-1 A.1.1 Assumptions .......................................................................................................................................................................................................A-1 A.1.2 Design ..................................................................................................................................................................................................................A-2 A.1.3 Using the Command Line Interface to Configure the WLAN .......................................................................................................A-2 Appendix B, PUBLICLY AVAILABLE SOFTWARE B.1 General Information .................................................................................................................................................................................................... B-1 B.2 Open Source Software Used .................................................................................................................................................................................B-2 B.3 OSS Licenses ..............................................................................................................................................................................................................B-15 B.3.1 Apache License, Version 2.0 .....................................................................................................................................................................B-15 B.3.2 The BSD License ............................................................................................................................................................................................B-17 B.3.3 Creative Commons Attribution-ShareAlike License, version 3.0 ............................................................................................. B-18 B.3.4 DropBear License ........................................................................................................................................................................................B-23 B.3.5 GNU General Public License, version 2 ...............................................................................................................................................B-25 B.3.6 GNU GENERAL PUBLIC LICENSE ........................................................................................................................................................ B-26 B.3.7 GNU Lesser General Public License 2.1 ............................................................................................................................................... B-30 B.3.8 CCO 1.0 Universal .........................................................................................................................................................................................B-37 B.3.9 GNU General Public License, version 3 .............................................................................................................................................. B-39 B.3.10 ISC License ................................................................................................................................................................................................... B-48 B.3.11 GNU Lesser General Public License, version 3.0 ............................................................................................................................ B-48 B.3.12 GNU General Public License 2.0 ...........................................................................................................................................................B-51 B.3.13 GNU Lesser General Public License, version 2.0 ............................................................................................................................B-57 B.3.14 GNU Lesser General Public License, version 2.1 ............................................................................................................................ B-63 B.3.15 GNU LESSER GENERAL PUBLIC LICENSE ...................................................................................................................................... B-65 B.3.16 MIT License .................................................................................................................................................................................................. B-69 B.3.17 Mozilla Public License, version 2 .......................................................................................................................................................... B-70 B.3.18 The Open LDAP Public License ........................................................................................................................................................... B-74 Access Point, Wireless Controller and Service Platform CLI Reference Guide xvii Contents B.3.19 OpenSSL License ........................................................................................................................................................................................B-75 B.3.20 WU-FTPD Software License ................................................................................................................................................................ B-76 B.3.21 zlib License ....................................................................................................................................................................................................B-77 B.3.22 Python License, Version 2 (Python-2.0) ......................................................................................................................................... B-78 B.3.23 BEOPEN.COM LICENSE AGREEMENT FOR PYTHON 2.0 ........................................................................................................ B-78 B.3.24 CNRI OPEN SOURCE LICENSE AGREEMENT (for Python 1.6b1) .......................................................................................... B-79 B.3.25 CWI LICENSE AGREEMENT FOR PYTHON 0.9.0 THROUGH 1.2 ...........................................................................................B-80 B.3.26 Zope Public License (ZPL) Version 2.0 ............................................................................................................................................ B-81 B.3.27 Zope Public License (ZPL) Version 2.1 ............................................................................................................................................. B-82 Access Point, Wireless Controller and Service Platform CLI Reference Guide xviii ABOUT THIS GUIDE This manual supports the following wireless controllers, service platformss, and access points:

Wireless Controllers RFS4000, RFS6000 Service Platformss NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8122, AP8132, AP8163, AP8232, AP8432, AP8533 NOTE: In this document AP8122, AP8132, AP8163 are collectively referred to as AP81XX. CAUTION: To configure a WE access point, exclusively use the WE UI. Do not use the command line interface (CLI) along with it. Similarly, when using the CLI to configure the WE access point, do not use the WE UI along with it. A simplified version of the WiNG operating system user interface (UI) is available on the following access point and service platforms models:

AP6521E, AP6522E, AP6562E, AP7502E, AP7522E, AP7532E, AP7562E, AP7602, AP7612, AP7632, AP7662 NX5500E, NX7510E, and VX9000E This new WiNG Express (WE) UI, simplifies configuration and monitoring of small access point deployments by limiting monitoring, analytics, and configuration capabilities. The WE UI is designed for single-site access point deployments not exceeding more than 24 access points of the same model. This section is organized into the following topics:

Document Conventions Notational Conventions End-User Software License Agreement Access Point, Wireless Controller and Service Platform CLI Reference Guide i ABOUT THIS GUIDE Document Conventions The following conventions are used in this document to draw your attention to important information:

NOTE: Indicates tips or special requirements.

!

CAUTION: Indicates conditions that can cause equipment damage or data loss. WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage. Switch Note: Indicates caveats unique to a RFS4000, RFS6000, NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, or NX9600 model controller. Notational Conventions The following notational conventions are used in this document:

Italics are used to highlight specific items in the general text, and to identify chapters and sections in this and related documents Bullets () indicate:

lists of alternatives lists of required steps that are not necessarily sequential action items

-

-

-

Sequential lists (those describing step-by-step procedures) appear as numbered lists Understanding Command Syntax

<variable>

Variables are described with a short description enclosed within a

< and a > pair. For example, the command, nx9500-6C8809>show interface ge 1 is documented as:

show interface ge <1-2>

where:

show is the command displays information interface is the keyword represents the interface type

<1-2> is the variable represents the ge interface index value Access Point, Wireless Controller and Service Platform CLI Reference Guide ii

|

[]

ABOUT THIS GUIDE The pipe symbol. This is used to separate the variables/keywords in a list. For example, the command, nx9500-6C8809> show ..... is documented as:

show [adoption|bluetooth|bonjour|boot|

...... where:

show is the command displays information

[adoption|bluetooth|bonjour|boot|.......] indicates the different keywords that can be combined with the show command. However, only one of the above option can be used at a time. show adoption ... show bluetooth ... show bonjour ... Of the different keywords and variables listed inside a [ & ] pair, only one can be used. Each choice in the list is separated with a |

(pipe) symbol. For example, the command, nx9500-6C8809#clear ... is documented as:

clear [arp-cache|bonjour|cdp|counters|crypto|

event-history|firewall|gre|ip|ipv6|l2tpv3-

stats|lacp|license|lldp|logging|mac-address-

table|mint|role|rtls|spanning-tree|traffic-

shape|vrrp]

where:

clear is the command

[arp-cache|cdp|bonjour|counters|crypto|event-history|firewall|

gre|ip|ipv6|l2tpv3-stats|lacp|license|lldp|logging|mac-address-

table|mint|role|rtls|spanning-tree|traffic-shape|vrrp] indicates that these keywords are available for this command. However, only one can be used at a time. Access Point, Wireless Controller and Service Platform CLI Reference Guide iii ABOUT THIS GUIDE

{ }

command / keyword

() Any command/keyword/variable or a combination of them inside a { &} pair is optional. All optional commands follow the same conventions as listed above. However, they are displayed italicized. For example, the command, nx9500-6C8809> show adoption .... is documented as:

show adoption info {on <DEVICE-NAME>}

here:

show adoption info is the command. This command can also be used as:

show adoption info The command can also be extended as:

show adoption info {on <DEVICE-NAME>}

here:

{on <DEVICE-NAME>} is the keyword, which is optional. The first word is always a command. Keywords are words that must be entered as is. Commands and keywords are mandatory. For example, the command, nx9500-6C8809>show wireless is documented as:

show wireless where:

show is the command wireless is the keyword Any command/keyword/variable or a combination of them inside a ( & ) pair are recursive. All recursive commands can be listed in any order and can be used once along with the rest of the commands. For example, the command, crypto pki export request generate-rsa-key test autogen-subject-name ... is documented as:

nx9500-6C8809#crypto pki export request generate-rsa-key test autogen-subject-name

(<URL>,email <EMAIL>,fqdn <FQDN>,ip-address

<IP>) here:

crypto pki export request generate-rsa-key <RSA-KEYPAIR-

NAME> auto-gen-subject-name is the command

<RSA-KEYPAIR-NAME> is the RSA keypair name (in this example, the keypair name is test), and is a variable

(<URL>,email <EMAIL>,fqdn <FQDN>,ip-address <IP>) is the set of recursive parameters (separated by commas) that can be used in any order. Access Point, Wireless Controller and Service Platform CLI Reference Guide iv ABOUT THIS GUIDE End-User Software License Agreement This document is an agreement (Agreement) between You, the end user, and Extreme Networks, Inc., on behalf of itself and its Affiliates (Extreme) that sets forth your rights and obligations with respect to the Licensed Materials. BY INSTALLING SOFTWARE AND/OR THE LICENSE KEY FOR THE SOFTWARE

(License Key) (collectively, Licensed Software), IF APPLICABLE, COPYING, OR OTHERWISE USING THE LICENSED SOFTWARE AND/OR ANY OF THE LICENSED MATERIALS UNDER THIS AGREEMENT, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES THE LICENSE(S) AND THE LIMITATION(S) OF WARRANTY AND DISCLAIMER(S)/LIMITATION(S) OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, RETURN THE LICENSE KEY (IF APPLICABLE) TO EXTREME OR YOUR DEALER, IF ANY, OR DO NOT USE THE LICENSED SOFTWARE AND/OR LICENSED MATERIALS AND CONTACT EXTREME OR YOUR DEALER WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT TO ARRANGE FOR A REFUND. IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT EXTREME, Attn: LegalTeam@extremenetworks.com. 1 DEFINITIONS. Affiliates means any person, partnership, corporation, limited liability company, or other form of enterprise that directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the party specified. Server Application means the software application associated to software authorized for installation (per License Key, if applicable) on one or more of Your servers as further defined in the Ordering Documentation. Client Application shall refer to the application to access the Server Application. Network Device for purposes of this Agreement shall mean a physical computer device, appliance, appliance component, controller, wireless access point, or virtual appliance as further described within the applicable product documentation, which includes the Order Documentation. Licensed Materials means the Licensed Software (including the Server Application and Client Application), Network Device (if applicable), Firmware, media embodying software, and the accompanying documentation. Concurrent User shall refer to any of Your individual employees who You provide access to the Server Application at any one time. Firmware refers to any software program or code embedded in chips or other media. Standalone software is software licensed for use independent of any hardware purchase as identified in the Ordering Documentation. Licensed Software collectively refers to the software, including Standalone software, Firmware, Server Application, Client Application or other application licensed with conditional use parameters as defined in the Ordering Documentation. Ordering Documentation shall mean the applicable price quotation, corresponding purchase order, relevant invoice, order acknowledgement, and accompanying documentation or specifications for the products and services purchased, acquired or licensed hereunder from Extreme either directly or indirectly. 2 TERM. This Agreement is effective from the date on which You accept the terms and conditions of this Agreement via click-through, commence using the products and services or upon delivery of the License Key if applicable, and shall be effective until terminated. In the case of Licensed Materials offered on a subscription basis, the term of licensed use shall be as defined within Your Ordering Documentation. 3 GRANT OF LICENSE. Extreme will grant You a non-transferable, non-sublicensable, non-exclusive license to use the Licensed Materials and the accompanying documentation for Your own business purposes subject to the terms and conditions of this Agreement, applicable licensing restrictions, and any term, user server networking device, field of use, or other restrictions as set forth in Your Ordering Documentation. If the Licensed Materials are being licensed on a subscription and/or capacity basis, the applicable term and/or capacity limit of the license shall be specified in Your Ordering Documentation. You may install and use the Licensed Materials as permitted by the license type purchased as described below in License Types. The license type purchased is specified on the invoice issued to You by Extreme Access Point, Wireless Controller and Service Platform CLI Reference Guide v ABOUT THIS GUIDE or Your dealer, if any. YOU MAY NOT USE, COPY, OR MODIFY THE LICENSED MATERIALS, IN WHOLE OR IN PART, EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT. 4 LICENSE TYPES. Single User, Single Network Device. Under the terms of this license type, the license granted to You by Extreme authorizes You to use the Licensed Materials as bundled with a single Network Device as identified by a unique serial number for the applicable Term, if and as specified in Your Ordering Documentation, or any replacement for that network device for that same Term, for internal use only. A separate license, under a separate License Agreement, is required for any other network device on which You or another individual, employee or other third party intend to use the Licensed Materials. A separate license under a separate License Agreement is also required if You wish to use a Client license (as described below). Single User, Multiple Network Device. Under the terms of this license type, the license granted to You by Extreme authorizes You to use the Licensed Materials with a defined amount of Network Devices as defined in the Ordering Documentation. Client. Under the terms of the Client license, the license granted to You by Extreme will authorize You to install the License Key for the Licensed Materials on your server and allow the specific number of Concurrent Users as ordered by you and is set forth in Your Ordering Documentation. A separate license is required for each additional Concurrent User. Standalone. Software or other Licensed Materials licensed to You for use independent of any Network Device. Subscription. Licensed Materials, and inclusive Software, Network Device or related appliance updates and maintenance services, licensed to You for use during a subscription period as defined in Your applicable Ordering Documentation. Capacity. Under the terms of this license, the license granted to You by Extreme authorizes You to use the Licensed Materials up to the amount of capacity or usage as defined in the Ordering Documentation. 5 AUDIT RIGHTS. You agree that Extreme may audit Your use of the Licensed Materials for compliance with these terms and Your License Type at any time, upon reasonable notice. In the event that such audit reveals any use of the Licensed Materials by You other than in full compliance with the license granted and the terms of this Agreement, Extreme reserves the right to charge You for all reasonable expenses related to such audit in addition to any other liabilities and overages applicable as a result of such non-compliance, including but not limited to additional fees for Concurrent Users, excess capacity or usage over and above those specifically granted to You. From time to time, the Licensed Materials may upload information about the Licensed Materials and the associated usage to Extreme. This is to verify the Licensed Materials are being used in accordance with a valid license and/or entitlement. By using the Licensed Materials, you consent to the transmission of this information. 6 RESTRICTION AGAINST COPYING OR MODIFYING LICENSED MATERIALS. Except as expressly permitted in this Agreement, You may not copy or otherwise reproduce the Licensed Materials. In no event does the limited copying or reproduction permitted under this Agreement include the right to decompile, disassemble, electronically transfer, or reverse engineer the Licensed Materials, including the Licensed Software, or to translate the Licensed Materials into another computer language. The media embodying the Licensed Materials may be copied by You, in whole or in part, into printed or machine readable form, in sufficient numbers only for backup or archival purposes, or to replace a worn or defective copy. However, You agree not to have more than two (2) copies of the Licensed Software in whole or in part, including the original media, in your possession for said purposes without Extreme prior written consent, and in no event shall You operate more copies of the Licensed Software than the specific licenses granted to You. You may not copy or reproduce the documentation. You agree to maintain appropriate records of the location of the original media and all copies of the Licensed Software, in whole or in part, made by You. Any portion of the Licensed Software included in any such modular work shall be used only on a single computer for internal purposes and shall remain subject to Access Point, Wireless Controller and Service Platform CLI Reference Guide vi ABOUT THIS GUIDE all the terms and conditions of this Agreement. You agree to include any copyright or other proprietary notice set forth on the label of the media embodying the Licensed Software on any copy of the Licensed Software in any form, in whole or in part, or on any modification of the Licensed Software or any such modular work containing the Licensed Software or any part thereof. 7 TITLE AND PROPRIETARY RIGHTS a The Licensed Materials are copyrighted works and are the sole and exclusive property of Extreme, any company or a division thereof which Extreme controls or is controlled by, or which may result from the merger or consolidation with Extreme (its Affiliates), and/or their suppliers. This Agreement conveys a limited right to operate the Licensed Materials and shall not be construed to convey title to the Licensed Materials to You. There are no implied rights. You shall not sell, lease, transfer, sublicense, dispose of, or otherwise make available the Licensed Materials or any portion thereof, to any other party. b You further acknowledge that in the event of a breach of this Agreement, Extreme shall suffer severe and irreparable damages for which monetary compensation alone will be inadequate. You therefore agree that in the event of a breach of this Agreement, Extreme shall be entitled to monetary damages and its reasonable attorneys fees and costs in enforcing this Agreement, as well as injunctive relief to restrain such breach, in addition to any other remedies available to Extreme. 8 PROTECTION AND SECURITY. In the performance of this Agreement or in contemplation thereof, You and your employees and agents may have access to private or confidential information owned or controlled by Extreme relating to the Licensed Materials supplied hereunder including, but not limited to, product specifications and schematics, and such information may contain proprietary details and disclosures. All information and data so acquired by You or your employees or agents under this Agreement or in contemplation hereof shall be and shall remain Extreme exclusive property, and You shall use all commercially reasonable efforts to keep, and have your employees and agents keep, any and all such information and data confidential, and shall not copy, publish, or disclose it to others, without Extreme prior written approval, and shall return such information and data to Extreme at its request. Nothing herein shall limit your use or dissemination of information not actually derived from Extreme or of information which has been or subsequently is made public by Extreme, or a third party having authority to do so. You agree not to deliver or otherwise make available the Licensed Materials or any part thereof, including without limitation the object or source code (if provided) of the Licensed Software, to any party other than Extreme or its employees, except for purposes specifically related to your use of the Licensed Materials on a single computer as expressly provided in this Agreement, without the prior written consent of Extreme. You acknowledge that the Licensed Materials contain valuable confidential information and trade secrets, and that unauthorized use, copying and/or disclosure thereof are harmful to Extreme or its Affiliates and/or its/their software suppliers. 9 MAINTENANCE AND UPDATES. Except as otherwise defined below, updates and certain maintenance and support services, if any, shall be provided to You pursuant to the terms of an Extreme Service and Maintenance Agreement, if Extreme and You enter into such an agreement. Except as specifically set forth in such agreement, Extreme shall not be under any obligation to provide updates, modifications, or enhancements, or maintenance and support services for the Licensed Materials to You. If you have purchased Licensed Materials on a subscription basis then the applicable service terms for Your Licensed Materials are as provided in Your Ordering Documentation. Extreme will perform the maintenance and updates in a timely and professional manner, during the Term of Your subscription, using qualified and experienced personnel. You will cooperate in good faith with Extreme in the performance of the support services including, but not limited to, providing Extreme with: (a) access to the Extreme Licensed Materials (and related systems); and (b) reasonably requested assistance and Access Point, Wireless Controller and Service Platform CLI Reference Guide vii ABOUT THIS GUIDE information. Further information about the applicable maintenance and updates terms can be found on Extremes website at http://www.extremenetworks.com/company/legal/terms-of-support 10 DEFAULT AND TERMINATION. In the event that You shall fail to keep, observe, or perform any obligation under this Agreement, including a failure to pay any sums due to Extreme, or in the event that you become insolvent or seek protection, voluntarily or involuntarily, under any bankruptcy law, Extreme may, in addition to any other remedies it may have under law, terminate the License and any other agreements between Extreme and You. a Immediately after any termination of the Agreement, Your licensed subscription term, or if You have for any reason discontinued use of Licensed Materials, You shall return to Extreme the original and any copies of the Licensed Materials and remove the Licensed Materials, including an Licensed Software, from any modular works made pursuant to Section 3, and certify in writing that through your best efforts and to the best of your knowledge the original and all copies of the terminated or discontinued Licensed Materials have been returned to Extreme. b Sections 1, 7, 8, 10, 11, 12, 13, 14 and 15 shall survive termination of this Agreement for any reason. 11 EXPORT REQUIREMENTS. You are advised that the Licensed Materials, including the Licensed Software is of United States origin and subject to United States Export Administration Regulations; diversion contrary to United States law and regulation is prohibited. You agree not to directly or indirectly export, import or transmit the Licensed Materials, including the Licensed Software to any country, end user or for any Use that is prohibited by applicable United States regulation or statute (including but not limited to those countries embargoed from time to time by the United States government); or contrary to the laws or regulations of any other governmental entity that has jurisdiction over such export, import, transmission or Use. 12 UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The Licensed Materials (i) were developed solely at private expense; (ii) contain restricted computer software submitted with restricted rights in accordance with section 52.227-19 (a) through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Extreme and/or its suppliers. For Department of Defense units, the Licensed Materials are considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein. 13 LIMITED WARRANTY AND LIMITATION OF LIABILITY. Extreme warrants to You that (a) the initially-

shipped version of the Licensed Materials will materially conform to the Documentation; and (b) the media on which the Licensed Software is recorded will be free from material defects for a period of ninety (90) days from the date of delivery to You or such other minimum period required under applicable law. Extreme does not warrant that Your use of the Licensed Materials will be error-free or uninterrupted. NEITHER EXTREME NOR ITS AFFILIATES MAKE ANY OTHER WARRANTY OR REPRESENTATION, EXPRESS OR IMPLIED, WITH RESPECT TO THE LICENSED MATERIALS, WHICH ARE LICENSED "AS IS". THE LIMITED WARRANTY AND REMEDY PROVIDED ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WHICH ARE EXPRESSLY DISCLAIMED, AND STATEMENTS OR REPRESENTATIONS MADE BY ANY OTHER PERSON OR FIRM ARE VOID. IN NO EVENT WILL EXTREME OR ANY OTHER PARTY WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION OR DELIVERY OF THE LICENSED MATERIALS BE LIABLE FOR SPECIAL, DIRECT, INDIRECT, RELIANCE, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF DATA OR PROFITS OR FOR INABILITY TO USE THE LICENSED MATERIALS, TO ANY PARTY EVEN IF EXTREME OR SUCH OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL Access Point, Wireless Controller and Service Platform CLI Reference Guide viii ABOUT THIS GUIDE EXTREME OR SUCH OTHER PARTY'S LIABILITY FOR ANY DAMAGES OR LOSS TO YOU OR ANY OTHER PARTY EXCEED THE LICENSE FEE YOU PAID FOR THE LICENSED MATERIALS. Some states do not allow limitations on how long an implied warranty lasts and some states do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation and exclusion may not apply to You. This limited warranty gives You specific legal rights, and You may also have other rights which vary from state to state. 14 JURISDICTION. The rights and obligations of the parties to this Agreement shall be governed and construed in accordance with the laws and in the State and Federal courts of the State of California, without regard to its rules with respect to choice of law. You waive any objections to the personal jurisdiction and venue of such courts. None of the 1980 United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information Transactions Act shall apply to this Agreement. 15 FREE AND OPEN SOURCE SOFTWARE. Portions of the Software (Open Source Software) provided to you may be subject to a license that permits you to modify these portions and redistribute the modifications (an Open Source License). Your use, modification and redistribution of the Open Source Software are governed by the terms and conditions of the applicable Open Source License. More details regarding the Open Source Software and the applicable Open Source Licenses are available at www.extremenetworks.com/services/SoftwareLicensing.aspx. Some of the Open Source software may be subject to the GNU General Public License v.x (GPL) or the Lesser General Public Library (LGPL), copies of which are provided with the Licensed Materials and are further available for review at www.extremenetworks.com/services/SoftwareLicensing.aspx, or upon request as directed herein. In accordance with the terms of the GPL and LGPL, you may request a copy of the relevant source code. See the Software Licensing web site for additional details. This offer is valid for up to three years from the date of original download of the software. 16 GENERAL. a This Agreement is the entire agreement between Extreme and You regarding the Licensed Materials, and all prior agreements, representations, statements, and undertakings, oral or written, are hereby expressly superseded and canceled. b This Agreement may not be changed or amended except in writing signed by both parties hereto. c You represent that You have full right and/or authorization to enter into this Agreement. d This Agreement shall not be assignable by You without the express written consent of Extreme. The rights of Extreme and Your obligations under this Agreement shall inure to the benefit of Extreme assignees, licensors, and licensees. e Section headings are for convenience only and shall not be considered in the interpretation of this Agreement f The provisions of the Agreement are severable and if any one or more of the provisions hereof are judicially determined to be illegal or otherwise unenforceable, in whole or in part, the remaining provisions of this Agreement shall nevertheless be binding on and enforceable by and between the parties hereto g Extremes waiver of any right shall not constitute waiver of that right in future. This Agreement constitutes the entire understanding between the parties with respect to the subject matter hereof, and all prior agreements, representations, statements and undertakings, oral or written, are hereby expressly superseded and canceled. No purchase order shall supersede this Agreement. Access Point, Wireless Controller and Service Platform CLI Reference Guide ix ABOUT THIS GUIDE h Should You have any questions regarding this Agreement, You may contact Extreme at the address set forth below. Any notice or other communication to be sent to Extreme must be mailed by certified mail to the following address:

Extreme Networks, Inc. 16480 Via Del San Jose, CA 95119 United States Tel: +1 408-579-2800 Toll-free: +1 888-257-3000 Access Point, Wireless Controller and Service Platform CLI Reference Guide x 1 INTRODUCTION This chapter describes the commands available within a devices Command Line Interface (CLI) structure. CLI is available for wireless controllers, access points (APs), and service platforms. Access the CLI by using:

A terminal emulation program running on a computer connected to the serial port on the device

(access point, wireless controller, and service platform). A Telnet session through Secure Shell (SSH) over a network. Configuration for connecting to a Controller using a terminal emulator If connecting through the serial port, use the following settings to configure your terminal emulator:

Bits Per Second Data Bits Parity Stop Bit Flow Control 19200 For AP8533, AP8432, AP7662, AP7632, AP7622, AP7612, AP7602, AP7502, AP7522, AP7532, AP7562, AP6521, AP6522, AP6532, AP6562 model access points set this value to 115200. 8 None 1 None When a CLI session is established, complete the following (user input is in bold):

login as: <username>

administrators login password: <password>

User Credentials Use the following credentials when logging into a device for the first time:

User Name Password admin admin123 When logging into the CLI for the first time, you are prompted to change the password. Examples in this reference guide Examples used in this reference guide are generic to each supported wireless controller, service platform, and AP model. Commands that are not common, are identified using the notation Supported in the following platforms: For an example, see below:

Supported in the following platforms:

Wireless Controller RFS6000 The above example indicates the command is only available for an RFS6000 model wireless controller. Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 1 INTRODUCTION This chapter is organized into the following sections:

CLI Overview Getting Context Sensitive Help Using the No Command Using CLI Editing Features and Shortcuts Using CLI to Create Profiles and Enable Remote Administration 1.1 CLI Overview INTRODUCTION The CLI is used for configuring, monitoring, and maintaining the network. The user interface allows you to execute commands on supported wireless controllers, service platforms, and APs, using either a serial console or a remote access method. This chapter describes basic CLI features. Topics covered include an introduction to command modes, navigation and editing features, help features and command history. The CLI is segregated into different command modes. Each mode has its own set of commands for configuration, maintenance, and monitoring. The commands available at any given time depend on the mode you are in, and to a lesser extent, the particular model used. Enter a question mark (?) at the system prompt to view a list of commands available for each command mode/instance. Use specific commands to navigate from one command mode to another. The standard order is: USER EXEC mode, PRIV EXEC mode and GLOBAL CONFIG mode. Command Modes Figure 1-1 Hierarchy of User Modes A session generally begins in the USER EXEC mode (one of the two access levels of the EXEC mode). For security, only a limited subset of EXEC commands are available in the USER EXEC mode. This level is Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 2 INTRODUCTION reserved for tasks that do not change the devices (wireless controller, service platform, or AP) configuration. rfs6000-6DB5D4>

The system prompt signifies the device name and the last three bytes of the device MAC address. To access commands, enter the PRIV EXEC mode (the second access level for the EXEC mode). Once in the PRIV EXEC mode, enter any EXEC command. The PRIV EXEC mode is a superset of the USER EXEC mode. rfs6000-6DB5D4>enable rfs6000-6DB5D4#

Most of the USER EXEC mode commands are one-time commands and are not saved across device reboots. Save the command by executing commit command. For example, the show command displays the current configuration and the clear command clears the interface. Access the GLOBAL CONFIG mode from the PRIV EXEC mode. In the GLOBAL CONFIG mode, enter commands that set general system characteristics. Configuration modes, allow you to change the running configuration. If you save the configuration later, these commands are stored across device reboots. Access a variety of protocol specific (or feature-specific) modes from the global configuration mode. The CLI hierarchy requires you to access specific configuration modes only through the global configuration mode. rfs6000-6DB5D4#configure terminal Enter configuration commands, one per line. End with CNTL/Z. rfs6000-6DB5D4(config)#

You can also access sub-modes from the global configuration mode. Configuration sub-modes define specific features within the context of a configuration mode. rfs6000-6DB5D4(config)#aaa-policy test rfs6000-6DB5D4(config-aaa-policy-test)#

The following table summarizes available CLI commands:

Table 1.1 Controller CLI Modes and Commands User Exec Mode captive-portal-page-upload change-passwd clear clock cluster commit connect create-cluster crypto crypto-cmp-cert-update database database-backup Priv Exec Mode archive boot captive-portal-page-upload cd change-passwd clear clock cluster commit configure connect copy Global Configuration Mode aaa-policy aaa-tacacs-policy alias ap6521 ap6522 ap6532 ap6562 ap7161 ap7502 ap7522 ap7532 ap7562 Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 3 User Exec Mode database-restore debug device-upgrade disable enable file-sync help join-cluster l2tpv3 logging mint no on opendns page ping ping6 revert service show ssh telnet terminal time-it traceroute traceroute6 virtual-machine (supported only on NX9500, NX9600, and VX9000) watch write clrscr exit INTRODUCTION Table 1.1 Controller CLI Modes and Commands Priv Exec Mode cpe (RFS4000, RFS6000, NX9500, NX9600, VX9000) create-cluster crypto crypto-cmp-cert-update database database-backup database-restore debug delete device-upgrade diff dir disable edit enable erase ex3500 factory-reset file-sync halt help join-cluster l2tpv3 logging mint mkdir more no on opendns page ping ping6 Global Configuration Mode ap7602 ap7612 ap7622 ap7632 ap7662 ap81xx (ap8122, ap8132, ap8163) ap8232 ap8432 ap8533 application application-group application-policy association-acl-policy auto-provisioning-policy bgp bonjour-gw-discovery-policy bonjour-gw-forwarding-policy bonjour-gw-query-forwarding-

policy captive-portal clear client-identity client-identity-group clone crypto-cmp-policy customize database-client-policy (supported only on VX9000 database-policy (supported only on NX9500, NX9600, and VX9000) device device-categorization dhcp-server-policy dhcp6-server-policy dns-whitelist event-system-policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 4 User Exec Mode INTRODUCTION Table 1.1 Controller CLI Modes and Commands Priv Exec Mode pwd raid (supported only on NX9500 and NX7530) re-elect reload remote-debug rename revert rmdir self service show ssh t5 (supported only on RFS4000, RFS6000, NX9500, NX9600, and VX9000) telnet terminal time-it traceroute traceroute6 upgrade upgrade-abort virtual-machine (supported only on NX9500, NX9600, and VX9000) watch write clrscr exit Global Configuration Mode ex3500 ex3500-management-policy ex3500-qos-class-map-policy ex3500-qos-policy-map ex3524 ex3548 firewall-policy global-association-list guest-management help host igmp-snoop-policy (This command has been deprecated. IGMP snooping is now configurable under the profile/

device configuration mode. For more information, see ip. inline-password-encryption ip ipv6 ipv6-router-advertisement-policy l2tpv3 mac management-policy meshpoint meshpoint-qos-policy mint-policy nac-list no nsight-policy nx5500 (supported only on NX9500, NX9600, VX9000) nx75xx (supported only on NX9500, NX9600, VX9000) nx9000 (supported only on NX9500, NX9600, VX9000) Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 5 INTRODUCTION Table 1.1 Controller CLI Modes and Commands User Exec Mode Priv Exec Mode Global Configuration Mode nx9600 (supported only on NX9600) passpoint-policy password-encryption profile radio-qos-policy radius-group radius-server-policy radius-user-pool-policy rename replace rf-domain rfs4000 rfs6000 roaming-assist-policy role-policy route-map routing-policy rtl-server-policy schedule-policy self sensor-policy smart-rf-policy t5 (supported only on RFS4000, RFS6000, NX9500, NX9600, VX9000) url-filter (supported only on NX9500, NX9600, VX9000) url-list (supported only on NX9500, NX9600, VX9000) vx9000 (supported only on NX9500, and NX9600, VX9000) web-filter-policy wips-policy wlan wlan-qos-policy write clrscr Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 6 INTRODUCTION Table 1.1 Controller CLI Modes and Commands User Exec Mode Priv Exec Mode Global Configuration Mode commit do end exit revert service show 1.2 Getting Context Sensitive Help INTRODUCTION Enter a question mark (?) at the system prompt to display a list of commands available for each mode. Obtain a list of arguments and keywords for any command using the CLI context-sensitive help. Use the following commands to obtain help specific to a command mode, command name, keyword or argument:

Command

(prompt)#help

(prompt)#abbreviated-command-entry?

(prompt)#abbreviated-command-entry[TAB]

(prompt)#?

(prompt)#command ?

(prompt)#command keyword ?

Description Displays a brief description of the help system Lists commands in the current mode that begin with a particular character string Completes a partial command name Lists all commands available in the command mode Lists the available syntax options (arguments and keywords) for the command Lists the next available syntax option for the command NOTE: The system prompt varies depending on the configuration mode. NOTE: Enter Ctrl + V to use ? as a regular character and not as a character used for displaying context sensitive help. This is required when the user has to enter a URL that ends with a ?

NOTE: The escape character used through out the CLI is \. To enter a "\"

use "\\" instead. Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 7 INTRODUCTION When using context-sensitive help, the space (or lack of a space) before the question mark (?) is significant. To obtain a list of commands that begin with a particular sequence, enter the characters followed by a question mark (?). Do not include a space. This form of help is called word help, because it completes a word. rfs6000-6DB5D4#service?

service Service Commands rfs6000-6DB5D4#service Enter a question mark (?) (in place of a keyword or argument) to list keywords or arguments. Include a space before the ?. This form of help is called command syntax help. It shows the keywords or arguments available based on the command/keyword and argument already entered. rfs6000-6DB5D4#service ?

block-adopter-config-update Block configuration updates from the bluetooth Bluetooth service commands clear Clear adoption history cli-tables-skin Choose a formatting layout/skin for CLI tabular outputs (EXPERIMENTAL-Applies only to certain commands) cluster Cluster Protocol copy Copy files or directories delete Delete sessions delete-offline-aps Delete Access Points that are configured but offline force-send-config Resend configuration to the device force-update-vm-stats Force VM statistics to be pushed up to the NOC load-balancing Wireless load-balancing service commands load-ssh-authorized-keys Load Ssh authorized keys locator Enable leds flashing on the device mint MiNT protocol pktcap Start packet capture pm Process Monitor radio Radio parameters radius Radius test request-full-config-from-adopter Request full configuration from the adopter set Set global options show Show running system information signal Send a signal to a process smart-rf Smart-RF Management Commands snmp Snmp ssm Command related to ssm start-shell Provide shell access syslog Syslog service trace Trace a process for system calls and signals troubleshoot Troubleshooting wireless Wireless commands rfs6000-6DB5D4#

It is possible to abbreviate commands and keywords to allow a unique abbreviation. For example, configure terminal can be abbreviated as config t. Since the abbreviated command is unique, the controller accepts the abbreviation and executes the command. Enter the help command (available in any command mode) to provide the following description:

rfs6000-6DB5D4>help When using the CLI, help is provided at the command line when typing '?'. If no help is available, the help content will be empty. Backup until entering a '?'

shows the help content. There are two styles of help provided:

1. Full help. Available when entering a command argument (e.g. 'show ?'). This will Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 8 INTRODUCTION describe each possible argument. 2. Partial help. Available when an abbreviated argument is entered. This will display which arguments match the input (e.g. 'show ve?'). rfs6000-6DB5D4>

1.3 Using the No Command INTRODUCTION Almost every command has a no form. Use no to disable a feature or function or return it to its default. Use the command without the no keyword to re-enable a disabled feature. 1.3.1 Basic Conventions Keep the following conventions in mind while working within the CLI structure:

Use ? at the end of a command to display the sub-modes (keywords) associated with the command. Type the first few characters of the required sub-mode and press the tab key to auto-fill. Continue using ? until you reach the last sub-mode. Pre-defined CLI commands and keywords are case-insensitive: cfg = Cfg = CFG. However (for clarity), CLI commands and keywords are displayed (in this guide) using mixed case. For example, apPolicy, trapHosts, channelInfo. Enter commands in uppercase, lowercase, or mixed case. Only passwords are case sensitive. 1.4 Using CLI Editing Features and Shortcuts INTRODUCTION A variety of shortcuts and edit features are available. The following sections describe these features:

Moving the Cursor on the Command Line Completing a Partial Command Name Command Output Pagination Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 9 INTRODUCTION 1.4.1 Moving the Cursor on the Command Line Using CLI Editing Features and Shortcuts The following table shows the key combinations or sequences to move the command line cursor. Ctrl defines the control key, which must be pressed simultaneously with its associated letter key. Esc means the escape key (which must be pressed first), followed by its associated letter key. Keys are not case sensitive. Specific letters are used to provide an easy way of remembering their functions. Table 1.2 Keystrokes Details Function Summary Back character Forward character Back word Forward word Beginning of line End of line Keystrokes Left Arrow or Ctrl-B Right Arrow or Ctrl-F Esc- B Esc- F Ctrl-A Ctrl-E Ctrl-D Ctrl-U Ctrl-K Ctrl-P Ctrl-N Esc-C Esc-L Esc-D Ctrl-W Ctrl-Z Ctrl-T Ctrl-L Function Details Moves the cursor one character to the left When entering a command that extends beyond a single line, press the Left Arrow or Ctrl-B keys repeatedly to move back to the system prompt. Moves the cursor one character to the right Moves the cursor back one word Moves the cursor forward one word Moves the cursor to the beginning of the command line Moves the cursor to the end of the command line Deletes the current character Deletes text up to cursor Deletes from the cursor to end of the line Obtains the prior command from memory Obtains the next command from memory Converts the letter at the cursor to uppercase Converts the letter at the cursor to lowercase Deletes the remainder of a word Deletes the word up to the cursor Returns to the root prompt Transposes the character to the left of the cursor with the character located at the cursor Clears the screen 1.4.2 Completing a Partial Command Name Using CLI Editing Features and Shortcuts If you cannot remember a command name (or if you want to reduce the amount of typing you have to perform), enter the first few letters of a command, then press the Tab key. The command line parser completes the command if the string entered is unique to the command mode. If your keyboard does not have a Tab key, press Ctrl-L. Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 10 INTRODUCTION The CLI recognizes a command once you have entered enough characters to make the command unique. If you enter conf within the privileged EXEC mode, the CLI associates the entry with the configure command, since only the configure command begins with conf. In the following example, the CLI recognizes a unique string in the privileged EXEC mode when the Tab key is pressed:

rfs6000-6DB5D4#conf[TAB]

rfs6000-6DB5D4#configure When using the command completion feature, the CLI displays the full command name. The command is not executed until the [Return] or [Enter] key is pressed. Modify the command if the full command was not what you intended in the abbreviation. If entering a set of characters (indicating more than one command), the system lists all commands beginning with that set of characters. Enter a question mark (?) to obtain a list of commands beginning with a particular set of characters. Do not leave a space between the last letter and the question mark (?). In the following example, all commands, available in the current context, starting with the characters co are listed:

rfs6000-6DB5D4#co?

commit Commit all changes made in this session configure Enter configuration mode connect Open a console connection to a remote device copy Copy from one file to another rfs6000-6DB5D4#

NOTE: The characters entered before the question mark are reprinted to the screen to complete the command entry. 1.4.3 Command Output Pagination Using CLI Editing Features and Shortcuts Output often extends beyond the visible screen length. For cases where output continues beyond the screen, the output is paused and a

--More--

prompt displays at the bottom of the screen. To resume the output, press the [Enter] key to scroll down one line or press the Spacebar to display the next full screen of output. 1.5 Using CLI to Create Profiles and Enable Remote Administration INTRODUCTION The following sections describe the following essential procedures:

Creating Profiles Changing the default profile by creating vlan 150 and mapping to ge3 Physical interface Enabling Remote Administration Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 11 INTRODUCTION 1.5.1 Creating Profiles Using CLI to Create Profiles and Enable Remote Administration Profiles are sort of a template representation of configuration. The system has:

a default profile for each of the following devices:

- RFS4000, RFS6000 a default profile for each of the following service platforms:

- NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 a default profile for each of the following access points:

- AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 You can modify a default profile. In the following example, an IP address is assigned to the management port on the default RFS6000 profile. rfs6000-6DB5D4(config)#profile rfs6000 default-rfs6000 rfs6000-6DB5D4(config-profile-default-rfs6000)#interface me1 rfs6000-6DB5D4(config-profile-default-rfs6000-if-me1)#ip address 172.16.10.2/24 rfs6000-6DB5D4(config-profile-default-rfs6000-if-me1)#commit rfs6000-6DB5D4(config-profile-default-rfs6000)#exit rfs6000-6DB5D4(config)#

The following command displays a default AP7562 profile configuration:

rfs6000-6DB5D4(config-profile-default-ap7562)#

rfs6000-6DB5D4(config-profile-default-ap7562)#show context profile ap7562 default-ap7562 autoinstall configuration autoinstall firmware crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac crypto ikev1 remote-vpn crypto ikev2 remote-vpn crypto auto-ipsec-secure crypto load-management crypto remote-vpn-client interface radio1 placement outdoor interface radio2 placement outdoor interface ge1 interface ge2 interface vlan1 ip address dhcp ip address zeroconf secondary ip dhcp client request options all

--More--

rfs6000-6DB5D4(config-profile-default-ap7562)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 12 INTRODUCTION 1.5.2 Changing the default profile by creating vlan 150 and mapping to ge3 Physical interface Using CLI to Create Profiles and Enable Remote Administration Logon to the controller in config mode and follow the procedure below:

rfs6000-6DB5D4(config-profile-default-rfs6000)#interface vlan 150 rfs6000-6DB5D4(config-profile-default-rfs6000-if-vlan150)#ip address 192.168.150.20/24 rfs6000-6DB5D4(config-profile-default-rfs6000-if-vlan150)#exit rfs6000-6DB5D4(config-profile-default-rfs6000)#interface ge 3 rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#switchport access vlan 150 rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#commit write Please Wait .

[OK]

rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#

rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#show interface vlan 150 Interface vlan150 is UP Hardware-type: vlan, Mode: Layer 3, Address: 00-15-70-81-74-2D Index: 6, Metric: 1, MTU: 1500 IP-Address: 192.168.150.20/24 input packets 0, bytes 0, dropped 0, multicast packets 0 input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0 output packets 2, bytes 140, dropped 0 output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0 collisions 0 IPv6 mode is disabled rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#

1.5.2.1 Viewing Configured APs To view previously configured APs, enter the following command:

rfs6000-6DB5D4>show wireless ap configured

--------------------------------------------------------------------------------

IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY

--------------------------------------------------------------------------------

1 ap7532-80C2AC 84-24-8D-80-C2-AC default-ap7532 TechPubs 00-15-70-81-74-2D 2 ap8132-74B45C B4-C7-99-74-B4-5C default-ap81xx TechPubs 00-15-70-81-74-2D 3 ap7522-8330A4 84-24-8D-83-30-A4 default-ap7522 default 00-15-70-81-74-2D 4 ap8132-711728 B4-C7-99-71-17-28 default-ap81xx TechPubs 00-15-70-81-74-2D 5 ap8533-9A12DB 74-67-F7-9A-12-DB default-ap8533 default un-adopted 6 ap7562-84A224 84-24-8D-84-A2-24 default-ap7562 TechPubs 00-15-70-81-74-2D

--------------------------------------------------------------------------------

rfs6000-6DB5D4>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 13 1.5.3 Enabling Remote Administration Using CLI to Create Profiles and Enable Remote Administration INTRODUCTION A terminal server may function in remote administration mode if either the terminal services role is not installed on the machine or the client used to invoke the session has enabled the admin controller. A terminal emulation program running on a computer connected to the serial port on the controller. The serial port is located on the front of the controller. A Telnet session through a Secure Shell (SSH) over a network. The Telnet session may or may not use SSH depending on how the controller is configured. It is recommended you use SSH for remote administration tasks. This section is organized into the following sub sections:

Configuring Telnet for Management Access Configuring SSH for Management Access 1.5.3.1 Configuring Telnet for Management Access Enabling Remote Administration To enable Telnet for management access, use the serial console to login to the device and perform the following:

1 The session, by default, opens in the USER EXEC mode (one of the two access levels of the EXEC mode). Access the PRIV EXEC mode from the USER EXEC mode. rfs6000-6DB5D4>en rfs6000-6DB5D4#

2 Access the GLOBAL CONFIG mode from the PRIV EXEC mode. rfs6000-6DB5D4>en rfs6000-6DB5D4#configure terminal Enter configuration commands, one per line. End with CNTL/Z. rfs6000-6DB5D4(config)#

3 Go to default-management-policy mode. rfs6000-6DB5D4(config)#management-policy ?

MANAGEMENT Name of the management policy to be configured (will be created if it does not exist) rfs6000-6DB5D4(config)#management-policy default rfs6000-6DB5D4(config-management-policy-default)#

4 Enter Telnet and the port number at the command prompt. Note, the port number is optional. If you do not specify the port, the system, by default, assigns port 23 for Telnet. Commit your changes. Telnet is enabled. rfs6000-6DB5D4(config-management-policy-default)#telnet rfs6000-6DB5D4(config-management-policy-default)#commit write rfs6000-6DB5D4(config-management-policy-default)#end rfs6000-6DB5D4#exit 5 Connect to the controller through Telnet using its configured IP address. If logging in for the first time, use the following credentials:

User Name Password admin admin123 At the first-time login instance, you will be prompted to change the password. Set a new password. Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 14 INTRODUCTION 6 On subsequent logins, to change the password, access the default management-policy configuration mode and enter the username, new password, role, and access details. rfs6000-6DB5D4(config-management-policy-default)#user testuser password test@123 role helpdesk access all rfs6000-6DB5D4(config-management-policy-default)#commit rfs6000-6DB5D4(config-management-policy-default)#show context management-policy default telnet http server https server no ftp ssh user admin password 1 fd07f19c6caf46e5b7963a802d422a708ad39a24906e04667c8642299c8462f1 role superuser access all user testuser password 1 32472f01757293a181738674bdf068ffe0b777ce145524fc669278820ab582c0 role helpdesk access all snmp-server community 2 uktRccdr9eLoByF5PCSuFAAAAAeB78WhgTbSKDi96msyUiW+ rw snmp-server community 2 Ne+R15zlwEdhybKxfbd6JwAAAAZzvrLGzU/xWXgwFtwF5JdD ro snmp-server user snmptrap v3 encrypted des auth md5 2 WUTBNiUi7tL4ZbU2I7Eh/

QAAAAiDhBZTln0UIu+y/W6E/0tR snmp-server user snmpmanager v3 encrypted des auth md5 2 9Fva4fYV1WL4ZbU2I7Eh/

QAAAAjdvbWANBNw+We/xHkH9kLi no https use-secure-ciphers-only rfs6000-6DB5D4(config-management-policy-default)#

7 Logon to the Telnet console and provide the user details configured in the previous step to access the controller. rfs6000 release 5.9.1.0-015D rfs6000-6DB5D4 login: testuser Password:

Welcome to CLI Starting CLI... rfs6000-6DB5D4>

1.5.3.2 Configuring SSH for Management Access Enabling Remote Administration By default, SSH is enabled from the factory settings on the controller. The controller requires an IP address and login credentials. To enable SSH access on a device, login through the serial console and perform the following:

1 The session, by default, opens in the USER EXEC mode (one of the two access levels of the EXEC mode). Access the PRIV EXEC mode from the USER EXEC mode. rfs6000-6DB5D4>en rfs6000-6DB5D4#

2 Access the GLOBAL CONFIG mode from the PRIV EXEC mode. rfs6000-6DB5D4>en rfs6000-6DB5D4#configure terminal Enter configuration commands, one per line. End with CNTL/Z. rfs6000-6DB5D4(config)#

3 Go to default-management-policy mode. rfs6000-6DB5D4(config)#management-policy ?

MANAGEMENT Name of the management policy to be configured (will be created if it does not exist) rfs6000-6DB5D4(config)#management-policy default rfs6000-6DB5D4(config-management-policy-default)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 15 INTRODUCTION 4 Enter SSH at the command prompt. rfs6000-6DB5D4(config-management-policy-default)#ssh rfs6000-6DB5D4(config-management-policy-default)#commit write rfs6000-6DB5D4(config-management-policy-default)#end rfs6000-6DB5D4#exit 5 Connect to the controller through SSH using its configured IP address. If logging in for the first time, use the following credentials:

User Name Password admin admin123 At the first-time login instance, you will be prompted to change the password. Set a new password. 6 On subsequent logins, to change the password, access the default management-policy configuration mode and enter the username, new password, role, and access details. rfs6000-6DB5D4(config-management-policy-default)#user testuser password test@123 role helpdesk access all rfs6000-6DB5D4(config-management-policy-default)#commit rfs6000-6DB5D4(config-management-policy-default)#show context management-policy default telnet http server https server no ftp ssh user admin password 1 fd07f19c6caf46e5b7963a802d422a708ad39a24906e04667c8642299c8462f1 role superuser access all user testuser password 1 32472f01757293a181738674bdf068ffe0b777ce145524fc669278820ab582c0 role helpdesk access all snmp-server community 2 uktRccdr9eLoByF5PCSuFAAAAAeB78WhgTbSKDi96msyUiW+ rw snmp-server community 2 Ne+R15zlwEdhybKxfbd6JwAAAAZzvrLGzU/xWXgwFtwF5JdD ro snmp-server user snmptrap v3 encrypted des auth md5 2 WUTBNiUi7tL4ZbU2I7Eh/

QAAAAiDhBZTln0UIu+y/W6E/0tR snmp-server user snmpmanager v3 encrypted des auth md5 2 9Fva4fYV1WL4ZbU2I7Eh/

QAAAAjdvbWANBNw+We/xHkH9kLi no https use-secure-ciphers-only rfs6000-6DB5D4(config-management-policy-default)#

7 Logon to the SSH console and provide the user details configured in the previous step to access the controller. rfs6000 release 5.9.1.0-015D rfs6000-6DB5D4 login: testuser Password:

Welcome to CLI Starting CLI... rfs6000-6DB5D4>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 16 2 USER EXEC MODE COMMANDS Logging in to the wireless controller places you within the USER EXEC command mode. Typically, a login requires a user name and password. You have three login attempts before the connection attempt is refused. USER EXEC commands (available at the user level) are a subset of the commands available at the privileged level. In general, USER EXEC commands allow you to connect to remote devices, perform basic tests, and list system information. To list available USER EXEC commands, use ? at the command prompt. The USER EXEC prompt consists of the device host name followed by an angle bracket (>).

<DEVICE>>?

Command commands:

captive-portal-page-upload Captive portal internal and advanced page upload change-passwd Change password clear Clear clock Configure software system clock cluster Cluster commands commit Commit all changes made in this session connect Open a console connection to a remote device create-cluster Create a cluster crypto Encryption related commands crypto-cmp-cert-update Update the cmp certs database Database database-backup Backup database database-restore Restore database debug Debugging functions device-upgrade Device firmware upgrade disable Turn off privileged mode command enable Turn on privileged mode command file-sync File sync between controller and adoptees help Description of the interactive help system join-cluster Join the cluster l2tpv3 L2tpv3 protocol logging Modify message logging facilities mint MiNT protocol no Negate a command or set its defaults on On RF-Domain opendns OpenDNS configuration page Toggle paging ping Send ICMP echo messages ping6 Send ICMPv6 echo messages revert Revert changes service Service Commands show Show running system information ssh Open an ssh connection telnet Open a telnet connection terminal Set terminal line parameters time-it Check how long a particular command took between request and completion of response traceroute Trace route to destination traceroute6 Trace route to destination(IPv6) virtual-machine Virtual Machine watch Repeat the specific CLI command at a periodic interval write Write running configuration to memory or terminal clrscr Clears the display screen exit Exit from the CLI

<DEVICE>>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 1 USER EXEC MODE COMMANDS 2.1 User Exec Commands USER EXEC MODE COMMANDS The following table summarizes the User Exec Mode commands:

Table 2.1 User Exec Mode Commands Description Uploads captive portal advanced pages to adopted access points Command captive-portal-

page-upload change-passwd Changes the password of a logged user clear clock cluster connect create-cluster crypto crypto-cmp-

cert-update database Resets the last saved command Configures the system clock Accesses the cluster context Establishes a console connection to a remote device Creates a new cluster on a specified device Enables encryption and configures encryption related parameters Triggers a CMP certificate update on a specified device or devices database-

backup database-

restore Enables automatic repairing (vacuuming) and dropping of databases

(Captive-portal and NSight) Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server Restores a previously exported database [captive-portal and/or NSight]. Previously exported databases (backed up to a specified FTP or SFTP server) are restored to the original database. device-upgrade Configures device firmware upgrade settings disable enable file-sync Turns off (disables) the privileged mode command set Turns on (enables) the privileged mode command set Configures parameters enabling syncing of PKCS#12 and wireless-

bridge certificate between the staging-controller and adopted access points Adds a device (access point, wireless controller, or service platform) to an existing cluster of devices Establishes or brings down Layer 2 Tunneling Protocol Version 3

(L2TPV3) tunnels Modifies message logging facilities Configures MiNT protocol Negates a command or sets its default Executes the following commands in the RF Domain context: clrscr, do, end, exit, help, service, and show join-cluster l2tpv3 logging mint no on Reference page 2-4 page 2-8 page 2-9 page 2-20 page 2-21 page 2-22 page 2-23 page 2-24 page 2-33 page 2-34 page 2-38 page 2-40 page 2-41 page 2-49 page 2-50 page 2-51 page 2-54 page 2-56 page 2-58 page 2-60 page 2-62 page 2-64 Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 2 USER EXEC MODE COMMANDS Table 2.1 User Exec Mode Commands Command opendns page ping ping6 ssh telnet terminal time-it traceroute traceroute6 virtual-machine watch Description Connects to the OpenDNS site using OpenDNS registered credentials

(username, password) OR OpenDNS API token to fetch the OpenDNS device_id. This command is a part of the process that integrates access points, controllers, and service platforms with OpenDNS. Toggles a devices (access point, wireless controller, or service platform) paging function Sends ICMP echo messages to a user-specified location Sends ICMPv6 echo messages to a user-specified IPv6 address Opens an SSH connection between two network devices Opens a Telnet session Sets the length and width of the terminal window Verifies the time taken by a particular command between request and response Traces the route to its defined destination Traces the route to a specified IPv6 destination Installs, configures, and monitors the status of virtual machines

(VMs) installed on a WiNG controller Repeats a specific CLI command at a periodic interval Reference page 2-65 page 2-67 page 2-68 page 2-70 page 2-71 page 2-72 page 2-73 page 2-74 page 2-75 page 2-76 page 2-77 page 2-83 NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS. NOTE: The input parameter <HOSTNAME>, if used in syntaxes across this chapter, cannot include an underscore (_) character. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 3 USER EXEC MODE COMMANDS 2.1.1 captive-portal-page-upload User Exec Commands Uploads captive portal advanced pages to adopted access points. Use this command to provide access points with specific captive portal configurations, so that they can successfully provision login, welcome, and condition pages to clients attempting to access the wireless network using the captive portal. NOTE: Ensure that the captive portal pages uploaded are *.tar files. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax captive-portal-page-upload [<CAPTIVE-PORTAL-NAME>|cancel-upload|delete-file|

load-file]

captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all|rf-domain]

captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all]

{upload-time <TIME>}

captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|all]

{from-controller} {(upload-time <TIME>)}

captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain

[<DOMAIN-NAME>|all]]

captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>

captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>

Parameters captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all]

{upload-time <TIME>}

captive-portal-page-

upload <CAPTIVE-

PORTAL-NAME>

Uploads advanced pages of the captive-portal identified by the <CAPTIVE-PORTAL-

NAME> parameter

<CAPTIVE-PORTAL-NAME> Specify the captive portals name (should be existing and configured).

<MAC/HOSTNAME>

all Uploads to a specified AP

<MAC/HOSTNAME> Specify APs MAC address or hostname. Uploads to all APs Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 4 USER EXEC MODE COMMANDS upload-time <TIME> Optional. Schedules an AP upload time

<TIME> Specify upload time in the MM/DD/YYYY-HH:MM or HH:MM format. The scheduled upload time is your local systems time. It is not the access point, controller, service platform, or virtual controller time and it is not synched with the device. To view a list of uploaded captive portal files, execute the show > captive-portal-

page-upload > list-files <CAPTIVE-PORTAL-NAME> command. captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|

all] {from-controller} {(upload-time <TIME>)}

captive-portal-page-

upload <CAPTIVE-

PORTAL-NAME>

Uploads advanced pages of the captive portal identified by the <CAPTIVE-PORTAL-

NAME> parameter

<CAPTIVE-PORTAL-NAME> Specify captive portal name (should be existing and configured). rf-domain

[<DOMAIN-

NAME>|all]

from-controller Uploads to all APs within a specified RF Domain or all RF Domains

<DOMAIN-NAME> Uploads to APs within a specified RF Domain. Specify the RF Domain name. all Uploads to APs across all RF Domains Optional. Uploads captive-portal pages to APs via the controller to which the APs are adopted upload-time <TIME> Optional. Schedules an AP upload time

<TIME> Specify upload time in the MM/DD/YYYY-HH:MM or HH:MM format. The scheduled upload time is your local systems time. It is not the access point, controller, service platform, or virtual controller time and it is not synched with the device. captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain

[<DOMAIN-NAME>|all]]

captive-portal-page-

upload cancel-upload cancel-upload

[<MAC/HOSTNAME>|

all|on rf-domain

[<DOMAIN-

NAME>|all]]

Cancels a scheduled AP upload Select one of the following options:

<MAC/HOSTNAME> Cancels scheduled upload to a specified AP. Specify the APs MAC address or hostname. all Cancels all scheduled AP uploads on rf- domain Cancels all scheduled uploads to APs within a specified RF Domain or all RF Domains

<DOMAIN-NAME> Cancels scheduled uploads to APs within a specified RF Do-

main. Specify RF Domain name. all Cancels scheduled uploads across all RF Domains captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>

captive-portal-page-

upload delete-file

<CAPTIVE-PORTAL-

NAME> <FILE-

NAME>

Deletes a specified captive portals uploaded captive-portal Web page files Identifies the captive-portal and Web pages to delete

<CAPTIVE-PORTAL-NAME> Specify the captive portal name.

<FILE-NAME> Specify the file name. The specified internal captive portal page is deleted. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 5 USER EXEC MODE COMMANDS captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>

captive-portal-page-

upload load-file

<CAPTIVE-PORTAL-

NAME> <URL>

Loads captive-portal advanced pages Specify the captive portal name and location. The captive portal should be existing and configured.

<URL> Specifies location of the captive-portal Web pages. Use one of the following formats to specify the location:

IPv4 URLs:

tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file http://<hostname|IP>[:port]/path/file cf:/path/file usb<n>:/path/file IPv6 URLs:

tftp://<hostname|[IPv6]>[:port]/path/file ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file http://<hostname|[IPv6]>[:port]/path/file Note: The captive portal pages are downloaded to the controller from the location specified here. After downloading use the captive-portal-page-upload > <CAPTIVE-

PORTAL-NAME> > <DEVICE-OR-DOMAIN-NAME> command to upload these pages to APs. Example ap6562-B1A214>captive-portal-page-upload load-file captive_portal_test tftp://

89.89.89.17/pages_new_only.tar ap6562-B1A214>

ap6562-B1A214>show captive-portal-page-upload load-image-status Download of captive_portal_test advanced page file is complete ap6562-B1A214>

ap6562-B1A214>captive-portal-page-upload captive_portal_test all

--------------------------------------------------------------------------------

CONTROLLER STATUS MESSAGE

--------------------------------------------------------------------------------

FC-0A-81-B1-A2-14 Success Added 6 APs to upload queue

--------------------------------------------------------------------------------

ap6562-B1A214>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 6 USER EXEC MODE COMMANDS ap6562-B1A214>show captive-portal-page-upload status Number of APs currently being uploaded : 1 Number of APs waiting in queue to be uploaded : 0

--------------------------------------------------------------------------------

-------

AP STATE UPLOAD TIME PROGRESS RETRIES LAST UPLOAD ERROR UPLOADED BY

--------------------------------------------------------------------------------

-------

ap6562-B1A738 downloading immediate 100 0 - None

--------------------------------------------------------------------------------

-------

ap6562-B1A214>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 7 USER EXEC MODE COMMANDS 2.1.2 change-passwd User Exec Commands Changes the password of the logged user. When this command is executed without any parameters, the password can be changed interactively. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax change-passwd {<OLD-PASSWORD>} <NEW-PASSWORD>

Parameters

<OLD-PASSWORD>

<NEW-PASSWORD>

change-passwd {<OLD-PASSWORD>} <NEW-PASSWORD>

Optional. Specify the existing password. Specify the new password. Note: The password can also be changed interactively. To do so, press [Enter] after the command. Usage Guidelines A password must be from 1 - 64 characters in length. Example rfs6000-81742D>change-passwd Enter old password:

Enter new password:

Password for user 'admin' changed successfully Please write this password change to memory(write memory) to be persistent. rfs6000-81742D#write memory OK rfs6000-81742D>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 8 USER EXEC MODE COMMANDS 2.1.3 clear User Exec Commands Clears parameters, cache entries, table entries, and other similar entries. The clear command is available for specific commands only. The information cleared, using this command, depends on the mode where the clear command is executed. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 NOTE: When using the clear command, refer to the interface details provided in interface. Syntax clear [arp-cache|bonjour|cdp|counters|crypto|eguest|event-history|gre|ip|

ipv6|lacp|lldp|mac-address-table|mint|role|rtls|spanning-tree|traffic-shape|

vrrp]

clear arp-cache {on <DEVICE-NAME>}

clear bonjour cache {on <DEVICE-NAME>}

clear [cdp|lldp] neighbors {on <DEVICE-NAME>}

clear counters [ap|radio|wireless-client]

clear counters [ap {<MAC>}|radio {<MAC/DEVICE-NAME>} {<1-X>}|wireless-client

{<MAC>}] {(on <DEVICE-OR-DOMAIN-NAME>)}

clear crypto [ike|ipsec] sa clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}

clear crypto ipsec sa {on <DEVICE-NAME>}

clear eguest registration statistics clear event-history clear gre stats {on <DEVICE-NAME>}

clear ip [bgp|dhcp|ospf]

clear ip bgp [<IP>|all|external|process]

clear ip bgp [<IP>|all|external] {in|on|out|soft}

clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}

clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}

clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}

clear ip bgp process {on <DEVICE-NAME>}

clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}

clear ip ospf process {on <DEVICE-NAME>}

clear ipv6 neighbor-cache {on <DEVICE-NAME>}

clear lacp [<1-4> counters|counters]

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 9 USER EXEC MODE COMMANDS clear mac-address-table {address|interface|mac-auth-state|vlan} {on <DEVICE-

NAME>}

clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}

clear mac-address-table {interface [<IN-NAME>|ge <1-2>|port-channel <1-2>|

vmif <1-8>]} {on <DEVICE-NAME>}

clear mac-address-table mac-auth-state address <MAC> vlan <1-4094> {on <DEVICE-

NAME>}

clear mint mlcp history {on <DEVICE-NAME>}

clear role ldap-stats {on <DEVICE-NAME>}

clear rtls [aeroscout|ekahau]

clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}|

on <DEVICE-OR-DOMAIN-NAME>}

clear spanning-tree detected-protocols {interface|on}

clear spanning-tree detected-protocols {on <DEVICE-NAME>}

clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-X>|me1|

port-channel <1-X>|pppoe1|up1|vlan <1-4094>|wwan1]} {on <DEVICE-NAME>}

clear traffic-shape statistics class <1-4> {(on <DEVICE-NAME>)}

clear vrrp [error-stats|stats] {on <DEVICE-NAME>}

Parameters clear arp-cache {on <DEVICE-NAME>}

arp-cache on <DEVICE-NAME>

Clears Address Resolution Protocol (ARP) cache entries on a device. This protocol matches layer 3 IP addresses to layer 2 MAC addresses. Optional. Clears ARP cache entries on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear bonjour cache {on <DEVICE-NAME>}

bonjour cache on <DEVICE-NAME>

Clears all Bonjour cached statistics. Once cleared the system has to re-discover available Bonjour services. Optional. Clears all Bonjour cached statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear [cdp|lldp] neighbors {on <DEVICE-NAME>}

cdp lldp neighbors on <DEVICE-NAME>

Clears Cisco Discovery Protocol (CDP) table entries Clears Link Layer Discovery Protocol (LLDP) table entries Clears CDP or LLDP neighbor table entries based on the option selected in the preceding step Optional. Clears CDP or LLDP neighbor table entries on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 10 USER EXEC MODE COMMANDS clear counters [ap {<MAC>}|radio {<MAC/DEVICE-NAME>} {<1-X>}|wireless-client

{<MAC>}] {(on <DEVICE-OR-DOMAIN-NAME>)}

counters ap <MAC>

radio <MAC/DEVICE-

NAME> <1-X>

Clears counters based on the parameters passed. The options are: AP, radio, and wireless clients. Clears counters for all APs or a specified AP

<MAC> Optional. Specify the APs MAC address. Note: If no MAC address is specified, all AP counters are cleared. Clears radio interface counters on a specified device or on all devices

<MAC/DEVICE-NAME> Optional. Specify the devices hostname or MAC address. Optionally, append the radio interface number (to the radio ID) using one of the following formats: AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX (where RX is the interface number).

<1-X> Optional. Identifies the radio interface by its index. Specify the radio inter-

face index, if not specified as part of the radio ID. Note, the number of radio interfaces available varies with the access point type. If no device name or MAC address is specified, all radio interface counters are cleared. wireless-client <MAC> Clears counters for all wireless clients or a specified wireless client on <DEVICE-OR-

DOMAIN-NAME>

<MAC> Optional. Specify the wireless clients MAC address. If no MAC address is specified, all wireless client counters are cleared. The following option is common to all of the above keywords:

on <DEVICE-OR-DOMAIN-NAME> Optional. Clears AP, radio, or wireless client counters on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}

crypto ike sa [<IP>|all]

on <DEVICE-NAME>

Clears encryption modules cached statistics Clears Internet Key Exchange (IKE) security associations (SAs)

<IP> Clears IKE SA entries for the peer identified by the <IP> keyword all Clears IKE SA entries for all peers Optional. Clears IKE SA entries, for a specified peer or all peers, on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear crypto ipsec sa {on <DEVICE-NAME>}

crypto ipsec sa on <DEVICE-NAME>

Clears encryption modules cached statistics Clears Internet Protocol Security (IPSec) database SAs on <DEVICE-NAME> Optional. Clears IPSec SA entries on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 11 USER EXEC MODE COMMANDS clear eguest registration statistics eguest registration statistics Clears EGuest registration server counters. When cleared EGuest registration details are deleted, and the show > eguest > registration > statistics command output is null. This command is applicable only on the NX9500, NX9600, and VX9000 model service platforms. gre stats on <DEVICE-NAME>

clear gre stats {on <DEVICE-NAME>}

Clears GRE tunnel statistics Optional. Clears GRE tunnel statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear event-history event-history Clears event history cache entries clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}

ip bgp

[<IP>|all|external]

Clears on-going BGP sessions based on the option selected

<IP> Clears BGP session with the peer identified by the <IP> keyword. Specify the BGP peers IP address. all Clears all BGP peer sessions external Clears external BGP (eBGP) peer sessions This command is applicable only to the RFS4000, RFS6000, NX9500, NX9600, and VX9000 platforms. Modifications made to BGP settings (BGP access lists, weight, distance, route-maps, versions, routing policy, etc.) take effect only after on-going BGP sessions are cleared. The clear > ip > bgp command clears BGP sessions. To reduce lose of route updates during the process, use the soft option. Soft reconfiguration stores inbound/outbound route updates to be processed later and updated to the routing table. This requires high memory usage. Optional. Clears inbound route updates prefix-filter Optional. Clears the existing Outbound Route Filtering (ORF) prefix-list Optional. Clears route updates on a specified device

<DEVICE-NAME> Specify the name of the AP or service platform. in prefix-filter on <DEVICE-NAME>

clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}

Clears on-going BGP sessions based on the option selected

<IP> Clears BGP session with the peer identified by the <IP> keyword. Specify the ip bgp

[<IP>|all|external]

BGP peers IP address. all Clears all BGP peer sessions external Clears eBGP peer sessions This command is applicable only to the RFS4000, RFS6000, NX9500, NX9600, and VX9000 platforms. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 12 USER EXEC MODE COMMANDS Modifications made to BGP settings (BGP access lists, weight, distance, route-maps, versions, routing policy, etc.) take effect only after on-going BGP sessions are cleared. The clear > ip > bgp command clears BGP sessions. To reduce lose of route updates during the process, use the soft option. Soft reconfiguration stores inbound/outbound route updates to be processed later and updated to the routing table. This requires high memory usage. Optional. Clears outbound route updates. Optionally specify the device on which to execute this command. The following keyword is recursive and optional. on <DEVICE-NAME> Optional. Clears BGP sessions on a specified device out on <DEVICE-NAME>

<DEVICE-NAME> Specify the name of the AP or service platform. clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}

ip bgp

[<IP>|all|external]

Clears on-going BGP sessions based on the option selected

<IP> Clears the BGP peer session with the peer identified by the <IP> keyword. Specify the BGP peers IP address. all Clears all BGP peer sessions external Clears eBGP peer sessions This command is applicable only to the RFS4000, RFS6000, NX9500, NX9600, and VX9000 platforms. Optional. Initiates soft-reconfiguration of route updates for the specified IP address in Optional. Enables soft reconfiguration of inbound route updates out Optional. Enables soft reconfiguration of outbound route updates Modifications made to BGP settings (BGP access lists, weight, distance, route-maps, versions, routing policy, etc.) take effect only after on-going BGP sessions are cleared. The clear > ip > bgp command clears BGP sessions. To reduce loss of route updates during the process, use the soft option. Soft reconfiguration stores inbound/outbound route updates to be processed later and updated to the routing table. This requires high memory usage. Optional. Initiates soft reconfiguration inbound/outbound route updates on a specified device

<DEVICE-NAME> Specify the name of the AP or service platform. soft {in|out}

on <DEVICE-NAME>

clear ip bgp process {on <DEVICE-NAME>}

ip bgp process on <DEVICE-NAME>

Clears all BGP processes running This command is applicable only to the RFS4000, RFS6000, NX9500, NX9600, and VX9000 platforms. Optional. Clears all BGP processes on a specified device

<DEVICE-NAME> Specify the name of the AP or service platform. clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}

ip dhcp bindings

<IP>

Clears a Dynamic Host Configuration Protocol (DHCP) servers IP address binding entries Clears DHCP connections and server bindings Clears specific address binding entries. Specify the IP address to clear binding entries. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 13 USER EXEC MODE COMMANDS all on <DEVICE-NAME>

Clears all address binding entries Optional. Clears a specified address binding or all address bindings on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear ip ospf process {on <DEVICE-NAME>}

ip ospf process on <DEVICE-NAME>

Clears already enabled Open Shortest Path First (OSPF) process and restarts the process Optional. Clears OSPF process on a specified device OSPF is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighboring routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear ipv6 neighbor-cache {on <DEVICE-NAME>}

clear ipv6 neighbor-cache on <DEVICE-NAME>

Clears IPv6 neighbor cache entries Optional. Clears IPv6 neighbor cache entries on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear lacp [<1-4> counters|counters]

clear lacp

[<1-4> counters|

counters]

Clears Link Aggregation Control Protocol (LACP) counters for a specified port-

channel group or all port-channel groups configured

<1-4> counters Clears LACP counters for a specified port-channel. Specify the port-channel index number from 1 - 4. Note, LACP is supported only on the NX5500, NX7500, and NX9500 model service platforms. However, the NX9500 series service platforms support only two (2) port-channels, and the other model service platforms support four (4) port-channels. counters Clears LACP counters for all configured port-channels on the device mac-address-table clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}

Clears MAC address forwarding table data based on the parameters passed Use this command to clear the following: all or specified MAC addresses from the system, all MAC addresses on a specified interface, all MAC addresses on a specified VLAN, or the authentication state of a MAC address. Optional. Clears a specified MAC address from the MAC address table.

<MAC> Specify the MAC address in one of the following formats: AA-BB-CC-DD-

address <MAC>

EE-FF or AA:BB:CC;DD:EE:FF or AABB.CCDD.EEFF If executed without specifying any MAC address(es), all MAC addresses from the MAC address table will be removed. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 14 USER EXEC MODE COMMANDS vlan <1-4094>

on <DEVICE-NAME>

Optional. Clears all MAC addresses for a specified VLAN

<1-4094> Specify the VLAN ID from 1 - 4094. Optional. Clears a single MAC entry or all MAC entries, for the specified VLAN on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear mac-address-table {interface [<IF-NAME>|ge <1-X>|port-channel <1-X>]} {on

<DEVICE-NAME>}

mac-address-table interface

<IF-NAME>

ge <1-X>

port-channel <1-X>

on <DEVICE-NAME>

Clears MAC address forwarding table data based on the parameters passed Use this command to clear the following: all or specified MAC addresses from the system, all MAC addresses on a specified interface, all MAC addresses on a specified VLAN, or the authentication state of a MAC address. Clears all MAC addresses for the selected interface. Use the options available to specify the interface. Clears MAC address forwarding table for the specified layer 2 interface (Ethernet port)

<IF-NAME> Specify the layer 2 interface name. Clears MAC address forwarding table for the specified GigabitEthernet interface

<1-X> Specify the GigabitEthernet interface index from 1 - X. The number of GE interfaces supported varies for different device types. Clears MAC address forwarding table for the specified port-channel interface

<1-X> Specify the port-channel interface index from 1 - X. The number of port-channel interfaces supported varies for different device types. Optional. Clears the MAC address forwarding table, for the selected interface, on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear mac-address-table mac-auth-state address <MAC> vlan <1-4904> {on <DEVICE-

NAME>}

mac-address-table mac-auth-state address

<MAC> vlan <1-4904>

Clears MAC addresses learned from a particular VLAN when WLAN MAC authentication and captive-portal fall back is enabled Access points/controllers provide WLAN access to clients whose MAC address has been learned and stored in their MAC address tables. Use this command to clear a specified MAC address on the MAC address table. Once cleared the client has to re-

authenticate, and is provided access only on successful authentication.

<MAC> Specify the MAC address to clear. vlan <1-4904> Specify the VLAN interface from 1 - 4094. In the AP/controllers MAC address table, the specified MAC address is cleared on the specified VLAN in-

terface. on <DEVICE-NAME>

Optional. Clears the specified MAC address on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. If a device is not specified, the system clears the MAC address on all devices. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 15 USER EXEC MODE COMMANDS clear mint mlcp history {on <DEVICE-NAME>}

mint mlcp history on <DEVICE-NAME>

Clears MiNT related information Clears MiNT Link Creation Protocol (MLCP) client history Optional. Clears MLCP client history on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear role ldap-stats {on <DEVICE-NAME>}

role ldap-stats on <DEVICE-NAME>

Clears Lightweight Directory Access Protocol (LDAP) server statistics Optional. Clears LDAP server statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}|

on <DEVICE-OR-DOMAIN-NAME>}

rtls aeroscout ekahau

<MAC/DEVICE-NAME>

on <DEVICE-OR-

DOMAIN-NAME>

Clears Real Time Location Service (RTLS) statistics Clears RTLS Aeroscout statistics Clears RTLS Ekahau statistics This keyword is common to the aeroscout and ekahau parameters.

<MAC/DEVICE-NAME> Optional. Clears Aeroscout or Ekahau RTLS statistics on a specified AP, wireless controller, or service platform. Specify the APs MAC address or hostname. This keyword is common to the aeroscout, ekahau, and <MAC/DEVICE-NAME>

parameters. on <DEVICE-OR-DOMAIN-NAME> Optional. Clears Aeroscout or Ekahau RTLS statistics on a specified device

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. clear spanning-tree detected-protocols {on <DEVICE-NAME>}

spanning-tree detected-protocols on <DEVICE-NAME>

Clears spanning tree entries on an interface, and restarts protocol migration Restarts protocol migration Optional. Clears spanning tree entries on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-X>|

me1|port-channel <1-X>|pppoe1|up1|vlan <1-4094>|wwan1]} {on <DEVICE-NAME>}

Clears spanning tree entries on an interface and restarts protocol migration Restarts protocol migration spanning-tree detected-protocols Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 16 USER EXEC MODE COMMANDS interface

[<INTERFACE-NAME>|

ge <1-X>|me1|

port-channel <1-X>|

pppoe1|up1|

vlan <1-4094>|

wwan1]

on <DEVICE-NAME>

Optional. Clears spanning tree entries on different interfaces

<INTERFACE-NAME> Clears detected spanning tree entries on a specified interface. Specify the interface name. ge <1-X> Clears detected spanning tree entries for the selected GigabitEthernet interface. Select the GigabitEthernet interface index from 1 - X. me1 Clears FastEthernet interface spanning tree entries port-channel <1-X> Clears detected spanning tree entries for the selected port channel interface. Select the port channel index from 1 - X. The number of port-channel interfaces supported varies for different device types. pppoe1 Clears detected spanning tree entries for Point-to-Point Protocol over Ethernet (PPPoE) interface up1 Clears detected spanning tree entries for the WAN Ethernet interface vlan <1-4094> Clears detected spanning tree entries for the selected VLAN interface. Select a Switch Virtual Interface (SVI) VLAN ID from 1- 4094. wwan1 Clears detected spanning tree entries for wireless WAN interface. Optional. Clears spanning tree entries on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear traffic-shape statistics class <1-4> {(on <DEVICE-NAME>)}

traffic-shape statistics class <1-4>

on <DEVICE-NAME>

Clears traffic shaping statistics Clears traffic shaping statistics for a specific traffic class

<1-4> Specify the traffic class from 1 - 4. Note: If the traffic class is not specified, the system clears all traffic shaping statistics. Optional. Clears traffic shaping statistics for the specified traffic class on a specified device

<DEVICE-NAME> Specify the name of the access point, wireless controller, or service platform. Note: For more information on configuring traffic-shape, see traffic-shape. clear vrrp [error-stats|stats] {on <DEVICE-NAME>}

vrrp error-stats stats on <DEVICE-NAME>

Clears a devices Virtual Router Redundancy Protocol (VRRP) statistics VRRP allows a pool of routers to be advertized as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router, from this pool, and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address. Clears global error statistics Clears VRRP related statistics The following keywords are common to the error-stats and stats parameters:

on <DEVICE-NAME> Optional. Clears VRRP statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 17 Example USER EXEC MODE COMMANDS rfs4000-229D58>clear event-history rfs4000-229D58>clear spanning-tree detected-protocols interface port-channel 1 rfs4000-229D58>clear spanning-tree detected-protocols interface ge 1 rfs4000-229D58>show lldp neighbors

-------------------------

Chassis ID: 00-23-68-88-0D-A7 System Name: rfs4000-880DA7 Platform: RFS-4011-11110-US, Version 5.8.6.0-008B Capabilities: Bridge WLAN Access Point Router Enabled Capabilities: Bridge WLAN Access Point Router Local Interface: ge5, Port ID (outgoing port): ge5 TTL: 176 sec Management Addresses: 192.168.13.8,192.168.0.1,1.2.3.4 rfs4000-229D58>

rfs4000-229D58>clear lldp neighbors rfs4000-229D58>show lldp neighbors rfs4000-229D58>show cdp neighbors

--------------------------------------------------------------------------------

Device ID Platform Local Intrfce Port ID Duplex

--------------------------------------------------------------------------------

rfs4000-880DA7 RFS-4011-11110-US ge1 ge1 full rfs6000-434CAA RFS6000 ge1 ge1 full ap7131-139B34 AP7131N ge1 ge1 full

--------------------------------------------------------------------------------

rfs4000-229D58>

rfs4000-229D58>clear cdp neighbors rfs4000-229D58>show cdp neighbors

--------------------------------------------------------------------------------

Device ID Platform Local Intrfce Port ID Duplex

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

rfs4000-229D58>

rfs4000-229D58>clear role ldap-stats rfs4000-229D58>show role ldap-stats No ROLE LDAP statistics found. rfs4000-229D58>

rfs4000-229D58>show mac-address-table

--------------------------------------------------------

BRIDGE VLAN PORT MAC STATE

--------------------------------------------------------

1 1 ge5 00-02-B3-28-D1-55 forward 1 1 ge5 00-0F-8F-19-BA-4C forward 1 1 ge5 B4-C7-99-5C-FA-8E forward 1 1 ge5 00-23-68-0F-43-D8 forward 1 1 ge5 00-15-70-38-06-49 forward 1 1 ge5 00-23-68-13-9B-34 forward 1 1 ge5 B4-C7-99-58-72-58 forward 1 1 ge5 00-15-70-81-74-2D forward

--------------------------------------------------------

Total number of MACs displayed: 8 rfs4000-229D58>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 18 USER EXEC MODE COMMANDS rfs4000-229D58>clear mac-address-table address 00-02-B3-28-D1-55 rfs4000-229D58>show mac-address-table

--------------------------------------------------------

BRIDGE VLAN PORT MAC STATE

--------------------------------------------------------

1 1 ge5 00-0F-8F-19-BA-4C forward 1 1 ge5 B4-C7-99-5C-FA-8E forward 1 1 ge5 00-23-68-0F-43-D8 forward 1 1 ge5 00-15-70-38-06-49 forward 1 1 ge5 00-23-68-13-9B-34 forward 1 1 ge5 B4-C7-99-58-72-58 forward 1 1 ge5 00-15-70-81-74-2D forward

--------------------------------------------------------

Total number of MACs displayed: 7 rfs4000-229D58>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 19 USER EXEC MODE COMMANDS 2.1.4 clock User Exec Commands Sets a devices system clock. By default all WiNG devices are shipped with the time zone and time format set to UTC and 24-hour clock respectively. If a devices clock is set without resetting the time zone, the time is displayed relative to the Universal Time Coordinated (UTC) Greenwich Time. To display time in the local time zone format, in the devices configuration mode, use the timezone command. You can also reset the time zone at the RF Domain level. When configured as RF Domain setting, it applies to all devices within the domain. Configuring the local time zone prior to setting the clock is recommended. For more information on configuring RF Domain time zone, see timezone. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}

Parameters clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}

clock set

<HH:MM:SS>

<1-31>

<MONTH>

<1993-2035>

on

<DEVICE-NAME>

Example Sets a devices software system clock Sets the current time (in military format hours, minutes, and seconds) Note: By default, the WiNG software displays time in the 24-hour clock format. This setting cannot be changed. Sets the numerical day of the month Sets the month of the year (Jan to Dec) Sets a valid four digit year from 1993 - 2035 Optional. Sets the clock on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. The following commands set the time zone and clock for the logged device:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#timezone America/Los_Angeles nx9500-6C8809>clock set 11:24:30 21 Jan 2017 nx9500-6C8809>show clock 2017-01-21 12:14:14 PDT nx9500-6C8809>

Note, if the clock is set without resetting the time zone, the time displays as UTC time, as shown in the following example:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#no timezone nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#commit nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show clock 2017-01-21 19:15:55 UTC nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 20 USER EXEC MODE COMMANDS 2.1.5 cluster User Exec Commands Initiates cluster context. The cluster context provides centralized management to configure all cluster members from any one member. Commands executed under this context are executed on all members of the cluster. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax cluster start-election Parameters cluster start-election start-election Starts a new cluster master election Example nx9500-6C8809>cluster start-election nx9500-6C8809>

Related Commands create-cluster join-cluster Creates a new cluster on the specified device Adds a wireless controller or service platform, as a member, to an existing cluster of controllers Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 21 USER EXEC MODE COMMANDS 2.1.6 connect User Exec Commands Begins a console connection to a remote device using the remote devices MiNT ID or name Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]

Parameters mint-id <MINT-ID>

connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]

Connects to the remote system using its MiNT ID

<MINT-ID> Specify the remote devices MiNT ID. Connects to the remote system using its name

<REMOTE-DEVICE-NAME> Specify the remote devices name.

<REMOTE-DEVICE-

NAME>

Example rfs6000-81742D>show mint lsp-db 9 LSPs in LSP-db of 19.6D.B5.D4:

LSP 19.6C.88.09 at level 1, hostname nx9500-6C8809", 8 adjacencies, seqnum 1294555 LSP 19.6D.B5.D4 at level 1, hostname "rfs6000-81742D", 8 adjacencies, seqnum 1915724 LSP 19.74.B4.5C at level 1, hostname "ap8132-74B45C", 8 adjacencies, seqnum 1468229 LSP 4D.80.C2.AC at level 1, hostname "ap7532-80C2AC", 8 adjacencies, seqnum 649244 LSP 4D.83.30.A4 at level 1, hostname "ap7522-8330A4", 8 adjacencies, seqnum 202821 LSP 4D.84.A2.24 at level 1, hostname "ap7562-84A224", 8 adjacencies, seqnum 380340 LSP 68.88.0D.A7 at level 1, hostname "rfs4000-880DA7", 8 adjacencies, seqnum 1494523 LSP 68.99.BB.7C at level 1, hostname "ap7131-99BB7C", 8 adjacencies, seqnum 831532 rfs6000-81742D>

rfs6000-81742D>connect mint-id 19.6C.88.09 Entering character mode Escape character is '^]'. NX9500 release 5.9.1.0-012D nx9500-6C8809 login:

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 22 USER EXEC MODE COMMANDS 2.1.7 create-cluster User Exec Commands Creates a new device cluster with the specified name and assigns it an IP address and routing level A cluster (or redundancy group) is a set of controllers or service platforms (nodes) uniquely defined by a profile configuration. Within the cluster, members discover and establish connections to other members and provide wireless network self-healing support in the event of member's failure. A cluster's load is typically distributed evenly amongst its members. An administrator needs to define how often the profile is load balanced for radio distribution, as radios can come and go and members join and exit the cluster. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}

Parameters create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}

create-cluster name

<CLUSTER-NAME>

Creates a cluster Configures the cluster name

<CLUSTER-NAME> Specify a cluster name. Define a name for the cluster name unique to its configuration or profile support requirements. The name cannot exceed 64 characters. ip <IP>

level [1|2]

Specifies the devices IP address used for cluster creation

<IP> Specify the devices IP address in the A.B.C.D format. Optional. Configures the clusters routing level 1 Configures level 1 (local) routing 2 Configures level 2 (inter-site) routing Example rfs6000-81742D>create-cluster name TechPubs ip 192.168.13.23 level 1

... creating cluster

... committing the changes

... saving the changes Please Wait .

[OK]

rfs6000-81742D>

rfs6000-81742D>show context session-config include-factory | include cluster name TechPubs cluster name TechPubs rfs6000-81742D>

Related Commands cluster join-cluster Initiates cluster context. The cluster context provides centralized management to configure all cluster members from any one member. Adds a device, as a member, to an existing cluster of devices Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 23 USER EXEC MODE COMMANDS 2.1.8 crypto User Exec Commands Enables digital certificate configuration and RSA Keypair management. Digital certificates are issued by CAs and contain user or device specific information, such as name, public key, IP address, serial number, company name, etc. Use this command to generate, delete, export, or import encrypted RSA Keypairs and generate Certificate Signing Request (CSR). This command also enables trustpoint configuration. Trustpoints contain the CAs identity and configuration parameters. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax crypto [key|pki]

crypto key [export|generate|import|zeroize]

crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL>

{background|on|passphrase}

crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|passphrase

<KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}

crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL>

{background|on|passphrase}

crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|passphrase

<KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}

crypto pki [authenticate|export|generate|import|zeroize]

crypto pki authenticate <TRUSTPOINT-NAME> <LOCATION-URL> {background}

{(on <DEVICE-NAME>)}

crypto pki export [request|trustpoint]

crypto pki export request [generate-rsa-key|short|use-rsa-key] <RSA-KEYPAIR-NAME>

[autogen-subject-name|subject-name]

crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>

autogen-subject-name (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>, ip-address <IP>) crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|

use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE>

<CITY> <ORGANIZATION> <ORGANIZATION-UNIT> (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>, fqdn <FQDN>,ip-address <IP>) crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL>

{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME)}

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 24 USER EXEC MODE COMMANDS crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key]

<RSA-KEYPAIR-NAME> [autogen-subject-name|subject-name]

crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key]

<RSA-KEYPAIR-NAME> autogen-subject-name {(email <SEND-TO-EMAIL>, fqdn <FQDN>,ip-

address <IP>,on <DEVICE-NAME>)}

crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key]

<RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY>

<ORGANIZATION> <ORGANIZATION-UNIT> {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address

<IP>,on <DEVICE-NAME>)}

crypto pki import [certificate|crl|trustpoint]

crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL>

{background} {(on <DEVICE-NAME>}) crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL>

{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}

Parameters crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|passphrase

<KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

key export rsa

<RSA-KEYPAIR-

NAME>

<EXPORT-TO-URL>

background passphrase

<KEY-PASSPHRASE>

background on <DEVICE-NAME>

Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key. Exports an existing RSA Keypair to a specified destination

<RSA-KEYPAIR-NAME> Specify the RSA Keypair name. Specify the RSA Keypair destination address. Both IPv4 and IPv6 address formats are supported. After specifying the destination address (where the RSA Keypair is exported), configure one of the following parameters: background or passphrase. Optional. Performs export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on. Optional. Encrypts RSA Keypair before exporting

<KEY-PASSPHRASE> Specify a passphrase to encrypt the RSA Keypair. background Optional. Performs export operation in the background. After spec-

ifying the passphrase, optionally specify the device (access point or controller) to perform the export on. The following parameter is recursive and common to all of the above parameters:

on <DEVICE-NAME> Optional. Performs export operation on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}

key Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 25 USER EXEC MODE COMMANDS generate rsa

<RSA-KEYPAIR-

NAME> [2048|4096]

Generates a new RSA Keypair

<RSA-KEYPAIR-NAME> Specify the RSA Keypair name.

[2048|4096] Sets the size of the RSA key in bits. The options are 2048 bits and 4096 bits. The default size is 2048 bits. on <DEVICE-NAME>

After specifying the key size, optionally specify the device (access point or controller) to generate the key on. Optional. Generates the new RSA Keypair on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL>

{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

key Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key. Imports a RSA Keypair from a specified source

<RSA-KEYPAIR-NAME> Specify the RSA Keypair name. import rsa

<RSA-KEYPAIR-

NAME>

<IMPORT-FROM-URL> Specify the RSA Keypair source address. Both IPv4 and IPv6 address formats are background passphrase

<KEY-PASSPHRASE>

background on <DEVICE-NAME>

supported. After specifying the source address (where the RSA Keypair is imported from), configure one of the following parameters: background or passphrase. Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on. Optional. Decrypts the RSA Keypair after importing

<KEY-PASSPHRASE> Specify the passphrase to decrypt the RSA Keypair. background Optional. Performs import operation in the background. After spec-

ifying the passphrase, optionally specify the device (access point, controller, or ser-

vice platform) to perform the import on. The following parameter is recursive and common to the background and passphrase keywords:

on <DEVICE-NAME> Optional. Performs import operation on a specific device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}

key zeroize rsa

<RSA-KEYPAIR-

NAME>

force Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key. Deletes a specified RSA Keypair

<RSA-KEYPAIR-NAME> Specify the RSA Keypair name. Note: All device certificates associated with this key will also be deleted. Optional. Forces deletion of all certificates associated with the specified RSA Keypair. Optionally specify a device on which to force certificate deletion. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 26 USER EXEC MODE COMMANDS on <DEVICE-NAME>

The following parameter is recursive and optional:

on <DEVICE-NAME> Optional. Deletes all certificates associated with the RSA Keypair on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. crypto pki authenticate <TRUSTPOINT-NAME> <URL> {background} {(on <DEVICE-

NAME>)}

pki authenticate

<TRUSTPOINT-NAME>

<URL>

background on <DEVICE-NAME>

Enables Private Key Infrastructure (PKI) management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated Certificate Authority (CA) certificates. Authenticates a trustpoint and imports the corresponding CA certificate

<TRUSTPOINT-NAME> Specify the trustpoint name. Specify CAs location. Both IPv4 and IPv6 address formats are supported. Note: The CA certificate is imported from the specified location. Optional. Performs authentication in the background. If selecting this option, you can optionally specify the device (access point, controller, or service platform) to perform the export on. The following parameter is recursive and optional:

on <DEVICE-NAME> Optional. Performs authentication on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>

autogen-subject-name (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-

address <IP>) pki export request

[generate-rsa-key|

use-rsa-key]

<RSA-KEYPAIR-

NAME>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Exports CSR to the CA for digital identity certificate. The CSR contains applicants details and RSA Keypairs public key. Generates a new RSA Keypair or uses an existing RSA Keypair generate-rsa-key Generates a new RSA Keypair for digital authentication use-rsa-key Uses an existing RSA Keypair for digital authentication

<RSA-KEYPAIR-NAME> If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name. autogen-subject-name Auto generates subject name from configuration parameters. The subject name

<EXPORT-TO-URL>

email

<SEND-TO-EMAIL>

fqdn <FQDN>

ip-address <IP>

identifies the certificate. Specify the CAs location. Both IPv4 and IPv6 address formats are supported. Note: The CSR is exported to the specified location. Exports CSR to a specified e-mail address

<SEND-TO-EMAIL> Specify the CAs e-mail address. Exports CSR to a specified Fully Qualified Domain Name (FQDN)

<FQDN> Specify the CAs FQDN. Exports CSR to a specified device or system

<IP> Specify the CAs IP address. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 27 USER EXEC MODE COMMANDS crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-

key]|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE>

<CITY> <ORGANIZATION> <ORGANIZATION-UNIT> (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>, fqdn <FQDN>,ip-address <IP>) pki export request

[generate-rsa-key|

short [generate-rsa-

key|use-rsa-key]|

use-rsa-key]

<RSA-KEYPAIR-

NAME>

subject-name

<COMMON-NAME>

<COUNTRY>

<STATE>

<CITY>

<ORGANIZATION>

<ORGANIZATION-

UNIT>

<EXPORT-TO-URL>

email

<SEND-TO-EMAIL>

fqdn <FQDN>

ip-address <IP>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Exports CSR to the CA for a digital identity certificate. The CSR contains applicants details and RSA Keypairs public key. Generates a new RSA Keypair or uses an existing RSA Keypair generate-rsa-key Generates a new RSA Keypair for digital authentication short [generate-rsa-key|use-rsa-key] Generates and exports a shorter version of the CSR generate-rsa-key Generates a new RSA Keypair for digital authentication. If gen-

erating a new RSA Keypair, specify a name for it. use-rsa-key Uses an existing RSA Keypair for digital authentication. If using an existing RSA Keypair, specify its name. use-rsa-key Uses an existing RSA Keypair for digital authentication

<RSA-KEYPAIR-NAME> If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name. Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate

<COMMON-NAME> Specify the common name used with the CA certificate. The name should enable you to identify the certificate easily (2 to 64 characters in length). Sets the deployment country code (2 character ISO code) Sets the state name (2 to 64 characters in length) Sets the city name (2 to 64 characters in length) Sets the organization name (2 to 64 characters in length) Sets the organization unit (2 to 64 characters in length) Specify the CAs location. Both IPv4 and IPv6 address formats are supported. The CSR is exported to the specified location. Exports CSR to a specified e-mail address

<SEND-TO-EMAIL> Specify the CAs e-mail address. Exports CSR to a specified FQDN

<FQDN> Specify the CAs FQDN. Exports CSR to a specified device or system

<IP> Specify the CAs IP address. crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL>

{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 28 USER EXEC MODE COMMANDS export trustpoint

<TRUSTPOINT-NAME>

<EXPORT-TO-URL>

background passphrase

<KEY-PASSPHRASE>

background on <DEVICE-NAME>

Exports a trustpoint along with CA certificate, Certificate Revocation List (CRL), server certificate, and private key

<TRUSTPOINT-NAME> Specify the trustpoint name (should be authenticated). Specify the destination address. Both IPv4 and IPv6 address formats are supported. The trustpoint is exported to the address specified here. Optional. Performs export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on Optional. Encrypts the key with a passphrase before exporting

<KEY-PASSPHRASE> Specify the passphrase to encrypt the trustpoint. background Optional. Performs export operation in the background. After spec-

ifying the passphrase, optionally specify the device (access point or controller) to perform the export on. The following parameter is recursive and common to the background and passphrase keywords:

on <DEVICE-NAME> Optional. Performs export operation on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key]

<RSA-KEYPAIR-NAME> autogen-subject-name {(email <SEND-TO-EMAIL>,fqdn <FQDN>, ip-address <IP>,on <DEVICE-NAME>)}

pki generate self-signed

<TRUSTPOINT-NAME>

[generate-rsa-key|

use-rsa-key]

<RSA-KEYPAIR-

NAME>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates. Generates a certificate and a trustpoint Generates a self-signed certificate and a trustpoint

<TRUSTPOINT-NAME> Specify a name for the certificate and its trustpoint. Generates a new RSA Keypair, or uses an existing RSA Keypair generate-rsa-key Generates a new RSA Keypair for digital authentication use-rsa-key Uses an existing RSA Keypair for digital authentication

<RSA-KEYPAIR-NAME> If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name. autogen-subject-name Auto generates the subject name from the configuration parameters. The subject email

<SEND-TO-EMAIL>

fqdn <FQDN>

ip-address <IP>

on <DEVICE-NAME>

name helps to identify the certificate. Optional. Exports the self-signed certificate to a specified e-mail address

<SEND-TO-EMAIL> Specify the e-mail address. Optional. Exports the self-signed certificate to a specified FQDN

<FQDN> Specify the FQDN. Optional. Exports the self-signed certificate to a specified device or system

<IP> Specify the devices IP address. Optional. Exports the self-signed certificate on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 29 USER EXEC MODE COMMANDS crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key]

<RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY>

<ORGANIZATION> <ORGANIZATION-UNIT> {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address

<IP>,on <DEVICE-NAME>)}

pki generate self-signed

<TRUSTPOINT-NAME>

[generate-rsa-key|

use-rsa-key]

<RSA-KEYPAIR-

NAME>

subject-name

<COMMON-NAME>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates. Generates a self-signed certificate and a trustpoint

<TRUSTPOINT-NAME> Specify a name for the certificate and its trustpoint. Generates a new RSA Keypair, or uses an existing RSA Keypair generate-rsa-key Generates a new RSA Keypair for digital authentication use-rsa-key Uses an existing RSA Keypair for digital authentication

<RSA-KEYPAIR-NAME> If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name. Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate

<COMMON-NAME> Specify the common name used with this certificate. The name should enable you to identify the certificate easily and should not exceed 2 to 64 characters in length.

<COUNTRY>

<STATE>

<CITY>

<ORGANIZATION>

<ORGANIZATION-

UNIT>

email

<SEND-TO-EMAIL>

fqdn <FQDN>

ip-address <IP>

Sets the deployment country code (2 character ISO code) Sets the state name (2 to 64 characters in length) Sets the city name (2 to 64 characters in length) Sets the organization name (2 to 64 characters in length) Sets the organization unit (2 to 64 characters in length) Optional. Exports the self-signed certificate to a specified e-mail address

<SEND-TO-EMAIL> Specify the e-mail address. Optional. Exports the self-signed certificate to a specified FQDN

<FQDN> Specify the FQDN. Optional. Exports the self-signed certificate to a specified device or system

<IP> Specify the devices IP address. crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL>

{background} {(on <DEVICE-NAME>)}

pki import

[certificate|crl]

<TRUSTPOINT-NAME>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Imports certificates, Certificate Revocation List (CRL), or a trustpoint to the selected device Imports a signed server certificate or CRL certificate Imports signed server certificate crl Imports CRL

<TRUSTPOINT-NAME> Specify the trustpoint name (should be authenticated).

<IMPORT-FROM-URL> Specify the signed server certificate or CRL source address. Both IPv4 and IPv6 address formats are supported. The server certificate or the CRL (based on the parameter passed in the preceding step) is imported from the location specified here. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 30 USER EXEC MODE COMMANDS background on <DEVICE-NAME>

Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on. The following parameter is recursive and optional:

on <DEVICE-NAME> Optional. Performs import operation on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL>

{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

pki import trustpoint

<TRUSTPOINT-NAME>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Imports certificates, CRL, or a trustpoint to the selected device Imports a trustpoint and its associated CA certificate, server certificate, and private key

<TRUSTPOINT-NAME> Specify the trustpoint name (should be authenticated).

<IMPORT-FROM-URL> Specify the trustpoint source address. Both IPv4 and IPv6 address formats are background passphrase

<KEY-PASSPHRASE>

background on <DEVICE-NAME>

supported. Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on. Optional. Decrypts trustpoint with a passphrase after importing

<KEY-PASSPHRASE> Specify the passphrase. After specifying the passphrase, optionally specify the device to perform import on. background Optional. Performs import operation in the background. After spec-

ifying the passphrase, optionally specify the device (access point or controller) to perform the import on. The following parameter is recursive and optional:

on <DEVICE-NAME> Optional. Performs import operation on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}

pki zeroize trustpoint

<TRUSTPOINT-NAME>

del-key on <DEVICE-NAME>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Deletes a trustpoint and its associated CA certificate, server certificate, and private key

<TRUSTPOINT-NAME> Specify the trustpoint name (should be authenticated). Optional. Deletes the private key associated with the server certificate. Optionally specify the device to perform deletion on. The following parameter is recursive and optional:

on <DEVICE-NAME> Optional. Deletes the trustpoint on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 31 Usage Guidelines USER EXEC MODE COMMANDS The system supports both IPv4 and IPv6 address formats. Provide source and destination locations using any one of the following options:

IPv4 URLs:

tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>@<hostname|IP>[:port]>/path/file http://<hostname|IP>[:port]/path/file cf:/path/file usb<n>:/path/file IPv6 URLs:

tftp://<hostname|[IPv6]>[:port]/path/file ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file http://<hostname|[IPv6]>[:port]/path/file Example rfs6000-81742D>crypto key generate rsa key 1025 RSA Keypair successfully generated rfs6000-81742D>

rfs6000-81742D>crypto key import rsa test123 url passphrase word background RSA key import operation is started in background rfs6000-81742D>

rfs6000-81742DE>crypto pki generate self-signed word generate-rsa-key word autogen-subject-name fqdn word Successfully generated self-signed certificate rfs6000-81742D>

rfs6000-81742D>crypto pki zeroize trustpoint word del-key Successfully removed the trustpoint and associated certificates

%Warning: Applications associated with the trustpoint will start using default-

trustpoint rfs6000-81742D>

rfs6000-81742D>crypto pki authenticate word url background Import of CA certificate started in background rfs6000-81742D>

rfs6000-81742D>crypto pki import trustpoint word url passphrase word Import operation started in background rfs6000-81742D>

Related Commands no Removes server certificates, trustpoints and their associated certificates Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 32 USER EXEC MODE COMMANDS 2.1.9 crypto-cmp-cert-update User Exec Commands Triggers a Certificate Management Protocol (CMP) certificate update on a specified device or devices Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}

Parameters crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}

crypto-cmp-cert-

update

<TRUSTPOINT-

NAME> on

<DEVICE-NAME>

Triggers a CMP certificate update on a specified device or devices

<TRUSTPOINT-NAME> Specify the target trustpoint name. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate. Use the crypto-

cmp-policy context mode to configure the trustpoint. on <DEVICE-NAME> Optional. Initiates a CMP certificate update and response on a specified device or devices. Specify the name of the AP, wireless controller, or service platform. Multiple devices can be provided as a comma separated list.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Example rfs4000-229D58>crypto-cmp-cert-update test on B4-C7-99-71-17-28 CMP Cert update success rfs4000-229D58>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 33 USER EXEC MODE COMMANDS 2.1.10 database User Exec Commands Enables automatic repairing (vacuuming) and dropping of captive-portal and NSight databases If enforcing authenticated access to the database, use this command to generate the keyfile. Every keyfile has a set of associated users having a username and password. Access to the database is allowed only if the user credentials entered during database login are valid. For more information on enabling database authentication, see Enabling Database Authentication. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax database [drop|keyfile|repair]

database drop [all|captive-portal|nsight]

database repair {on <DEVICE-NAME>}

database keyfile [export|generate|import|zerzoise]

database keyfile generate database keyfile [export|import] <URL>

database keyfile zerzoise Parameters database drop [all|captive-portal|nsight]

database drop

[all|captive-portal|

nsight]

Drops (deletes) all or a specified database. Execute the command on the database. all Drops all databases, captive portal and NSight captive-portal Drops the captive-portal database nsight Drops the NSight database database repair {on <DEVICE-NAME>}

database repair on <DEVICE-NAME>

Enables automatic repairing of all databases. Repairing (vacuuming a database refers to the process of finding and reclaiming space left over from previous DELETE statements. Execute the command on the database host. on <DEVICE-NAME> Optional. Specifies the name of the database host. When specified, databases on the specified host are periodically checked to identify and remove obsolete data documents.

<DEVICE-NAME> Specify the name of the access point, wireless controller, or ser-

vice platform. Note: If no device is specified, the system repairs all databases. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 34 USER EXEC MODE COMMANDS database keyfile generate database keyfile

[generate|zerzoise]

Enables database keyfile management. This command is part of a set of configurations required to enforce database authentication. Use this command to generate database keyfiles. After generating the keyfile, create the username and password combination required to access the database. For information on creating database users see, service. For information on enabling database authentication, see Enabling Database Authentication. generate Generates the keyfile. In case of a replica-set deployment, execute the command on the primary database host. Once generated, export the keyfile to a specified location from where it is imported on to the replica-set hosts. database keyfile [export|import] <URL>

database keyfile

[export|import]

<URL>

Enables database keyfile management. This command is part of a set of configurations required to enforce database authentication. Use this command to exchange keyfiles between replica set members. export Exports the keyfile to a specified location on an FTP/SFTP/TFTP server. Execute the command on the database host on which the keyfile has been generated. import Imports the keyfile from a specified location. Execute the command on the replica set members. The following parameter is common to both of the above keywords:

<URL> Specify the location to/from where the keyfile is to be exported/imported. Use one of the following options to specify the keyfile location:

ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file tftp://<hostname|IP>[:port]/path/file database keyfile zerzoise database keyfile zerzoise Enables database keyfile management. Use this command to delete keyfiles zerzoise Deletes an existing keyfile. Example nx9500-6C8809>database repair on nx9500-6C8809 nx9500-6C8809>

nx9500-6C8809>database keyfile generate Database keyfile successfully generated nx9500-6C8809>

nx9500-6C8809>database keyfile zeroize Database keyfile successfully removed nx9500-6C8809>

vx9000-1A1809>database keyfile generate Database keyfile successfully generated vx9000-1A1809>

vx9000-1A1809>database keyfile export ftp://1.1.1.111/db-key Database keyfile successfully exported vx9000-1A1809>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 35 USER EXEC MODE COMMANDS vx9000-D031F2>database keyfile import ftp://1.1.1.111/db-key Database keyfile successfully imported vx9000-D031F2>

Example Enabling Database Authentication Follow the steps below to enable database authentication. 1 On the primary database host, a Generate the database keyfile. Primary-DB-HOST>database keyfile generate Database keyfile successfully generated Primary-DB-HOST>

b Use the show > database > keyfile command to view the generated keyfile. c Export the keyfile to an external location. This is required only in case of database replica-set deployment. Primary-DB-HOST>database keyfile export ftp://1.1.1.111/db-key Database keyfile successfully exported Primary-DB-HOST>

d Create the users that are allowed access to the database. Primary-DB-HOST#service database authentication create-user username techpubs password techPubs@123 Database user [techpubs] created. Primary-DB-HOST#

e View the database user account created. Primary-DB-HOST#show database users

--------------------------------

DATABASE USER

--------------------------------

techpubs

--------------------------------

Primary-DB-HOST#

2 On the replica set host, import the keyfile from the location specified in Step 1 c. Secondary-DB-HOST#database keyfile import ftp://1.1.1.111/db-key 3 In the database-policy context, --- (used on the NSight/EGuest database hosts) a Enable authentication. Primary-DB-HOST(config-database-policy-techpubs)#authentication b Configure the user accounts created in Step 1 d. Primary-DB-HOST(config-database-policy-techpubs)#authentication username techpubs password S540QFZz9LzSOdX1ZJEqDgAAAAy3b7GtyO4Z/Ih2ruxnOYnr Primary-DB-HOST(config-database-policy-techpubs)#show context database-policy techpubs authentication authentication username techpubs password 2 S540QFZz9LzSOdX1ZJEqDgAAAAy3b7GtyO4Z/Ih2ruxnOYnr replica-set member nx7500-A02B91 arbiter replica-set member vx9000-1A1809 priority 1 Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 36 USER EXEC MODE COMMANDS replica-set member vx9000-D031F2 priority 20 Primary-DB-HOST(config-database-policy-techpubs)#

4 In the database-client policy context --- (used on the NSight/EGuest server host), Note, this configuration is required only if the NSight/EGuest server and database are hosted on separate hosts. a Configure the user credentials created in Step 1 d. NOC-Controller(config-database-client-policy-techpubs)#authentication username techpubs password S540QFZz9LzSOdX1ZJEqDgAAAAy3b7GtyO4Z/Ih2ruxnOYnr b View the configuration. NOC-Controller(config-database-client-policy-techpubs)#show context database-client-policy techpubs authentication username techpubs password 2 S540QFZz9LzSOdX1ZJEqDgAAAAy3b7GtyO4Z/Ih2ruxnOYnr NOC-Controller(config-database-client-policy-techpubs)#

Related Commands database-backup database-restore database-policy database-client-

policy service Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server Restores a previously exported database [captive-portal and/or NSight]

Documents database-policy configuration commands. Use this option to enable the database. Documents database-client-policy configuration commands. Use this option to configure the database host details (IP address or hostname). If enforcing database authentication, use it to configure the users having database access. Once configured, use the policy in the NSight/EGuest servers device config context. Documents the database user account configuration details Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 37 USER EXEC MODE COMMANDS 2.1.11 database-backup User Exec Commands Backs up captive-portal and/or NSight database to a specified location and file on an FTP, SFTP, or TFTP server. Execute this command on the database host. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax database-backup database [captive-portal|nsight|nsight-placement-info] <URL>

database-backup database [captive-portal|nsight] <URL>

database-backup database nsight-placement-info <URL>

Parameters database-backup database [captive-portal|nsight] <URL>

database-backup database

[captive-portal|

nsight]

<URL>

Backs up captive portal and/or NSight database to a specified location. Select the database to backup:

captive-portal Backs up captive portal database nsight Backs up NSight database After specifying the database type, configure the destination location. Configures the destination location. The database is backed up at the specified location. Specify the location URL in one of the following formats:

ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz database-backup database nsight-placement-info <URL>

database-backup database nsight-placement-

info <URL>

Backs up the NSight access point placement related details to a specified location

<URL> Specify the URL in one of the following formats:

ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz tftp://<hostname|IP>[:port]/path/file.tar.gz Example NS-DB-nx9510-6C87EF>database-backup database nsight tftp://192.168.9.50/testbckup NS-DB-nx9510-6C87EF>show database backup-status Last Database Backup Status : In_Progress(Starting tftp transfer.) Last Database Backup Time : 2017-04-17 12:48:05 NS-DB-nx9510-6C87EF>show database backup-status Last Database Backup Status : Successful Last Database Backup Time : Mon Apr 17 12:48:08 IST 2017 NS-DB-nx9510-6C87EF>Apr 17 12:48:17 2017: NS-DB-nx9510-6C87EF : %DATABASE-6-

OPERATION_COMPLETE: backup for database nsight successful NS-DB-nx9510-6C87EF#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 38 USER EXEC MODE COMMANDS NS-DB-nx9510-6C87EF>database-backup database nsight-placement-info tftp://192.16 8.9.50/plmentinfo NS-DB-nx9510-6C87EF>show database backup-status Last Database Backup Status : Successful Last Database Backup Time : Mon Apr 17 12:48:48 IST 2017 NS-DB-nx9510-6C87EF>Apr 17 12:49:03 2017: NS-DB-nx9510-6C87EF : %DATABASE-6-

OPERATION_COMPLETE: backup for database nsight-placement-info successful NS-DB-nx9510-6C87EF>

Related Commands database database-restore Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and/or NSight) Restores a previously exported (backed up) database (captive-portal and/or NSight)]

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 39 USER EXEC MODE COMMANDS 2.1.12 database-restore User Exec Commands Restores a previously exported database [captive-portal and/or NSight]. Previously exported databases

(backed up to a specified FTP or SFTP server) are restored from the backed-up location to the original database. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax database-restore database [captive-portal|nsight] <URL>

Parameters database-restore database [captive-portal|nsight] <URL>

database-restore database

[captive-portal|

nsight]

<URL>

Example Restores previously exported (backed up) captive-portal and/or NSight database. Specify the database type:

captive-portal Restores captive portal database nsight Restores NSight database After specifying the database type, configure the destination location and file name from where the files are restored. Configures the destination location. The database is restored from the specified location. Specify the location URL in one of the following formats:

ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz tftp://<hostname|IP>[:port]/path/file.tar.gz nx9500-6C8809>database-restore database nsight ftp://

anonymous:anonymous@192.168.13.10/backups/nsight/nsight.tar.gz Related Commands database database-backup Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and NSight) Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 40 USER EXEC MODE COMMANDS 2.1.13 device-upgrade User Exec Commands Enables firmware upgrade on an adopted device or a set of adopted devices (access points, wireless controllers, and service platforms). In an hierarchically managed (HM) network, this command enables centralized device upgradation across the network. The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller. The NOC controller constitutes the first and the site controllers constitute the second tier of the hierarchy. The site controllers in turn adopt and manage access points that form the third tier of the hierarchy. NOTE: Hierarchical management allows the NOC controller to upgrade controllers and access points that are directly or indirectly adopted to it. However, ensure that the NOC controller is loaded with the correct firmware version. Use the device-upgrade command to schedule firmware upgrades across adopted devices within the network. Devices are upgraded based on their device names, MAC addresses, or RF Domain. NOTE: If the persist-images option is selected, the RF Domain manager retains the old firmware image, or else deletes it. For more information on enabling device upgrade on profiles and devices (including the persist-

images option), see device-upgrade. NOTE: A NOC controllers capacity is equal to, or higher than that of a site controller. The following devices can be deployed at NOC and sites:

NOC controller NX95XX (NX9500 and NX9510), NX9600, VX9000 Site controller RFS4000, RFS6000, NX5500, or NX95XX NOTE: Standalone devices have to be manually upgraded. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax device-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|

ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap76232|ap7662|ap81xx|ap82xx|ap8432|

ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|cancel-upgrade|load-

image|rf-domain]

device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME>

{no-reboot|reboot-time <TIME>}}

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 41 USER EXEC MODE COMMANDS device-upgrade all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME>

{no-reboot|reboot-time <TIME>}} {(staggered-reboot)}

device-upgrade [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|

ap7602|ap7612|ap7622|ap76232|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|

nx5500|nx75xx|nx9000|nx9600|vx9000] all {force|no-reboot|reboot-time

<TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}

device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|

ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap76232|ap7662|ap81xx|

ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|

on rf-domain [<RF-DOMAIN-NAME>|all]]

device-upgrade load-image [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|

ap7532|ap7562|ap7602|ap7612|ap7622|ap76232|ap7662|ap81xx|ap82xx|ap8432|ap8533|

rfs4000|rfs6000|nx5500|nx9000|nx9600|vx9000] {<IMAGE-URL>|on <DEVICE-OR-DOMAIN-

NAME>}

device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location

<WORD>] [all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|

ap7602|ap7612|ap7622|ap76232|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|

nx5500|nx75xx|nx9000|nx9600|vx9000] {(<MAC/HOSTNAME>|force|from-controller|

no-reboot|reboot-time <TIME>|staggered-reboot|upgrade-time <TIME>)}

Parameters device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME>

{no-reboot|reboot-time <TIME>}}

<MAC/HOSTNAME>

no-reboot reboot-time <TIME>

upgrade-time <TIME>

{no-reboot|

reboot-time <TIME>}

Upgrades firmware on the device identified by the <MAC/HOSTNAME> keyword

<MAC/HOSTNAME> Specify the devices MAC address or hostname. Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted) Optional. Schedules an automatic reboot after a successful upgrade

<TIME> Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. Optional. Schedules an automatic device firmware upgrade on a specified day and time

<TIME> Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:

no-reboot Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted) reboot-time <TIME> Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. device-upgrade all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME>

{no-reboot|reboot-time <TIME>}} {(staggered-reboot)}

all force no-reboot reboot-time <TIME>

Upgrades firmware on all devices Optional. Select this option to force upgrade on the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot. Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted) Optional. Schedules an automatic reboot after a successful upgrade

<TIME> Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 42 USER EXEC MODE COMMANDS upgrade-time <TIME>

{no-reboot|

reboot-time <TIME>}

Optional. Schedules an automatic device firmware upgrade on all devices on a specified day and time

<TIME> Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:

no-reboot Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted). reboot-time <TIME> Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. staggered-reboot This keyword is recursive and common to all of the above. Optional. Enables staggered device reboot (one at a time) without network impact device-upgrade [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|

ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|

rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] all {force|no-reboot|reboot-time

<TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}

device-upgrade

<DEVICE-TYPE> all force no-reboot reboot-time <TIME>

Upgrades firmware on all devices of a specific type. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000. After selecting the device type, schedule an automatic upgrade and/or an automatic reboot. Optional. Select this option to force upgrade on the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot. Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted) Optional. Schedules an automatic reboot after a successful upgrade

<TIME> Optional. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. upgrade-time <TIME>

{no-reboot|

reboot-time <TIME>}

Optional. Schedules an automatic firmware upgrade on all devices, of the specified type, on a specified day and time

<TIME> Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:

no-reboot Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted) reboot-time <TIME> Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. staggered-reboot This keyword is recursive and common to all of the above. Optional. Enables staggered device reboot (one at a time) without network impact Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 43 USER EXEC MODE COMMANDS device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|

ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|

ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|

on rf-domain [<RF-DOMAIN-NAME>|all]]

cancel-upgrade Cancels a scheduled firmware upgrade based on the parameters passed. This command provides the following options to cancel scheduled firmware upgrades:

Cancels upgrade on specific device(s). The devices are identified by their MAC addresses or hostnames. Cancels upgrade on all devices within the network Cancels upgrade on all devices of a specific type. Specify the device type. Cancels upgrade on specific device(s) or all device(s) within a specific RF Domain or all RF Domains. Specify the RF Domain name. cancel-upgrade

[<MAC/HOSTNAME>|

all]

Cancels a scheduled firmware upgrade on a specified device or on all devices

<MAC/HOSTNAME> Cancels a scheduled upgrade on the device identified by the

<MAC/HOSTNAME> keyword. Specify the devices MAC address or hostname. cancel-upgrade

<DEVICE-TYPE> all cancel-upgrade on rf-domain

[<RF-DOMAIN-

NAME>|all]

all Cancels scheduled upgrade on all devices Cancels scheduled firmware upgrade on all devices of a specific type. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000. Cancels scheduled firmware upgrade on all devices in a specified RF Domain or all RF Domains

<RF-DOMAIN-NAME> Cancels scheduled device upgrade on all devices in a specified RF Domain. Specify the RF Domain name. all Cancels scheduled device upgrade on all devices across all RF Domains device-upgrade load-image [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|

ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|

rfs4000|rfs6000|nx500|nx9000|nx9600|vx9000] {<IMAGE-URL>|on <DEVICE-OR-DOMAIN-

NAME>}

load-image

<DEVICE-TYPE>

<IMAGE-URL>

Loads device firmware image from a specified location. Use this command to specify the device type and the location of the corresponding image file.

<DEVICE-TYPE> Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000. After specifying the device type, provide the location of the required device firmware image. Specify the devices firmware image location in one of the following formats:

IPv4 URLs:

tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file http://<hostname|IP>[:port]/path/file cf:/path/file usb<n>:/path/file Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 44 USER EXEC MODE COMMANDS IPv6 URLs:

tftp://<hostname|[IPv6]>[:port]/path/file ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file http://<hostname|[IPv6]>[:port]/path/file on <DEVICE-OR-

DOMAIN-NAME>

Specify the name of the device or RF Domain. The image, of the specified device type is loaded from the device specified here. In case of an RF Domain, the image available on the RF Domain manager is loaded.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>] [all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|

ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|

rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {(<MAC/HOSTNAME>|force|from-

controller|no-reboot|reboot-time <TIME>|staggered-reboot|upgrade-time <TIME>)}

rf-domain

[<RF-DOMAIN-

NAME>|all|

containing <WORD>|

filter location

<WORD>]

<DEVICE-TYPE>

<MAC/HOSTNAME>

force from-controller Upgrades firmware on devices in a specified RF Domain or all RF Domains. Devices within a RF Domain are upgraded through the RF Domain manager.

<RF-DOMAIN-NAME> Upgrades devices in the RF Domain identified by the <RF-

DOMAIN-NAME> keyword.

<RF-DOMAIN-NAME> Specify the RF Domain name. all Upgrades devices across all RF Domains containing <WORD> Filters RF Domains by their names. RF Domains with names containing the sub-string identified by the <WORD> keyword are filtered. Devices on the filtered RF Domains are upgraded. filter location <WORD> Filters devices by their location. All devices with location matching the <WORD> keyword are upgraded. After specifying the RF Domain, select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000. After specifying the RF Domain and the device type, configure any one of the following actions: force devices to upgrade, or initiate an upgrade through the adopting controller. Optional. Use this option to identify specific devices for upgradation. Specify the devices MAC address or hostname. The device should be within the specified RF Domain and of the specified device type. After identifying the devices to upgrade, configure any one of the following actions: force devices to upgrade, or initiate an upgrade through the adopting controller. Note: If no MAC address or hostname is specified, all devices of the type selected are upgraded. Optional. Select this option to force upgrade for the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or reboot-time. Optional. Upgrades a device through the adopted device. If initiating an upgrade through the adopting controller, optionally specify any one of the following options:

no-reboot, reboot-time, upgrade-time, or reboot-time. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 45 USER EXEC MODE COMMANDS no-reboot

{staggered-reboot}

reboot-time <TIME>

{staggered-reboot}

staggered-reboot upgrade-time <TIME>

{no-reboot|

reboot-time <TIME>}

Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted) Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. This keyword is common to all of the above. Optional. Enables staggered reboot (one at a time) without network impact Optional. Schedules an automatic firmware upgrade

<TIME> Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. After a scheduled upgrade, the following actions can be performed. no-reboot Optional. Disables automatic reboot after a successful upgrade the device must be manually restarted) reboot-time <TIME> Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. Example nx9500-6C8809>show adoption status

--------------------------------------------------------------------------------

------------------------

DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-ADOPTION UPTIME

--------------------------------------------------------------------------------

------------------------

rfs6000-81742D 5.9.1.0-012D configured No nx9500-6C8809 2 days 12:23:52 13 days 22:32:38 t5-ED7C6C 5.4.2.0-010R configured No nx9500-6C8809 13 days 22:47:46 16 days 22:33:25

--------------------------------------------------------------------------------

------------------------

Total number of devices displayed: 2 nx9500-6C8809>

nx9500-6C8809>show device-upgrade versions

--------------------------------------------------------------------------------

CONTROLLER DEVICE-TYPE VERSION

--------------------------------------------------------------------------------

nx9500-6C8809 ap621 5.9.0.0-014D nx9500-6C8809 ap622 5.9.1.0-012D nx9500-6C8809 ap650 5.9.1.0-012D nx9500-6C8809 ap6511 none nx9500-6C8809 ap6521 5.9.0.0-014D nx9500-6C8809 ap6522 5.9.1.0-012D nx9500-6C8809 ap6532 5.9.1.0-012D nx9500-6C8809 ap6562 5.9.1.0-012D nx9500-6C8809 ap71xx 5.9.1.0-012D nx9500-6C8809 ap7502 5.9.1.0-012D nx9500-6C8809 ap7522 5.9.1.0-012D nx9500-6C8809 ap7532 5.9.1.0-012D nx9500-6C8809 ap7562 5.9.1.0-012D nx9500-6C8809 ap7602 5.9.1.0-012D nx9500-6C8809 ap7612 5.9.1.0-012D nx9500-6C8809 ap7622 5.9.1.0-012D nx9500-6C8809 ap7632 5.9.1.0-012D nx9500-6C8809 ap7662 5.9.1.0-012D nx9500-6C8809 ap81xx 5.9.1.0-012D nx9500-6C8809 ap82xx 5.9.1.0-012D nx9500-6C8809 ap8432 5.9.1.0-012D nx9500-6C8809 ap8533 5.9.1.0-012D nx9500-6C8809 nx45xx none nx9500-6C8809 nx5500 none Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 46 USER EXEC MODE COMMANDS nx9500-6C8809 nx65xx none nx9500-6C8809 nx75xx none nx9500-6C8809 nx9000 none nx9500-6C8809 rfs4000 5.9.1.0-012D nx9500-6C8809 rfs6000 5.9.1.0-012D nx9500-6C8809 rfs7000 5.9.0.0-010D nx9500-6C8809 vx9000 none

--------------------------------------------------------------------------------

nx9500-6C8809>

nx9500-6C8809#device-upgrade load-image rfs6000 ftp://

anonymous:anonymous@192.168.13.10/LatestBuilds/W591/RFS6000-LEAN-5.9.1.0-

015D.img

--------------------------------------------------------------------------------

CONTROLLER STATUS MESSAGE

--------------------------------------------------------------------------------

nx9500-6C8809 Success Successfully initiated load image

--------------------------------------------------------------------------------

nx9500-6C8809#

nx9500-6C8809#show device-upgrade load-image-status Download of rfs6000 firmware file is complete nx9500-6C8809#

nx9500-6C8809>show device-upgrade versions

--------------------------------------------------------------------------------

CONTROLLER DEVICE-TYPE VERSION

--------------------------------------------------------------------------------

nx9500-6C8809 ap621 5.9.0.0-014D nx9500-6C8809 ap622 5.9.1.0-012D nx9500-6C8809 ap650 5.9.1.0-012D nx9500-6C8809 ap6511 none nx9500-6C8809 ap6521 5.9.0.0-014D nx9500-6C8809 ap6522 5.9.1.0-012D nx9500-6C8809 ap6532 5.9.1.0-012D nx9500-6C8809 ap6562 5.9.1.0-012D nx9500-6C8809 ap71xx 5.9.1.0-012D nx9500-6C8809 ap7502 5.9.1.0-012D nx9500-6C8809 ap7522 5.9.1.0-012D nx9500-6C8809 ap7532 5.9.1.0-012D nx9500-6C8809 ap7562 5.9.1.0-012D nx9500-6C8809 ap7602 5.9.1.0-012D nx9500-6C8809 ap7612 5.9.1.0-012D nx9500-6C8809 ap7622 5.9.1.0-012D nx9500-6C8809 ap7632 5.9.1.0-012D nx9500-6C8809 ap7662 5.9.1.0-012D nx9500-6C8809 ap81xx 5.9.1.0-012D nx9500-6C8809 ap82xx 5.9.1.0-012D nx9500-6C8809 ap8432 5.9.1.0-012D nx9500-6C8809 ap8533 5.9.1.0-012D nx9500-6C8809 nx45xx none nx9500-6C8809 nx5500 none nx9500-6C8809 nx65xx none nx9500-6C8809 nx75xx none nx9500-6C8809 nx9000 none nx9500-6C8809 rfs4000 5.9.1.0-012D nx9500-6C8809 rfs6000 5.9.1.0-015D nx9500-6C8809 rfs7000 5.9.0.0-010D nx9500-6C8809 vx9000 none

--------------------------------------------------------------------------------

nx9500-6C8809>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 47 USER EXEC MODE COMMANDS nx9500-6C8809>device-upgrade rfs6000-81742D

--------------------------------------------------------------------------------

CONTROLLER STATUS MESSAGE

--------------------------------------------------------------------------------

B4-C7-99-6C-88-09 Success Queued 1 devices to upgrade

--------------------------------------------------------------------------------

nx9500-6C8809>

nx9500-6C8809>show device-upgrade status Number of devices currently being upgraded : 1 Number of devices waiting in queue to be upgraded : 0 Number of devices currently being rebooted : 0 Number of devices waiting in queue to be rebooted : 0 Number of devices failed upgrade : 0

--------------------------------------------------------------------------------

------------------------------

DEVICE STATE UPGRADE TIME REBOOT TIME PROGRESS RETRIES LAST UPDATE ERROR UPGRADED BY

--------------------------------------------------------------------------------

------------------------------

rfs6000-81742D downloading immediate immediate 17 0 -

nx9500-6C8809

--------------------------------------------------------------------------------

------------------------------

nx9500-6C8809>

nx9500-6C8809>show adoption status

--------------------------------------------------------------------------------

-------------------------------

DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-

ADOPTION UPTIME

--------------------------------------------------------------------------------

-------------------------------

rfs6000-81742D 5.9.1.0-015D version-mismatch No nx9500-6C8809 0 days 00:00:42 0 days 00:03:33 t5-ED7C6C 5.4.2.0-010R configured No nx9500-6C8809 13 days 23:09:38 16 days 22:55:17

--------------------------------------------------------------------------------

--------------------------------

Total number of devices displayed: 2 nx9500-6C8809>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 48 USER EXEC MODE COMMANDS 2.1.14 disable User Exec Commands This command can be executed in the Priv Exec Mode only. When executed, the command turns off

(disables) the privileged mode command set and returns to the User Executable Mode. The prompt changes from rfs6000-81742D# to rfs6000-81742D>. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax disable Parameters None Example rfs6000-81742D#disable rfs6000-81742D>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 49 USER EXEC MODE COMMANDS 2.1.15 enable User Exec Commands Turns on (enables) the privileged mode command set. The prompt changes from rfs6000-81742D> to rfs6000-81742D#. This command does not do anything in the Privilege Executable mode. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax enable Parameters None Example rfs6000-81742D>enable rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 50 USER EXEC MODE COMMANDS 2.1.16 file-sync User Exec Commands Syncs trustpoint and/or EAP-TLS X.509 (PKCS#12) certificate between the staging-controller and adopted access points. When enabling file syncing, consider the following points:

The X.509 certificate needs synchronization only if the access point is configured to use EAP-TLS authentication. Execute the command on the controller adopting the access points. Ensure that the X.509 certificate file is installed on the controller. Syncing of trustpoint/wireless-bridge certificate can be automated. To automate file syncing, in the controllers device/profile configuration mode, execute the following command: file-sync [auto|count <1-

20>]. For more information, see file-sync. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632,AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax file-sync [cancel|load-file|trustpoint|wireless-bridge]

file-sync cancel [trustpoint|wireless-bridge]

file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain

[<DOMAIN-NAME>|all]]

file-sync load-file [trustpoint|wireless-bridge]]

file-sync load-file [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] <URL>

file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|all|

rf-domain [<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time <TIME>}

Parameters file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain

[<DOMAIN-NAME>|all]]

file-sync cancel

[trustpoint|

wireless-bridge]

[<DEVICE-NAME>|

all|rf-domain

[<DOMAIN-NAME>|

all]]

Cancels scheduled file synchronization trustpoint Cancels scheduled trustpoint synchronization on a specified AP, all APs, or APs within a specified RF Domain wireless-bridge Cancels scheduled wireless-bridge certificate synchronization on a specified AP, all APs, or APs within a specified RF Domain

<DEVICE-NAME> Cancels scheduled trustpoint/certificate synchronization on a specified AP. Specify the APs hostname or MAC address. all Cancels scheduled trustpoint/certificate synchronization on all APs Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 51 USER EXEC MODE COMMANDS rf-domain [<DOMAIN-NAME>|all] Cancels scheduled trustpoint/certificate syn-

chronization on all APs in a specified RF Domain or in all RF Domains

<DOMAIN-NAME> Cancels scheduled trustpoint/certificate synchronization on all APs within a specified RF Domain. Specify the RF Domains name. all Cancels scheduled trustpoint/certificate synchronization on all RF Domains file-sync load-file [trustpoint|wireless-bridge] <URL>

file-sync load-file

[trustpoint|

wireless-bridge]

<URL>

Loads the following files on to the staging controller:

trustpoint Loads the trustpoint, including CA certificate, server certificate and private key wireless-bridge Loads the wireless-bridge certificate to the staging controller Use this command to load the certificate to the controller before scheduling or initiating a certificate synchronization.

<URL> Provide the trustpoint/certificate location using one of the following for-

mats:

tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file http://<hostname|IP>[:port]/path/file cf:/path/file usb<n>:/path/file Note: Both IPv4 and IPv6 address types are supported. file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|all|rf-

domain [<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time <TIME>}

file-sync trustpoint

<TRUSTPOINT-

NAME>

[<DEVICE-NAME>|

all|rf-domain

[<DOMAIN-NAME>

|all] from-controller]

Configures file-syncing parameters trustpoint <TRUSTPOINT-NAME> Syncs a specified trustpoint between controller and its adopted APs

<TRUSTPOINT-NAME> Specify the trustpoint name. wireless-bridge Syncs wireless-bridge certificate between controller and its adopted APs After specifying the file that is to be synced, configure following file-sync parameters:

<DEVICE-NAME> Syncs trustpoint/certificate with a specified AP. Specify the APs hostname or MAC address. all Syncs trustpoint/certificate with all APs rf-domain [<DOMAIN-NAME>|all] Syncs trustpoint/certificate with all APs in a specified RF Domain or in all RF Domains

<DOMAIN-NAME> Select to sync with APs within a specified RF Domain. Specify the RF Domains name. all Select to sync with APs across all RF Domains from-controller Optional. Loads certificate to the APs from the adopting controller and not the RF Domain manager After specifying the access points, specify the following options: reset-radio and upload-time. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 52 USER EXEC MODE COMMANDS reset-radio This keyword is recursive and applicable to all of the above parameters. Optional. Resets the radio after file synchronization. Reset the radio in case the certificate is renewed along with no changes made to the bridge EAP username and bridge EAP password. upload-time <TIME> This keyword is recursive and applicable to all of the above parameters. upload-time Optional. Schedules certificate upload at a specified time

<TIME> Specify the time in the MM/DD/YYYY-HH:MM or HH:MM format. If no time is configured, the process is initiated as soon as the command is executed. Example rfs6000-81742D>file-sync wireless-bridge ap7131-11E6C4 upload-time 06/01/2017-

12:30

--------------------------------------------------------------------------------

CONTROLLER STATUS MESSAGE

--------------------------------------------------------------------------------

B4-C7-99-6D-CD-4B Success Queued 1 APs to upload

--------------------------------------------------------------------------------

rfs6000-81742D>

The following command uploads certificate to all access points:

rfs6000-81742D>file-sync wireless-bridge all upload-time 06/01/2017-23:42 Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 53 USER EXEC MODE COMMANDS 2.1.17 join-cluster User Exec Commands Adds a device (access point, wireless controller, or service platform), as a member, to an existing cluster of devices. Assign a static IP address to the device before adding to a cluster. Note, a cluster can be only formed of devices of the same model type. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax join-cluster <IP> user <USERNAME> password <WORD> {level|mode}

join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode

[active|standby]}

Parameters join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode

[active|standby]}

join-cluster

<IP>

user <USERNAME>

password <WORD>

level [1|2]

mode

[active|standby]

Usage Guidelines Adds an access point, wireless controller, or service platform to an existing cluster Specify the cluster members IP address. Specify a user account with super user privileges on the new cluster member Specify password for the account specified in the user parameter Optional. Configures the routing level 1 Configures level 1 routing 2 Configures level 2 routing Optional. Configures the cluster mode active Configures this cluster as active standby Configures this cluster to be on standby mode To add a device to an existing cluster:

Configure a static IP address on the device (access point, wireless controller, or service platform). Provide username and password for superuser, network admin, system admin, or operator accounts. After adding the device to a cluster, execute the write memory command to ensure the configuration persists across reboots. Example rfs4000-880DA7>join-cluster 192.168.13.15 user admin password superuser level 1 mode standby

... connecting to 192.168.13.15

... applying cluster configuration

... committing the changes

... saving the changes

[OK]

rfs4000-880DA7>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 54 USER EXEC MODE COMMANDS rfs4000-880DA7>show context

!

! Configuration of RFS4000 version 5.9.1.0-012D

!

!

version 2.5

!

!

................................................................................ interface vlan1 ip address 192.168.13.15/24 no ipv6 enable no ipv6 request-dhcpv6-options cluster name TechPubs cluster mode standby cluster member ip 192.168.13.15 logging on logging console warnings logging buffered warnings

!

!

end rfs4000-880DA7>

Related Commands cluster create-cluster Initiates cluster context. The cluster context enables centralized management and configuration of all cluster members from any one member. Creates a new cluster on a specified device Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 55 USER EXEC MODE COMMANDS 2.1.18 l2tpv3 User Exec Commands Establishes and/or brings down a Layer 2 Tunnel Protocol Version 3 (L2TPV3) tunnel Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax l2tpv3 tunnel [<TUNNEL-NAME>|all]

l2tpv3 tunnel <TUNNEL-NAME> [down|session|up]

l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}

Parameters l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel

<TUNNEL-NAME>

[down|up]

Establishes or brings down L2TPv3 tunnels Specifies the tunnel name to establish or bring down down Brings down the specified tunnel up Establishes the specified tunnel Optional. Establishes or brings down a tunnel on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}

on

<DEVICE-NAME>

l2tpv3 tunnel

<TUNNEL-NAME>

[session

<SESSION-NAME>]

[down|up]

Establishes or brings down L2TPv3 tunnels Establishes or brings down a specified session inside an L2TPv3 tunnel

<TUNNEL-NAME> Specify the tunnel name. session <SESSION-NAME> Identifies a specific session

<SESSION-NAME> Specify the session name. down Brings down the session identified by the <SESSION-NAME> key-

word up Establishes the session identified by the <SESSION-NAME> keyword on

<DEVICE-NAME>

Optional. Establishes or brings down a tunnel session on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel all [down|up]

Establishes or brings down L2TPv3 tunnels Establishes or brings down all L2TPv3 tunnels down Brings down all tunnels up Establishes all tunnels Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 56 USER EXEC MODE COMMANDS on

<DEVICE-NAME>

Optional. Establishes or brings down all tunnels on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example rfs6000-81742D>l2tpv3 tunnel Tunnel1 session Tunnel1Session1 up on rfs6000-81742D NOTE: For more information on the L2TPv3 tunnel configuration mode and commands, see Chapter 22, L2TPV3-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 57 USER EXEC MODE COMMANDS 2.1.19 logging User Exec Commands Modifies message logging settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|

informational|notifications|warnings}

Parameters logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|

informational|notifications|warnings}

monitor Sets the terminal lines logging levels. The logging severity levels can be set from 0 - 7. The system uses default settings, if no logging severity level is specified.

<0-7> Optional. Specify the logging severity level from 0-7. The various levels and their implications are as follows:

alerts Optional. Immediate action needed (severity=1) critical Optional. Critical conditions (severity=2) debugging Optional. Debugging messages (severity=7) emergencies Optional. System is unusable (severity=0) errors Optional. Error conditions (severity=3) informational Optional. Informational messages (severity=6) notifications Optional. Normal but significant conditions (severity=5) warnings Optional. Warning conditions (severity=4) Note: Before configuring the message logging level, ensure logging module is enabled. To enable message logging, in the devices configuration mode, execute the logging > on command. Message logging can also be enabled on a profile. All devices using the profile will have message logging enabled. Example rfs6000-81742D(config-device-00-15-70-81-74-2D)##logging on rfs6000-81742D>logging monitor debugging rfs6000-81742D>show logging Logging module: enabled Aggregation time: disabled Console logging: level warnings Monitor logging: level debugging Buffered logging: level warnings Syslog logging: level warnings Facility: local7 Log Buffer (69317 bytes):

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 58 USER EXEC MODE COMMANDS Apr 04 11:53:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM Apr 04 11:43:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM

--More--

rfs6000-81742D>

Related Commands no Resets terminal lines logging levels Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 59 USER EXEC MODE COMMANDS 2.1.20 mint User Exec Commands Uses MiNT protocol to perform a ping and traceroute to a remote device Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mint [ping|traceroute]

mint ping <MINT-ID> {(count <1-10000>|size <1-64000>|timeout <1-10>)}

mint traceroute <MINT-ID> {(destination-port <1-65535>|max-hops <1-255>|source-

port <1-65535>|timeout <1-255>)}

Parameters mint ping <MINT-ID> {(count <1-10000>|size <1-64000>|timeout <1-10>)}

ping <MINT-ID>

count <1-10000>

size <1-64000>

timeout <1-10>

Sends a MiNT echo message to a specified destination

<MINT-ID> Specify the destination devices MiNT ID. Optional. Sets the pings to the MiNT destination

<1- 10000> Specify a value from 1 - 10000. The default is 3. Optional. Sets the MiNT payload size in bytes

<1-64000> Specify a value from 1 - 640000 bytes. The default is 64 bytes. Optional. Sets a response time in seconds

<1-10> Specify a value from 1 sec - 10 sec. The default is 1 second. mint traceroute <MINT-ID> {(destination-port <1-65535>|max-hops <1-255>|

source-port <1-65535>|timeout <1-255>)}

traceroute

<MINT-ID>

destination-port

<1-65535>

max-hops <1-255>

source-port

<1-65535>

timeout <1-255>

Prints the route packets trace to a device

<MINT-ID> Specify the destination devices MiNT ID. Optional. Sets the Equal-cost Multi-path (ECMP) routing destination port

<1- 65535> Specify a value from 1 - 65535. The default port is 45. Optional. Sets the maximum number of hops a traceroute packet traverses in the forward direction

<1- 255> Specify a value from 1 - 255. The default is 30. Optional. Sets the ECMP source port

<1- 65535> Specify a value from 1 - 65535. The default port is 45. Optional. Sets the minimum response time period in seconds

<1- 255> Specify a value from 1 sec - 255 sec. The default is 30 seconds. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 60 USER EXEC MODE COMMANDS Example rfs6000-81742D>mint ping 19.6C.88.09 MiNT ping 19.6C.88.09 with 64 bytes of data. Response from 19.6C.88.09: id=1 time=0.219 ms Response from 19.6C.88.09: id=2 time=0.145 ms Response from 19.6C.88.09: id=3 time=0.127 ms

--- 19.6C.88.09 ping statistics ---

3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 0.127/0.164/0.219 ms rfs6000-81742D>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 61 USER EXEC MODE COMMANDS 2.1.21 no User Exec Commands Use the no command to revert a command or to set parameters to their default. This command turns off an enabled feature or reverts settings to default. NOTE: The no command sub-set of commands changes with the context in which it is executed. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [adoption|captive-portal|crypto|debug|logging|page|service|terminal|

virtual-machine|wireless]

no adoption {on <DEVICE-OR-DOMAIN-NAME>}

NOTE: The no > adoption command resets the adoption state of a specified device (and all devices adopted to it) or devices within a specified RF Domain. When executed without specifying the device or RF Domain, the command resets the adoption state of the logged device and all devices, if any, adopted to it. no captive-portal client [captive-portal <CAPTIVE-PORTAL-NAME>|mac <MAC>]

{on <DEVICE-OR-DOMAIN-NAME>}

no crypto pki [server|trustpoint]

no crypto pki [server|trustpoint] <TRUSTPOINT-NAME> {del-key {on <DEVICE-NAME>}|

on <DEVICE-NAME>}

no logging monitor no page no service [block-adopter-config-update|locator|snmp|ssm|wireless]

no service snmp sysoid wing5 no service block-adopter-config-update no service ssm trace pattern {<WORD>} {on <DEVICE-NAME>}

no service wireless [trace pattern {<WORD>} {on <DEVICE-NAME>}|unsanctioned ap air-

terminate <BSSID> {on <DOMAIN-NAME>}]

no service locator {on <DEVICE-NAME>}

no terminal [length|width]

no virtual-machine assign-usb-ports {on <DEVICE-NAME>}

no wireless client [all|<MAC>]

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 62 USER EXEC MODE COMMANDS no wireless client all {filter|on}

no wireless client all {filter [wlan <WLAN-NAME>]}

no wireless client all {on <DEVICE-OR-DOMAIN-NAME>} {filter [wlan <WLAN-NAME>]}

no wireless client mac <MAC> {on <DEVICE-OR-DOMAIN-NAME>}

Parameters no <PARAMETERS>

no <PARAMETERS>

Resets or reverts settings based on the parameters passed Usage Guidelines The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated. Example rfs4000-880DA7>no adoption rfs4000-880DA7>no page Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 63 USER EXEC MODE COMMANDS 2.1.22 on User Exec Commands Executes the following commands in the RF Domain context: clrscr, do, end, exit, help, service, and show Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax on rf-domain [<RF-DOMAIN-NAME>|all]

Parameters on rf-domain [<RF-DOMAIN-NAME>|all]

on rf-domain

[<RF-DOMAIN-

NAME>|all]

Enters the RF Domain context based on the parameter specified

<RF-DOMAIN-NAME> Specify the RF Domain name. Enters the specified RF Domain context. all Specifies all RF Domains. Example nx9500-6C8809>on rf-domain TechPubs nx9500-6C8809(TechPubs)>?

on RF-Domain Mode commands:

clrscr Clears the display screen do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system service Service Commands show Show running system information nx9500-6C8809(TechPubs)>

nx9500-6C8809(rf-domain-all)>?

on RF-Domain Mode commands:

clrscr Clears the display screen do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system service Service Commands show Show running system information nx9500-6C8809(rf-domain-all)>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 64 USER EXEC MODE COMMANDS 2.1.23 opendns User Exec Commands Fetches the OpenDNS device_id from the OpenDNS site. Use this command to fetch the OpenDNS device_id. Once fetched, apply the device_id to WLANs that are to be OpenDNS enabled. OpenDNS is a free DNS service that enables swift Web navigation without frequent outages. It is a reliable DNS service that provides the following services: DNS query resolution, Web-filtering, protection against virus and malware attacks, performance enhancement, etc. This command is part of a set of configurations that are required to integrate WiNG devices with OpenDNS. When integrated, DNS queries going out of the WiNG device (access point, controller, or service platform) are re-directed to OpenDNS (208.67.220.220 or 208.67.222.222) resolvers that act as proxy DNS servers. For more information on integrating WiNG devices with OpenDNS site, see Enabling OpenDNS Support. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax opendns [APIToken|username]

opendns APIToken <OPENDNS-APITOKEN>

opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>

Note, as per the current implementation both of the above commands can be used to fetch the device_id from the OpenDNS site. Parameters opendns APIToken <OPENDNS-APITOKEN>

opendns APIToken

<OPENDNS-

APITOKEN>

Fetches the device_id from the OpenDNS site using the OpenDNS API token Configures the OpenDNS APIToken. This is the token provided you by CISCO at the time of subscribing for their OpenDNS service.

<OPENDNS-APITOKEN> Provide the OpenDNS API token (should be a valid token). For every valid OpenDNS API token provided a device_id is returned. Apply this device_id to WLANs that are to be OpenDNS enabled. Once applied, DNS queries originating from associating clients are appended with an additional 31 bytes of data

(representing the device ID) at the end of the DNS packet. For information on configuring the device_id in the WLAN context, see opendns. opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>

opendns username

<USERNAME>

Fetches the device_id from the OpenDNS site using the OpenDNS credentials Configures the OpenDNS user name. This is your OpenDNS email ID provided by CISCO at the time of subscribing for their OpenDNS service.

<USERNAME> Provide the OpenDNS user name (should be a valid OpenDNS username). Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 65 USER EXEC MODE COMMANDS password

<OPENDNS-PSWD>

Configures the password associated with the user name specified in the previous step

<OPENDNS-PSWD> Provide the OpenDNS password (should be a valid OpenDNS password). label <LABEL>

Usage Guidelines Configures the network label. This the label (the user friendly name) of your network, and should be the same as the label (name) configured on the OpenDNS portal.

<LABEL> Specify your network label. For every set of user name, password, and label passed only one unique device_id is returned. Apply this device_id to WLANs that are to be OpenDNS enabled. Once applied, DNS queries originating from associating clients are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. For information on configuring the device_id in the WLAN context, see opendns. Use your OpenDNS credentials to logon to the opendns.org site and use the labels, edit settings, and customize content filtering options to configure Web filtering settings. Example ap7161-E6D512>opendns username bob@examplecompany.com password opendns label company_name Connecting to OpenDNS server... device_id = 0014AADF8EDC6C59 ap7161-E6D512>

nx9600-7F3C7F>opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073 device_id

= 001480fe36dcb245 nx9600-7F3C7F>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 66 USER EXEC MODE COMMANDS 2.1.24 page User Exec Commands Toggles a devices paging function. When executed, this command enables the display of CLI command outputs page by page, instead of running the entire output at once. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602. AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax page Parameters None Example rfs4000-880DA7>page rfs4000-880DA7>

Related Commands no Disables device paging Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 67 USER EXEC MODE COMMANDS 2.1.25 ping User Exec Commands Sends Internet Controller Message Protocol (ICMP) echo messages to a user-specified location Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|

source [<IP>|pppoe|vlan <1-4094>|wwan]}

Parameters ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|

source[<IP>|pppoe|vlan <1-4094>|wwan]}

<IP/HOSTNAME>

count <1-10000>

dont-fragment

{count|size}

size <1-64000>

source

[<IP>|pppoe|

vlan <1-4094>|

wwan]

Specify the destination IP address or hostname. When entered without any parameters, this command prompts for an IP address or a hostname. Optional. Sets the pings to the specified destination

<1-10000> Specify a value from 1 - 10000. The default is 5. Optional. Sets the dont fragment bit in the ping packet. Packets with the dont-

fragment bit specified are not fragmented. When a packet, with the dont-fragment bit specified, exceeds the specified maximum transmission unit (MTU) value, an error message is sent from the device trying to fragment it. count <1-10000> Optional. Sets the pings to the specified destination from 1 - 10000. The default is 5. size <1-64000> Optional. Sets the ping payload size from 1 - 64000 bytes. The default is 100 bytes. Optional. Sets the ping payload size in bytes

<1-64000> Specify the ping payload size from 1 - 64000. The default is 100 bytes. Optional. Sets the source address or interface name. This is the source of the ICMP packet to the specified destination.

<IP> Specifies the source IP address pppoe Selects the PPP over Ethernet interface vlan <1-4094> Selects the VLAN interface from 1 - 4094 wwan Selects the wireless WAN interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 68 USER EXEC MODE COMMANDS Example rfs6000-81742D>ping 192.168.13.13 count 4 PING 192.168.13.13 (192.168.13.13) 100(128) bytes of data. 108 bytes from 192.168.13.13: icmp_seq=1 ttl=64 time=0.291 ms 108 bytes from 192.168.13.13: icmp_seq=2 ttl=64 time=0.243 ms 108 bytes from 192.168.13.13: icmp_seq=3 ttl=64 time=0.239 ms 108 bytes from 192.168.13.13: icmp_seq=4 ttl=64 time=0.232 ms

--- 192.168.13.13 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3000ms rtt min/avg/max/mdev = 0.232/0.251/0.291/0.025 ms rfs6000-81742D>

rfs6000-81742D>ping 10.233.89.182 source vlan 1 PING 10.233.89.182 (10.233.89.182) from 192.168.13.24 vlan1: 100(128) bytes of data. From 192.168.13.2 icmp_seq=1 Packet filtered From 192.168.13.2 icmp_seq=2 Packet filtered From 192.168.13.2 icmp_seq=3 Packet filtered From 192.168.13.2 icmp_seq=4 Packet filtered From 192.168.13.2 icmp_seq=5 Packet filtered

--- 10.233.89.182 ping statistics ---

5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 3997ms rfs6000-81742D>>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 69 USER EXEC MODE COMMANDS 2.1.26 ping6 User Exec Commands Sends ICMPv6 echo messages to a user-specified IPv6 address Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ping6 <IPv6/HOSTNAME> {<INTF-NAME>} {(count <1-10000>|size <1-64000>)}

Parameters ping <IPv6/HOSTNAME> {<INTF-NAME>} {(count <1-10000>|size <1-64000>)}

<IPv6/HOSTNAME> Specify the destination IPv6 address or hostname.

<INTF-NAME>

count <1-10000>

Specify the interface name for link local/broadcast address Optional. Sets the pings to the specified IPv6 destination

<1-10000> Specify a value from 1 - 10000. The default is 5. Optional. Sets the IPv6 ping payload size in bytes

<1-64000> Specify the ping payload size from 1 - 64000. The default is 100 bytes. size <1-64000>

Usage Guidelines To configure a devices IPv6 address, in the VLAN interface configuration mode, use the ipv6 > address

<IPv6-ADDRESS> command. After configuring the IPv6 address, use the ipv6 > enable command to enable IPv6. For more information, see ipv6. Example rfs4000-1B3596(config-device-00-23-68-1B-35-96-if-ge4)#show ipv6 interface brief

--------------------------------------------------------------------------------

INTERFACE IPV6 MODE IPV6-ADDRESS/MASK TYPE STATUS PROTOCOL

--------------------------------------------------------------------------------

vlan1 True fe80::223:68ff:fe88:da7/64 Link-Local UP up vlan1 True 2001:10:10:10:10:10:10:1/64 Global-Permanent UP up vlan2 False UNASSIGNED None UP up

--------------------------------------------------------------------------------

rfs4000-1B3596(config-device-00-23-68-1B-35-96-if-ge4)#

rfs4000-229D58>ping6 2001:10:10:10:10:10:10:1 count 6 PING 2001:10:10:10:10:10:10:1(2001:10:10:10:10:10:10:1) 100 data bytes 108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=1 ttl=64 time=0.401 ms 108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=2 ttl=64 time=0.311 ms 108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=3 ttl=64 time=0.300 ms 108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=4 ttl=64 time=0.309 ms 108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=5 ttl=64 time=0.299 ms 108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=6 ttl=64 time=0.313 ms

--- 2001:10:10:10:10:10:10:1 ping statistics ---

6 packets transmitted, 6 received, 0% packet loss, time 6999ms rtt min/avg/max/mdev = 0.299/0.318/0.401/0.031 ms rfs4000-229D58>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 70 USER EXEC MODE COMMANDS 2.1.27 ssh User Exec Commands Opens a Secure Shell (SSH) connection between two network devices Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ssh <IP/HOSTNAME> <USER-NAME> {<INF-NAME/LINK-LOCAL-ADD>}

Parameters ssh <IP/HOSTNAME> <USER-NAME> {<INF-NAME/LINK-LOCAL-ADD>}

<IP/HOSTNAME>

<USERNAME>

<INF-NAME/

LINK-LOCAL-ADD>

Specify the remote systems IP address or hostname. Specify the name of the user requesting SSH connection with the remote system. Optional. Specify the interfaces name or link local address. Example nx9500-6C8809>ssh 192.168.13.24 admin admin@192.168.13.24's password:

rfs6000-81742D>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 71 USER EXEC MODE COMMANDS 2.1.28 telnet User Exec Commands Opens a Telnet session between two network devices Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}

Parameters telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}

<IP/HOSTNAME>

<TCP-PORT>

<INTF-NAME>

Configures the destination remote systems IP (IPv4 or IPv6) address or hostname. The Telnet session is established between the connecting system and the remote system.

<IP/HOSTNAME> Specify the remote systems IPv4 or IPv6 address or hostname. Optional. Specify the Transmission Control Protocol (TCP) port number. Optional. Specify the interface name for the link local address. Example nx9500-6C8809#telnet 192.168.13.10 Entering character mode Escape character is '^]'. Welcome to Microsoft Telnet Service login:

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 72 USER EXEC MODE COMMANDS 2.1.29 terminal User Exec Commands Sets the length and width of the CLI display window on a terminal Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax terminal [length|width] <0-512>

Parameters terminal [length|width] <0-512>

length <0-512>

width <0-512>

Sets the number of lines displayed on the terminal window

<0-512> Specify a value from 0 - 512. Sets the width (the number of characters displayed in one line) of the terminal window

<0-512> Specify a value from 0 - 512. Example rfs6000-81742D>terminal length 150 rfs6000-81742D>terminal width 215 rfs6000-81742D>show terminal Terminal Type: xterm Length: 150 Width: 215 rfs6000-81742D>

Related Commands no Resets the width or length of the terminal window Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 73 USER EXEC MODE COMMANDS 2.1.30 time-it User Exec Commands Verifies the time taken by a particular command between request and response Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax time-it <COMMAND>

Parameters time-it <COMMAND>

time-it <COMMAND>

Verifies the time taken by a particular command to execute and provide a result

<COMMAND> Specify the command. Example rfs6000-81742D>time-it enable That took 0.00 seconds.. rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 74 USER EXEC MODE COMMANDS 2.1.31 traceroute User Exec Commands Traces the route to a defined destination Use --help or -h to display a complete list of parameters for the traceroute command Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax traceroute <LINE>

Parameters traceroute <LINE>

traceroute <LINE>

Traces the route to a destination IP address or hostname

<LINE> Specify the destination IPv6 address or hostname. Example rfs6000-81742D>traceroute --help BusyBox v1.14.4 () multi-call binary Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]

[-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]

[-z pausemsecs] HOST [data size]Options:

-F Set the don't fragment bit

-I Use ICMP ECHO instead of UDP datagrams

-l Display the ttl value of the returned packet

-d Set SO_DEBUG options to socket

-n Print hop addresses numerically rather than symbolically

-r Bypass the normal routing tables and send directly to a host

-v Verbose

-m max_ttl Max time-to-live (max number of hops)

-p port# Base UDP port number used in probes

(default is 33434)

-q nqueries Number of probes per 'ttl' (default 3)

-s src_addr IP address to use as the source address

-t tos Type-of-service in probe packets (default 0)

-w wait Time in seconds to wait for a response

(default 3 sec)

-g Loose source route gateway (8 max) rfs6000-81742D>

rfs6000-81742D>traceroute 192.168.13.13 traceroute to 192.168.13.13 (192.168.13.13), 30 hops max, 38 byte packets 1 192.168.13.13 (192.168.13.13) 1.150 ms 0.261 ms 0.214 ms rfs6000-81742D>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 75 USER EXEC MODE COMMANDS 2.1.32 traceroute6 User Exec Commands Traces the route to a specified IPv6 destination Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax traceroute6 <LINE>

Parameters traceroute6 <LINE>

traceroute6 <LINE>

Traces the route to a destination IPv6 address or hostname

<LINE> Specify the destination IPv6 address or hostname. Example rfs6000-81742D>traceroute6 2001:10:10:10:10:10:10:1 traceroute to 2001:10:10:10:10:10:10:1 (2001:10:10:10:10:10:10:1) from 2001:10:10:10:10:10:10:2, 30 hops max, 16 byte packets 1 2001:10:10:10:10:10:10:1 (2001:10:10:10:10:10:10:1) 6.054 ms 0.448 ms 0.555 ms rfs6000-81742D>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 76 USER EXEC MODE COMMANDS 2.1.33 virtual-machine User Exec Commands Installs, configures, and monitors the status of virtual machines (VMs) installed on a WiNG controller Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax virtual-machine [assign-usb-ports|export|install|restart|set|start|stop|

uninstall]

virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}

virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}

virtual-machine install [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan]

{on <DEVICE-NAME>}

virtual-machine restart [<VM-NAME>|hard|team-urc|team-rls|team-vowlan]

virtual-machine set [autostart|memory|vcpus|vif-count|vif-mac|vif-to-vmif|vnc]

virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|

vif-count <0-2>|vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-

INDEX>| vnc [disable|enable]] [<VM-NAME>|team-urc|team-rls|team-vowlan]

{on <DEVICE-NAME>}

The following virtual-machine commands are supported only on the VX9000 platform:

virtual-machine volume-group [add-drive|replace-drive|resize-drive|resize-volume-

group]

virtual-machine volume-group [add-drive|replace-drive] <BLOCK-DEVICE-LABEL>

virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABLE> <NEW-BLOCK-

DEVICE-LABEL>

virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>

Parameters virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}

assign-usb-ports team-

vowlan Assigns USB ports to TEAM-VoWLAN on a specified device on <DEVICE-NAME> Optional. Specify the device name. Note: Use the no > virtual-machine > assign-usb-ports to reassign the port to WiNG. Note: TEAM-RLS VM cannot be installed when USB ports are assigned to TEAM-

VoWLAN. virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}

virtual-machine export Exports an existing VM image and settings. Use this command to export the VM to another <NX54XX> or <NX65XX> device in the same domain.

<VM-NAME> Specify the VM name.

<FILE> Specify the location and name of the source file (VM image). The VM im-

age is retrieved and exported from the specified location.

<URL> Specify the destination location. This is the location to which the VM im-

age is copied. Use one of the following formats to provide the destination path:

Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 77 USER EXEC MODE COMMANDS tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file http://<hostname|IP>[:port]/path/file on <DEVICE-NAME> Optional. Executes the command on a specified device or devices

<DEVICE-NAME> Specify the service platform name. In case of multiple devices, list the device names separated by commas. Note: The VM should be in a stop state during the export process. Note: If the destination is a device, the image is copied to a predefined location (VM archive). virtual-machine install [<VM-NAME>|adsp|team-centro|team-rls|team-vowlan]

{on <DEVICE-NAME>}

virtual-machine install Installs the VM. The install command internally creates a VM template, consisting of the specified parameters, and starts the installation process. Select one of the following options:

<VM-NAME> Installs a VM having name specified by <VM-NAME> keyword. adsp Installs ADSP team-centro Installs the VM TEAM-Centro image team-rls Installs the VM TEAM-RLS image team-vowlan Installs the VM TEAM-VoWLAN image Specify the device on which to install the VM. on <DEVICE-NAME> Optional. Executes the command on a specified device or devices

<DEVICE-NAME> Specify the service platform name. In case of multiple devices, list the device names separated by commas. virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|

vif-count <0-2>|vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-

INDEX>|vnc [disable|enable]] [<VM-NAME>|team-urc|team-rls|team-vowlan]

{on <DEVICE-NAME>}

virtual-machine set Configures the VM settings autostart Specifies whether to autostart the VM on system reboot ignore Enables autostart on each system reboot start Disables autostart memory Defines the VM memory size

<512-8192> Specify the VM memory from 512 - 8192 MB. The default is 1024 MB. vcpus Specifies the number of VCPUS for this VM

<1-4> Specify the number of VCPUS from 1- 4. vif-count Configures or resets the VM's VIFs

<0-2> Specify the VIF number from 0 - 2. vif-mac Configures the MAC address of the selected virtual network interface

<1-2> Select the VIF

<1-8> Specify the MAC index for the selected VIF

<MAC> Specify the customized MAC address for the selected VIF in the AA-BB-

CC-DD-EE-FF format. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 78 USER EXEC MODE COMMANDS Each VM has a maximum of two network interfaces (indexed 1 and 2, referred to as VIF). By default, each VIF is automatically assigned a MAC from the range allocated for that device. However, you can use the set keyword to specify the MAC from within the allocated range. Each of these VIFs are mapped to a layer 2 port in the dataplane (referred to as VMIF). These VMIFs are standard l2 ports on the DP bridge, supporting all VLAN and ACL commands. The WiNG software supports up to a maximum of 8 VMIFs. By default, a VMs interface is always mapped to VMIF1. You can map a VIF to any of the 8 VMIFs. Use the vif-

to-vmif command to map a VIF to a VMIF on the DP bridge. vif-to-vmif Maps the virtual interface (1 or 2) to the selected VMIF interface. Specify the VMIF interface index from 1 - 8. WiNG provides a dataplane bridge for external network connectivity for VMs. VM Interfaces define which IP address is associated with each VLAN ID the service platform is connected to and enables remote service platform administration. Each custom VM can have up to a maximum of two VM interfaces. Each VM interface can be mapped to one of the twelve ports for <NX9500> on the dataplane bridge. This mapping determines the destination for service platform routing. By default, VM interfaces are internally connected to the dataplane bridge via VMIF1. VMIF1, by default, is an untagged port providing access to VLAN 1 to support the capability to connect the VM interfaces to any of the VMIF ports. This provides the flexibility to move a VM interface onto different VLANs as well as configure specific firewall and QoS rules. vnc Disables/enables VNC port option for an existing VM. When enabled, provides remote access to VGA through the noVNC client. disable Disables VNC port enable Enables VNC port After configuring the VM settings, identify the VM to apply the settings.

<VM-NAME> Applies these settings to the VM identified by the <VM-NAME>

keyword. Specify the VM name. adsp Applies these settings to the ADSP VM team-urc Applies these settings to the VM TEAM-URC team-rls Applies these settings to the VM TEAM-RLS team-vowlan Applies these settings to the VM TEAM-VoWLAN virtual-machine start [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan]

{on <DEVICE-NAME>}

virtual-machine start Starts the VM, based on the parameters passed. Select one of the following options:

<VM-NAME> Starts the VM identified by the <VM-NAME> keyword. Specify the VM name. adsp Starts the ADSP VM team-urc Starts the VM TEAM-URC team-rls Starts the VM TEAM-RLS team-vowlan Starts the VM TEAM-VoWLAN The following keywords are common to all of the above parameters:

on <DEVICE-NAME> Optional. Executes the command on a specified device or devices

<DEVICE-NAME> Specify the service platform name. In case of multiple devic-

es, list the device names separated by commas. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 79 USER EXEC MODE COMMANDS virtual-machine stop [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan]

{on <DEVICE-NAME>}

virtual-machine stop hard Stops the VM, based on the parameters passed. Select one of the following options:

<VM-NAME> Stops the VM identified by the <VM-NAME> keyword. Specify the VM name. ADSP Stops the ADSP VM team-urc Stops the VM TEAM-URC team-rls Stops the VM TEAM-RLS team-vowlan Stops the VM TEAM-VoWLAN The following keywords are common to all of the above parameters:

on <DEVICE-NAME> Optional. Executes the command on a specified device or devices

<DEVICE-NAME> Specify the service platform name. In case of multiple de-

vices, list the device names separated by commas. Note: The option hard forces the selected VM to shutdown. virtual-machine uninstall [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan]

{on <DEVICE-NAME>}

virtual-machine uninstall Uninstalls the specified VM

<VM-NAME> Uninstalls the VM identified by the <VM-NAME> keyword. Specify the VM name. ADSP Uninstalls the ADSP VM team-urc Uninstalls the VM TEAM-URC team-rls Uninstalls the VM TEAM-RLS team-vowlan Uninstalls the VM TEAM-VoWLAN The following keywords are common to all of the above parameters:

on <DEVICE-NAME> Optional. Executes the command on a specified device or devices

<DEVICE-NAME> Specify the service platform name. In case of multiple de-

vices, list the device names separated by commas. Note: This command releases the VMs resources, such as memory, VCPUS, VNC port, disk space, and removes the RF Domain reference from the system. virtual-machine volume-group [add-drive|resize-drive] <BLOCK-DEVICE-LABEL>]

virtual-machine volume-group [add-

drive|resize-drive]

<BLOCK-DEVICE-

LABEL>]

Enables provisioning of logical volume-groups on the VX9000 platform. Logical volume-groups are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives. However, volume-groups can be provisioned only on new VX9000 installation and cannot be added to existing VX9000 installation. Note: The logical volume-group is supported only on a VX9000 running the WiNG 5.9.1 image. add-drive Adds a new block-device to the VM. Note, currently a maximum of 3

(three) block devices can be added. To add a new drive, first halt the VM, In the Hypervisor, add a new storage disk to the VM and restart the VM. Once the VM comes up, use this command to add the new drive. To identify the new drive execute the show > virtual-machine > volume-group > status command. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 80 USER EXEC MODE COMMANDS resize-drive - Resizes a drive in the VMs volume group. To increase the size of a drive in the volume-group, first halt the VM. In the Hypervisor, increase the size of the existing secondary storage drive and restart the VM. Once the VM comes up, use this command to resize the drive. To identify the drive with the additional free space, execute the show > virtual-machine > volume-group > status command. The following keyword is common to all of the above parameters:

<BLOCK-DEVICE-LABEL> Specify the block-device label to be added or resized depending on the action being performed. virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-

DEVICE-LABEL>]

virtual-machine volume-group replace-

drive <BLOCK-DEVICE-

LABEL> <NEW-BLOCK-

DEVICE-LABEL>]

Enables provisioning of VMs as logical volume-groups on the VX9000 platform. Logical volume-group VMs are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives. replace-drive Replaces an existing block-device with a new block-device in a volume-group. To replace a drive in the volume-group, first halt the VM. In the Hypervisor, add the new drive and restart the VM. Once the VM comes up, use this command to replace an existing drive with the new drive. To identify the drive with the additional free space, execute the show > virtual-machine > volume-group >

status command

<BLOCK-DEVICE-LABEL> Specify the block-device label to be replaced.

<BLOCK-DEVICE-LABEL> Specify the replacement block-device label. virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>]

virtual-machine volume-group resize-

volume-group <BLOCK-

DEVICE-LABEL>]

Enables provisioning of VMs as logical volume-groups on the VX9000 platform. Logical volume-group VMs are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives resize-volume-group Adds drive space to an existing block-device in the volume-

group

<BLOCK-DEVICE-LABEL> Specify the block-device label to which additional drive space is to be provided Example The following examples show the VM installation process:

Insatllation media: USB

<DEVICE>#virtual-machine install <VM-NAME> type iso disk-size 8 install-media usb1://vms/win7.iso autostart start memory 512 vcpus 3 vif-count 2 vnc enable Installation media: pre-installed disk image

<DEVICE>#virtual-machine install <VM-NAME> type disk install-media flash:/vms/

win7_disk.img autostart start memory 512 vcpus 3 vif-count 2 vnc-enable on

<DEVICE-NAME>

In the preceding example, the command is executed on the device identified by the

<DEVICE-NAME> keyword. In such a scenario, the disk-size is ignored if specified. The VM has the install media as first boot device. Installation media: VM archive

<DEVICE>#virtual-machine install type vm-archive install-media flash:/vms/<VM-

NAME> vcpus 3 Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 81 USER EXEC MODE COMMANDS In the preceding example, the default configuration attached with the VM archive overrides any parameters specified. Exporting an installed VM:

<DEVICE>#virtual-machine export <VM-NAME> <URL> on <DEVICE-NAME>

In the preceding example, the command copies the VM archive on to the URL (VM should be in stop state).

<exsw6>>virtual-machine install team-urc Virtual Machine install team-urc command successfully sent.

<exsw6>>

vx9000-DE6F97>cirtual-machine add-drive sdb vx9000-DE6F97>show virtual-machine volume-group status

-----------------------------------------

Logical Volume: lv1

-----------------------------------------

STATUS : available SIZE : 81.89 GiB VOLUME GROUP : vg0 PHYSICAL VOLUMES :

sda10 : 73.90 GiB sdc1 : 8.00 GiB AVAILABLE DISKS :

sdb : size: 8590MB

-----------------------------------------

* indicates a drive that must be resized

-----------------------------------------

vx9000-DE6F97>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 82 USER EXEC MODE COMMANDS 2.1.34 watch User Exec Commands Repeats the specified CLI command at periodic intervals Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax watch <1-3600> <LINE>

Parameters watch <1-3600> <LINE>

watch

<1-3600>

<LINE>

Example Repeats a CLI command at a specified interval (in seconds) Select an interval from 1 - 3600 sec. Pressing CTRL-Z halts execution of the command. Specify the CLI command. rfs6000-81742D>watch 40 ping 192.168.13.13 PING 192.168.13.13 (192.168.13.13) 100(128) bytes of data. 108 bytes from 192.168.13.13: icmp_seq=1 ttl=64 time=0.335 ms 108 bytes from 192.168.13.13: icmp_seq=2 ttl=64 time=0.217 ms 108 bytes from 192.168.13.13: icmp_seq=3 ttl=64 time=0.209 ms 108 bytes from 192.168.13.13: icmp_seq=4 ttl=64 time=0.202 ms 108 bytes from 192.168.13.13: icmp_seq=5 ttl=64 time=0.235 ms

--- 192.168.13.13 ping statistics ---

5 packets transmitted, 5 received, 0% packet loss, time 3999ms rtt min/avg/max/mdev = 0.202/0.239/0.335/0.051 ms rfs6000-81742D>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 83 USER EXEC MODE COMMANDS 2.1.35 exit User Exec Commands Ends the current CLI session and closes the session window For more information, see exit. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax exit Parameters None Example rfs6000-81742D>exit Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 84 3 PRIVILEGED EXEC MODE COMMANDS Most PRIV EXEC commands set operating parameters. Privileged-level access should be password protected to prevent unauthorized use. The PRIV EXEC command set includes commands contained within the USER EXEC mode. The PRIV EXEC mode also provides access to configuration modes, and includes advanced testing commands. NOTE: To password-protect the Privilege mode, in the Management Policy, configure the privilege-mode-password. For more information, see privilege-mode-password. The PRIV EXEC mode prompt consists of the hostname of the device followed by a pound sign (#). To access the PRIV EXEC mode, enter the following at the prompt:

<DEVICE>>enable

<DEVICE>#

The PRIV EXEC mode is often referred to as the enable mode, because the enable command is used to enter the mode. There is no provision to configure a password to get direct access to PRIV EXEC (enable) mode.

<DEVICE>#?

Privileged command commands:

archive Manage archive files boot Boot commands captive-portal-page-upload Captive portal internal and advanced page upload cd Change current directory change-passwd Change password clear Clear clock Configure software system clock cluster Cluster commands commit Commit all changes made in this session configure Enter configuration mode connect Open a console connection to a remote device copy Copy contents of one dir to another cpe T5 CPE configuration create-cluster Create a cluster crypto Encryption related commands crypto-cmp-cert-update Update the cmp certs database Database database-backup Backup database database-restore Restore database debug Debugging functions delete Deletes specified file from the system device-upgrade Device firmware upgrade diff Display differences between two files dir List files on a filesystem disable Turn off privileged mode command edit Edit a text file enable Turn on privileged mode command erase Erase a filesystem ex3500 EX3500 commands factory-reset Delete startup configuration on device(s), reload the device(s) and remove configuration entry from the controller file-sync File sync between controller and adoptees format Format file system Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 1 PRIVILEGED EXEC MODE COMMANDS halt Halt the system help Description of the interactive help system join-cluster Join the cluster l2tpv3 L2tpv3 protocol logging Modify message logging facilities mint MiNT protocol mkdir Create a directory more Display the contents of a file no Negate a command or set its defaults on On RF-Domain opendns Opendns username/password configuration page Toggle paging ping Send ICMP echo messages ping6 Send ICMPv6 echo messages pwd Display current directory raid RAID operations re-elect Perform re-election reload Halt and perform a warm reboot remote-debug Troubleshoot remote system(s) rename Rename a file revert Revert changes rmdir Delete a directory self Config context of the device currently logged into service Service Commands show Show running system information ssh Open an ssh connection t5 T5 commands telnet Open a telnet connection terminal Set terminal line parameters time-it Check how long a particular command took between request and completion of response traceroute Trace route to destination traceroute6 Trace route to destination(IPv6) upgrade Upgrade software image upgrade-abort Abort an ongoing upgrade virtual-machine Virtual Machine watch Repeat the specific CLI command at a periodic interval write Write running configuration to memory or terminal clrscr Clears the display screen exit Exit from the CLI

<DEVICE>#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 2 PRIVILEGED EXEC MODE COMMANDS 3.1 Privileged Exec Mode Commands PRIVILEGED EXEC MODE COMMANDS The following table summarizes the PRIV EXEC Mode commands:

Table 3.1 Privileged Exec Commands Description Reference Command archive boot Manages file archive operations Specifies the boot partition (primary or secondary). The device uses the image stored in the specified partition to boot. Uploads captive portal advanced pages to adopted access points Changes the current directory captive-portal-

page-upload cd change-passwd Changes the password of a logged user clear clock cluster configure connect copy Clears parameters, cache entries, table entries, and other similar entries Configures the system clock Initiates a cluster context Enters the global configuration mode Begins a console connection to a remote device Copies a file from any location to the wireless controller, service platform, or access point Enables adopted T5 Customer Premises Equipment (CPE) device(s) management. Use this command to perform the following operations on the CPEs: boot, reload, upgrade. This command is specific to the RFS4000, RFS6000, and NX9500 devices. Creates a new cluster on a specified device Enables encryption Triggers a CMP certificate update on a specified device or devices Enables automatic repairing (vacuuming) and dropping of databases

(Captive-portal and NSight) Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server Restores a previously exported database [captive-portal and/or NSight]. Previously exported databases (backed up to a specified FTP or SFTP server) are restored to the original database. Deletes a specified file from the system cpe create-cluster crypto crypto-cmp-

cert-update database database-

backup database-

restore delete device-upgrade Configures device firmware upgrade parameters diff dir disable edit Displays the differences between two files Displays the list of files on a file system Disables the privileged mode command set Enables ext file editing page 3-6 page 3-8 page 3-9 page 3-13 page 3-14 page 3-15 page 3-28 page 3-29 page 3-30 page 3-31 page 3-32 page 3-33 page 3-35 page 3-37 page 3-46 page 3-47 page 3-50 page 3-52 page 3-53 page 3-54 page 3-60 page 3-61 page 3-62 page 3-63 Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 3 PRIVILEGED EXEC MODE COMMANDS Command enable erase ex3500 factory-reset file-sync halt join-cluster l2tpv3 logging mint mkdir more no on opendns page ping ping6 pwd re-elect reload rename rmdir self ssh t5 Table 3.1 Privileged Exec Commands Description Turns on (enables) the privileged mode commands set Erases a file system Enables EX3500 switch firmware management. Use this command to perform the following operations: boot, copy, delete, and IP related configurations. Erases startup configuration on a specified device or all devices within a specified RF Domain Configures parameters enabling syncing of PKCS#12 and wireless-bridge certificate between the staging-controller and adopted access points Halts a device (access point, wireless controller, or service platform) Adds a device (access point, wireless controller, or service platform), as cluster member, to an existing cluster of devices Establishes or brings down Layer 2 Tunneling Protocol Version 3

(L2TPV3) tunnels Modifies message logging parameters Configures MiNT protocols Creates a new directory in the file system Displays the contents of a file Reverts a command or sets values to their default Executes the following commands in the RF Domain context: clrscr, do, end, exit, help, service, show Connects to the OpenDNS site using OpenDNS registered credentials

(username, password) OR OpenDNS API token to fetch the OpenDNS device_id. This command is a part of the process integrating access points, controllers, and service platforms with OpenDNS. Toggles a devices (access point, wireless controller, or service platform) paging function Sends ICMP echo messages to a user-specified location Sends ICMPv6 echo messages to a user-specified location Displays the current directory Re-elects the tunnel controller (wireless controller, service platform, or access point) Halts a device (wireless controller, service platform, or access point) and performs a warm reboot Renames a file in the existing file system Deletes an existing file from the file system Displays the configuration context of the device Connects to another device using a secure shell Executes the following operations on a T5 device: copy, rename, delete, and write. This command is specific to the RFS4000, RFS6000, NX9500 devices. Reference page 3-64 page 3-65 page 3-67 page 3-75 page 3-79 page 3-82 page 3-83 page 3-85 page 3-87 page 3-89 page 3-91 page 3-92 page 3-93 page 3-95 page 3-96 page 3-100 page 3-101 page 3-103 page 3-104 page 3-105 page 3-106 page 3-111 page 3-112 page 3-113 page 3-114 page 3-115 Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 4 PRIVILEGED EXEC MODE COMMANDS Table 3.1 Privileged Exec Commands Description Reference Command telnet terminal time-it Opens a Telnet session Sets the length and width of the terminal window Verifies the time taken by a particular command between request and response Traces the route to a defined destination Sends ICMPv6 echo messages to a user-specified location Upgrades the logged devices software image Aborts an ongoing software image upgrade traceroute traceroute6 upgrade upgrade-abort virtual-machine Installs, configures, and monitors the status of virtual machines (VMs) watch raid installed on a WiNG controller Repeats a specified CLI command at a periodic interval Enables RAID management This command is specific to the NX7530, NX9500, and NX9510 service platforms. page 3-117 page 3-118 page 3-119 page 3-120 page 3-121 page 3-122 page 3-126 page 3-127 page 3-133 page 3-135 NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS. NOTE: The input parameter <HOSTNAME>, if used in syntaxes across this chapter, cannot include an underscore (_) character. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 5 PRIVILEGED EXEC MODE COMMANDS 3.1.1 archive Privileged Exec Mode Commands Manages file archive operations Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax archive tar /table [<FILE>|<URL>]

archive tar /create [<FILE>|<URL>] <FILE>

archive tar /xtract [<FILE>|<URL>] <DIR>

Parameters archive tar /table [<FILE>|<URL>]

tar

/table

<FILE>

<URL>

tar

/create

<FILE>

<URL>

tar

/xtract

<FILE>

<URL>

<DIR>

Manipulates (creates, lists, or extracts) a tar file Lists the files in a tar file Defines a tar filename Sets the tar file URL archive tar /create [<FILE>|<URL>] <FILE>

Manipulates (creates, lists or extracts) a tar file Creates a tar file Defines tar filename Sets the tar file URL archive tar /xtract [<FILE>|<URL>] <DIR>

Manipulates (creates, lists or extracts) a tar file Extracts content from a tar file Defines tar filename Sets the tar file URL Specify a directory name. When used with /create, dir is the source directory for the tar file. When used with /xtract, dir is the destination file where contents of the tar file are extracted. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 6 PRIVILEGED EXEC MODE COMMANDS Example Following examples show how to zip the folder flash:/log/?

nx9500-6C8809#dir flash:/

Directory of flash:/

-rw- 62937 Tue Nov 24 16:00:06 2015 run-config-backup.txt drwx Mon Apr 3 12:40:23 2017 crashinfo drwx Wed Mar 22 13:58:28 2017 upgrade drwx Mon Sep 28 09:48:33 2015 tmptpd drwx Wed Apr 5 11:20:11 2017 log drwx Thu Mar 30 15:07:54 2017 archived_logs drwx Tue May 24 22:23:54 2016 cache drwx Thu Feb 19 08:53:45 2015 floorplans

-rw- 42018304 Tue Sep 27 10:19:24 2016 in.tar drwx Tue Jan 17 10:02:01 2017 hotspot nx9500-6C8809#

nx9500-6C8809#archive tar /create flash:/in.tar flash:/log/

log/nsightd.log.1 log/nsight_reportd.log log/messages.1.log log/martdb.log log/reportd.log.2 log/adopts.log.2 log/mongod.log.2 log/dpd2.log log/nsight_server.log log/mart_websock_server.log log/nuxi/

log/nuxi/beanyaml.log log/nuxi/statsreqresp.1.log log/nuxi/hadoop.log.2014-08-03 log/nuxi/puts.log log/nuxi/copy2w.log log/nuxi/obj2yaml.log log/nuxi/infl.log

--More--

nx9500-6C8809#

nx9500-6C8809#dir flash:/

Directory of flash:/

-rw- 62937 Tue Nov 24 16:00:06 2015 run-config-backup.txt drwx Thu Sep 22 00:12:07 2016 crashinfo drwx Sat Sep 17 05:14:43 2016 upgrade drwx Mon Sep 28 09:48:33 2015 tmptpd drwx Tue Sep 27 09:59:12 2016 log drwx Mon Sep 26 09:58:54 2016 archived_logs drwx Tue May 24 22:23:54 2016 cache drwx Thu Feb 19 08:53:45 2015 floorplans

-rw- 42018304 Tue Sep 27 10:19:24 2016 in.tar drwx Mon Sep 15 03:40:02 2014 hotspot nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 7 PRIVILEGED EXEC MODE COMMANDS 3.1.2 boot Privileged Exec Mode Commands Specifies the image used after reboot Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax boot system [primary|secondary] {on <DEVICE-NAME>}

Parameters boot system [primary|secondary] {on <DEVICE-NAME>}

system

[primary|secondary]

on

<DEVICE-NAME>

Specifies the image used after a device reboot primary Uses the primary image after reboot secondary Uses the secondary image after reboot Optional. Specifies the primary or secondary image location on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example nx9500-6C8809#show boot

--------------------------------------------------------------------------------

IMAGE BUILD DATE INSTALL DATE VERSION

--------------------------------------------------------------------------------

Primary 03/26/2017 01:48:56 03/30/2017 15:02:18 5.9.0.0-012D Secondary 03/17/2017 13:13:38 03/22/2017 13:36:50 5.9.0.0-010D

--------------------------------------------------------------------------------

Current Boot : Primary Next Boot : Primary Software Fallback : Enabled VM support : Not present nx9500-6C8809#

nx9500-6C8809#boot system secondary Updated system boot partition nx9500-6C8809#

nx9500-6C8809#show boot

--------------------------------------------------------------------------------

IMAGE BUILD DATE INSTALL DATE VERSION

--------------------------------------------------------------------------------

Primary 03/26/2017 01:48:56 03/30/2017 15:02:18 5.9.0.0-012D Secondary 03/17/2017 13:13:38 03/22/2017 13:36:50 5.9.0.0-010D

--------------------------------------------------------------------------------

Current Boot : Primary Next Boot : Secondary Software Fallback : Enabled VM support : Not present nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 8 PRIVILEGED EXEC MODE COMMANDS 3.1.3 captive-portal-page-upload Privileged Exec Mode Commands Uploads captive portal advanced pages to connected access points. Use this command to provide connected access points with specific captive portal configurations so they can successfully provision login, welcome, and condition pages to requesting clients attempting to access the wireless network using the captive portal. NOTE: Ensure that the captive portal pages to be uploaded are *.tar files. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax captive-portal-page-upload [<CAPTIVE-PORTAL-NAME>|cancel-upload|delete-file|

load-file]

captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all|rf-domain]

captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all]

{upload-time <TIME>}

captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|all]

{from-controller} {(upload-time <TIME>)}

captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain

{<DOMAIN-NAME>|all]]

captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>

captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>

Parameters captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all]

{upload-time <TIME>}

captive-portal-page-

upload

<CAPTIVE-PORTAL-

NAME>

<MAC/HOSTNAME>

all Uploads advanced pages specified by the <CAPTIVE-PORTAL-NAME> parameter

<CAPTIVE-PORTAL-NAME> Specify captive portal name (should be existing and configured). Uploads to a specified AP

<MAC/HOSTNAME> Specify the APs MAC address or hostname. Uploads to all APs Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 9 PRIVILEGED EXEC MODE COMMANDS upload-time <TIME> Optional. Schedules an upload time

<TIME> Specify upload time in the MM/DD/YYYY-HH:MM or HH:MM format. The scheduled upload time is your local systems time. It is not the access point, controller, service platform, or virtual controller time and it is not synched with the device. To view a list of uploaded captive portal files, execute the show > captive-portal-page-upload > list-files <CAPTIVE-PORTAL-NAME> command. captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|all]

{from-controller} {(upload-time <TIME>)}

captive-portal-page-

upload

<CAPTIVE-PORTAL-

NAME>

rf-domain

[<DOMAIN-NAME>|

all]

Uploads advanced pages specified by the <CAPTIVE-PORTAL-NAME> parameter

<CAPTIVE-PORTAL-NAME> Specify captive portal name (should be existing and configured). Uploads to all APs within a specified RF Domain or all RF Domains

<DOMAIN-NAME> Uploads to APs within a specified RF Domain. Specify the RF Domain name. from-controller upload-time <TIME> Optional. Schedules an AP upload all Uploads to APs across all RF Domains Optional. Uploads to APs from the adopted device

<TIME> Specify upload time in the MM/DD/YYYY-HH:MM or HH:MM format. The scheduled upload time is your local systems time. It is not the access point, controller, service platform, or virtual controller time and it is not synched with the device. captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain

[<DOMAIN-NAME>|all]]

captive-portal-page-

upload cancel-upload cancel-upload

[<MAC/

HOSTNAME>|all|

on rf-domain

[<DOMAIN-NAME>|

all]]

Cancels a scheduled AP upload Select one of the following options:

<MAC/HOSTNAME> Cancels a scheduled upload to a specified AP. Specify the AP MAC address or hostname. all Cancels all scheduled AP uploads on rf- domain Cancels all scheduled uploads within a specified RF Domain or all RF Domains

<DOMAIN-NAME> Cancels scheduled uploads within a specified RF Domain. Specify RF Domain name. all Cancels scheduled uploads across all RF Domains captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>

Deletes a specified captive portals uploaded captive-portal internal page files captive-portal-page-

upload delete-file

<CAPTIVE-PORTAL-

NAME> <FILE-

NAME>

Deletes a captive portals, identified by the <CAPTIVE-PORTAL-NAME> keyword, uploaded internal page files

<CAPTIVE-PORTAL-NAME> Specify the captive portals name.

<FILE-NAME> Specify the file name. The specified internal captive portal page is deleted. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 10 PRIVILEGED EXEC MODE COMMANDS captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>

captive-portal-page-

upload load-file

<CAPTIVE-PORTAL-

NAME> <URL>

Loads captive-portal advanced pages Specify captive portal name (should be existing and configured) and location.

<URL> Specifies location of the captive-portal's advanced pages. Use one of the following formats:

IPv4 URLs:

tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file http://<hostname|IP>[:port]/path/file cf:/path/file usb<n>:/path/file IPv6 URLs:

tftp://<hostname|[IPv6]>[:port]/path/file ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file http://<hostname|[IPv6]>[:port]/path/file Note: The captive portal pages are downloaded to the controller from the location specified here. After downloading use the captive-portal-page-upload> <CAPTIVE-PORTAL-NAME> > <DEVICE-OR-DOMAIN-

NAME> command to upload these pages to APs. Example ap6562-B1A214#captive-portal-page-upload load-file captive_portal_test tftp://

89.89.89.17/pages_new_only.tar ap6562-B1A214#

ap6562-B1A214#show captive-portal-page-upload load-image-status Download of captive_portal_test advanced page file is complete ap6562-B1A214#

ap6562-B1A214#captive-portal-page-upload captive_portal_test all

--------------------------------------------------------------------------------

CONTROLLER STATUS MESSAGE

--------------------------------------------------------------------------------

FC-0A-81-B1-A2-14 Success Added 6 APs to upload queue

--------------------------------------------------------------------------------

ap6562-B1A214#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 11 PRIVILEGED EXEC MODE COMMANDS ap6562-B1A214#show captive-portal-page-upload status Number of APs currently being uploaded : 1 Number of APs waiting in queue to be uploaded : 0

--------------------------------------------------------------------------------

-------

AP STATE UPLOAD TIME PROGRESS RETRIES LAST UPLOAD ERROR UPLOADED BY

--------------------------------------------------------------------------------

-------

ap6562-B1A738 downloading immediate 100 0 - None

--------------------------------------------------------------------------------

-------

ap6562-B1A214#

The following example lists captive portal CP-BW uploaded files:

nx7500-7F2C13#show captive-portal-page-upload list-files CP-BW

--------------------------------------------------------------------------------

NAME SIZE LAST MODIFIED

--------------------------------------------------------------------------------

CP-BW-1.tar.gz 6133 2017-05-16 10:38:40 CP-BW.tar.gz 3370 2017-05-16 10:45:44

--------------------------------------------------------------------------------

nx7500-7F2C13#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 12 PRIVILEGED EXEC MODE COMMANDS 3.1.4 cd Privileged Exec Mode Commands Changes the current directory Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax cd {<DIR>}

Parameters cd {<DIR>}

<DIR>

Example Optional. Changes the current directory to the directory identified by the <DIR>

keyword. If a directory name is not provided, the system displays the current directory. rfs6000-81742D#cd flash:/log/

rfs6000-81742D#pwd flash:/log/

rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 13 PRIVILEGED EXEC MODE COMMANDS 3.1.5 change-passwd Privileged Exec Mode Commands Changes the password of a logged user. When this command is executed without any parameters, the password can be changed interactively. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax change-passwd <OLD-PASSWORD> <NEW-PASSWORD>

Parameters

<OLD-PASSWORD>

<NEW-PASSWORD>

change-passwd <OLD-PASSWORD> <NEW-PASSWORD>

Specify the password to be changed. Specify the new password. Note: The password can also be changed interactively. To do so, press [Enter] after the command. Usage Guidelines A password must be from 1 - 64 characters in length. Example rfs6000-81742D#change-passwd Enter old password:

Enter new password:

Password for user 'admin' changed successfully Please write this password change to memory(write memory) to be persistent. rfs6000-81742D#write memory OK rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 14 PRIVILEGED EXEC MODE COMMANDS 3.1.6 clear Privileged Exec Mode Commands Clears parameters, cache entries, table entries, and other entries. The clear command is available for specific commands only. The information cleared using this command varies depending on the mode where the clear command is executed. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 NOTE: When using the clear command, refer to the interface details provided in interface. Syntax clear [arp-cache|bonjour|cdp|counters|crypto|eguest|event-history|firewall|gre|

ip|ipv6|l2tpv3-stats|lacp|license|lldp|logging|mac-address-table|mint|role|rtls|

spanning-tree|traffic-shape|vrrp]

clear arp-cache {on <DEVICE-NAME>}

clear bonjour cache {on <DEVICE-NAME>}

clear [cdp|lldp] neighbors {on <DEVICE-NAME>}

clear counters [all|ap|bridge|interface|radio|router|thread|wireless-client]

clear counters [all|bridge|router|thread]

clear counters [ap|wireless-client] {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

clear counters interface [<INTERFACE-NAME>|all|ge <1-X>|me1|port-channel <1-X>|

pppoe1|vlan <1-4094>|wwan1|xge <1-4>]

clear counters radio {<MAC/HOSTNAME>|on}

clear counters radio {<MAC/HOSTNAME> <1-X>} {(on <DEVICE-OR-DOMAIN-NAME>)}

clear crypto [ike|ipsec]

clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}

clear crypto ipsec sa {on <DEVICE-NAME>}

clear eguest registration statistics clear event-history clear firewall [dhcp snoop-table|dos stats|flows [ipv4|ipv6]|neighbors snoop-

table] {on <DEVICE-NAME>}

clear gre stats {on <DEVICE-NAME>}

clear ip [bgp|dhcp|ospf]

clear ip bgp [<IP>|all|external|process]

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 15 PRIVILEGED EXEC MODE COMMANDS clear ip bgp [<IP>|all|external] {in|on|out|soft}

clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}

clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}

clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}

clear ip bgp process {on <DEVICE-NAME>}

clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}

clear ip ospf process {on <DEVICE-NAME>}

clear ipv6 neighbor-cache {on <DEVICE-NAME>}

clear lacp [<1-4> counters|counters]

clear l2tpv3-stats tunnel <L2TPV3-TUNNEL-NAME> {session <SESSION-NAME>}

{(on <DEVICE-NAME>)}

clear license [borrowed|lent]

clear license borrowed {on <DEVICE-NAME>}

clear license lent to <DEVICE-NAME> {on <DEVICE-NAME>}

clear logging {on <DEVICE-NAME>}

clear mac-address-table {address|interface|mac-auth-state|vlan} {on <DEVICE-

NAME>}

clear mac-address-table mac-auth-state address <AMC> vlan <1-4094> {on <DEVICE-

NAME>}

clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}

clear mac-address-table interface [<IF-NAME>|ge <1-X>|port-channel <1-X>|t1e1 <1-

4> <1-1>|up <1-X>|xge <1-4>] {on <DEVICE-NAME>}

clear mint mlcp history {on <DEVICE-NAME>}

clear role ldap-stats {on <DEVICE-NAME>}

clear rtls [aeroscout|ekahau]

clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}|

on <DEVICE-OR-DOMAIN-NAME>}

clear spanning-tree detected-protocols {interface|on <DEVICE-NAME>}

clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-x>|me1|

port-channel <1-x>|pppoe1|vlan <1-4094>|wwan1|xge <1-4>]} {on <DEVICE-NAME>}

clear traffic-shape statistics {class <1-4>} {(on <DEVICE-NAME>)}

clear vrrp [error-stats|stats] {on <DEVICE-NAME>}

The following clear command is specific to the NX95XX series service platforms:

clear logging analytics {on <DEVICE-NAME>}

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 16 PRIVILEGED EXEC MODE COMMANDS Parameters clear arp-cache {on <DEVICE-NAME>}

arp-cache on <DEVICE-NAME>

Clears Address Resolution Protocol (ARP) cache entries on a device. This protocol matches layer 3 IP addresses to layer 2 MAC addresses. Optional. Clears ARP cache entries on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear bonjour cache {on <DEVICE-NAME>}

bonjour cache on <DEVICE-NAME>

Clears all Bonjour cached statistics. Once cleared, the system has to re-discover available Bonjour services. Optional. Clears all Bonjour cached statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear [cdp|lldp] neighbors {on <DEVICE-NAME>}

cdp ldp neighbors on <DEVICE-NAME>

Clears Cisco Discovery Protocol (CDP) table entries Clears Link Layer Discovery Protocol (LLDP) neighbor table entries Clears CDP or LLDP neighbor table entries based on the option selected in the preceding step Optional. Clears CDP or LLDP neighbor table entries on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear counters [all|bridge|router|thread]

counters

[all|bridge|router|

thread]

Clears counters on a system all Clears all counters irrespective of the interface type bridge Clears bridge counters router Clears router counters thread Clears per-thread counters clear counters [ap|wireless-client] {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

counters

[ap|wireless-client]

<MAC>

Clears counters on a system ap Clears access point wireless counters wireless-client Clears wireless client counters The following keyword is common to the ap and wireless-client parameters:

<MAC> Optional. Clears counters of the AP/wireless client identified by the <MAC>

keyword. Specify the MAC address of the AP or wireless client. The system clears all AP or wireless client counters, if no MAC address is specified. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 17 PRIVILEGED EXEC MODE COMMANDS on <DEVICE-OR-

DOMAIN-NAME>

The following keyword is recursive and is applicable to the <MAC> parameter:

on <DEVICE-OR-DOMAIN-NAME> Optional. Clears AP/wireless-client counters on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. If no MAC address is specified, the system clears all AP or wireless client counters on the specified AP, wireless controller, service platform, or RF Domain. clear counters interface [<INTERFACE-NAME>|all|ge <1-X>|me1|port-channel <1-X>|

pppoe1|vlan <1-4094>|wwan1|xge <1-4>]

counters interface

[<INTERFACE-

NAME>|all|

ge <1-X>|me1|

port-channel <1-X>|

pppoe1|vlan <1-4094>|

wwan1|xge <1-4>]

Clears interface counters for a specified interface

<INTERFACE-NAME> Clears a specified interface counters. Specify the interface name. all Clears all interface counters ge <1-X> Clears GigabitEthernet interface counters. Specify the GigabitEthernet interface index from 1 - X. me1 Clears FastEthernet interface counters port-channel <1- X> Clears port-channel interface counters. Specify the port channel interface index from 1 - X. Note: The number of port-channel interfaces supported varies for different device types. For example, RFS4000 supports 3 port-channels. pppoe1 Clears Point-to-Point Protocol over Ethernet (PPPoE) interface counters vlan <1-4094> Clears interface counters. Specify the Switch Virtual Interface (SVI) VLAN ID from 1 - 4094. wwan1 Clears wireless WAN interface counters xge <1-4> Clears TenGigabitEthernet interface counters. Specify the GigabitEthernet interface index from 1 - 4. clear counters radio {<MAC/HOSTNAME> <1-X>} {(on <DEVICE-OR-DOMAIN-NAME>)}

counters radio

<MAC/HOSTNAME>

<1-X>

on <DEVICE-OR-

DOMAIN-NAME>

Clears wireless radio counters Clears counters of a radio identified by the <MAC/HOSTNAME> keyword.

<MAC/HOSTNAME> Optional. Specify the hostname or MAC address. Optionally, append the interface number to form radio ID in the form of AA-BB-CC-DD-EE-

FF:RX or HOSTNAME:RX

<1-X> Optional. Specify the radio index (if not specified as part of the radio ID). The maximum number of radio antennas supported varies with the access point type. If no MAC address or radio index is specified, the system clears all radio counters. The following keyword is recursive and is applicable to the <MAC> parameter:

on <DEVICE-OR-DOMAIN-NAME> Optional. Clears AP/wireless-client counters on a specified device or RF Domain If no MAC address is specified, the system clears all AP or wireless client counters on the specified AP, wireless controller, service platform, or RF Domain. clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}

crypto Clears encryption module database Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 18 PRIVILEGED EXEC MODE COMMANDS ike sa [<IP>|all]

on <DEVICE-NAME>

Clears Internet Key Exchange (IKE) security associations (SAs)

<IP> Clears IKE SAs for a certain peer all Clears IKE SAs for all peers Optional. Clears IKE SA entries, for a specified peer or all peers, on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear crypto ipsec sa {on <DEVICE-NAME>}

Clears encryption module database Clears Internet Protocol Security (IPSec) database SAs on <DEVICE-NAME> Optional. Clears IPSec SA entries on a specified device crypto ipsec sa

{on <DEVICE-NAME>}

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear eguest registration statistics eguest registration statistics Clears EGuest registration server counters. When cleared EGuest registration details are deleted, and the show > eguest > registration > statistics command output is null. This command is applicable only on the NX95XX, NX9600, and the VX9000 model platforms. clear event-history event-history Clears event history cache entries clear firewall [dhcp snoop-table|dos stats|flows [ipv4|ipv6]|neighbors snoop-

table] {on <DEVICE-NAME>}

firewall dhcp snoop-table dos stats flows [ipv4|ipv6]

neighbors snoop-table on <DEVICE-NAME>

Clears firewall event entries Clears DHCP snoop table entries Clears denial of service statistics Clears established IPv4 or IPv6 firewall sessions Clears IPv6 neighbors snoop-table entries The following keywords are common to the DHCP, DOS, and flows parameters:

on <DEVICE-NAME> Optional. Clears DHCP snoop table entries, denial of service statistics, or the established firewall sessions on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. gre stats on <DEVICE-NAME>

clear gre stats {on <DEVICE-NAME>}

Clears GRE tunnel statistics Optional. GRE tunnel statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 19 PRIVILEGED EXEC MODE COMMANDS clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}

ip bgp

[<IP>|all|external]

Clears BGP routing table information based on the option selected

<IP> Clears the BGP peer identified by the <IP> keyword. Specify the BGP peers IP address. all Clears Route Updates Received From All BGP Peers external Clears route updates received from external BGP peers This command is applicable only to the RFS4000, RFS6000, NX95XX, and NX9600 series service platforms. In case of a change in routing policy it is necessary to clear BGP routing table entries in order for the new policy to take effect. Optional. Clears soft-reconfiguration inbound route updates prefix-filter Optional. Clears the existing Outbound Route Filtering (ORF) prefix-list. Optional. Clears soft-reconfiguration inbound route updates on a specified device

<DEVICE-NAME> Specify the name of the AP or service platform. in prefix-filter on <DEVICE-NAME>

clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}

ip bgp

[<IP>|all|external]

Clears BGP routing table information based on the option selected

<IP> Clears the BGP peer identified by the <IP> keyword. Specify the BGP peers IP address. all Clears route updates received from all BGP peers external Clears route updates received from external BGP peers This command is applicable only to the RFS4000, RFS6000, and NX95XX series service platforms. In case of a change in routing policy it is necessary to clear BGP routing table entries in order for the new policy to take effect. Optional. Clears soft-reconfiguration outbound route updates. Optionally specify the device on which to execute this command. The following keyword is recursive and optional. on <DEVICE-NAME> Optional. Clears BGP sessions on a specified device out on <DEVICE-NAME>

<DEVICE-NAME> Specify the name of the AP or service platform. clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}

ip bgp

[<IP>|all|external]

Clears BGP routing table information based on the option selected

<IP> Clears the BGP peer identified by the <IP> keyword. Specify the BGP peers IP address. all Clears route updates received from all BGP peers external Clears route updates received from external BGP peers This command is applicable only to the RFS4000, RFS6000, and NX95XX series service platforms. In case of a change in routing policy it is necessary to clear BGP routing table entries in order for the new policy to take effect. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 20 PRIVILEGED EXEC MODE COMMANDS soft {in|out}

on <DEVICE-NAME>

Optional. Enables soft-reconfiguration of route updates for the specified IP address. This option allows routing tables to be reconfigured without clearing BGP sessions. in Optional. Enables soft reconfiguration of inbound route updates out Optional. Enables soft reconfiguration of outbound route updates Modifications made to BGP settings (BGP access lists, weight, distance, route-maps, versions, routing policy, etc.) take effect only after on-going BGP sessions are cleared. The clear > ip > bgp command clears BGP sessions. To reduce loss of route updates during the process, use the soft option. Soft reconfiguration stores inbound/outbound route updates to be processed later and updated to the routing table. This requires high memory usage. Optional. Clears soft-reconfiguration inbound/outbound route updates on a specified device

<DEVICE-NAME> Specify the name of the AP or service platform. clear ip bgp process {on <DEVICE-NAME>}

ip bgp process on <DEVICE-NAME>

Clears all BGP processes running This command is applicable only to the RFS4000, RFS6000, NX95XX, NX9600 platforms. Optional. Clears all BGP processes on a specified device

<DEVICE-NAME> Specify the name of the AP or service platform. clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}

ip dhcp bindings

<IP>

all on <DEVICE-NAME>

Clears a Dynamic Host Configuration Protocol (DHCP) servers IP address bindings entries Clears DHCP servers connections and address binding entries Clears specific address binding entries. Specify the IP address to clear binding entries. Clears all address binding entries Optional. Clears a specified address binding or all address bindings on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear ip ospf process {on <DEVICE-NAME>}

ip ospf process on <DEVICE-NAME>

Clears already enabled open shortest path first (OSPF) process and restarts the process Optional. Clears OSPF process on a specified device OSPF is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet layer which makes routing decisions based solely on the destination IP address found in IP packets.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 21 PRIVILEGED EXEC MODE COMMANDS clear ipv6 neighbor-cache {on <DEVICE-NAME>}

clear ipv6 neighbor-cache on <DEVICE-NAME>

Clears IPv6 neighbor cache entries Optional. Clears IPv6 neighbor cache entries on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear lacp [<1-4> counters|counters]

clear lacp

[<1-4> counters|

counters]

Clears Link Aggregation Control Protocol (LACP) counters for a specified port-

channel group or all port-channel groups configured

<1-4> counters Clears LACP counters for a specified port-channel. Specify the port-channel index number from 1 - 4. Note, LACP is supported only on the NX5500, NX7500, and NX9500 model service platforms. However, the NX9500 series service platforms support only two (2) port-channels, and the other model service platforms support four (4) port-channels. counters Clears LACP counters for all configured port-channels on the device clear l2tpv3-stats tunnel <L2TPV3-TUNNEL-NAME> {session <SESSION-NAME>}

{(on <DEVICE-NAME>)}

l2tpv3-stats tunnel

<L2TPV3-TUNNEL-

NAME>

session

<SESSION-NAME>

on <DEVICE-NAME>

Clears L2TPv3 tunnel session statistics Clears all sessions associated with a specified L2TPv3 tunnel

<L2TPV3-TUNNEL-NAME> Specify the L2TPv3 tunnel name. Optional. Clears a specified L2TPv3 tunnel session, identified by the <SESSION-

NAME> keyword

<SESSION-NAME> Specify the session name. The following parameter is recursive and optional:

on <DEVICE-NAME> Optional. Specifies the device running the L2TPv3 tunnel session

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. If no optional parameters are specified, the system clears all L2TPv3 tunnel session statistics. clear license borrowed {on <DEVICE-NAME>}

license borrowed

{on <DEVICE-NAME>}

Releases or revokes all licenses borrowed by a site controller on <DEVICE-NAME> Optional. Specifies the borrowing controllers name.

<DEVICE-NAME> Specify the wireless controllers name. If no device name is specified, the system clears all borrowed licenses on the logged device. clear license lent to <DEVICE-NAME> {on <DEVICE-NAME>}

license lent to <DEVICE-NAME>

NOC controller releases or revokes all licenses loaned to a site controller Specifies the borrowing controllers name

<DEVICE-NAME> Specify the controller's name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 22 PRIVILEGED EXEC MODE COMMANDS on <DEVICE-NAME>

Optional. Specifies the controllers name

<DEVICE-NAME> Specify the wireless controllers name. If no device name is specified, the system clears all loaned licenses on the logged device. clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}

mac-address-table address <MAC>

vlan <1-4094>

on <DEVICE-NAME>

Clears the MAC address forwarding table Optional. Clears a specified MAC address from the MAC address table.

<MAC> Specify the MAC address in one of the following formats: AA-BB-CC-DD-

EE-FF or AA:BB:CC;DD:EE:FF or AABB.CCDD.EEFF Optional. Clears all MAC addresses for a specified VLAN

<1-4094> Specify the VLAN ID from 1 - 4094. Optional. Clears a single entry or all MAC entries for the specified VLAN in the MAC address forwarding table on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear mac-address-table interface [<IF-NAME>|ge <1-X>|port-channel <1-X>|t1e1

<1-4> <1-1>|up <1-X>|xge <1-4>] {on <DEVICE-NAME>}

mac-address-table interface

<IF-NAME>

ge <1-X>

port-channel <1-X>

up <1-X>

xge <1-4>

on <DEVICE-NAME>

Clears the MAC address forwarding table Clears all MAC addresses for the selected interface. Use the options available to specify the interface. Clears MAC address forwarding table for the specified layer 2 interface (Ethernet port)

<IF-NAME> Specify the layer 2 interface name. Clears MAC address forwarding table for the specified GigabitEthernet interface

<1-X> Specify the GigabitEthernet interface index from 1 - X. Clears MAC address forwarding table for the specified port-channel interface

<1-X> Specify the port-channel interface index from 1 - X. Clears MAC address forwarding table for the WAN Ethernet interface The number of WAN Ethernet interfaces supported varies for different devices. The RFS4000 and RFS6000 devices support 1 WAN Ethernet interface. Clears MAC address forwarding table for the specified TenGigabitEthernet interface

<1-4> Specify the GigabitEthernet interface index from 1 - 4. Optional. Clears the MAC address forwarding table, for the selected interface, on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 23 PRIVILEGED EXEC MODE COMMANDS clear mac-address-table mac-auth-state address <MAC> vlan <1-4904> {on <DEVICE-

NAME>}

mac-address-table mac-auth-state address

<MAC> vlan <1-4904>

Clears MAC addresses learned from a particular VLAN when WLAN MAC authentication and captive-portal fall back is enabled Access points/controllers provide WLAN access to clients whose MAC address has been learned and stored in their MAC address tables. Use this command to clear a specified MAC address on the MAC address table. Once cleared the client has to re-

authenticate, and is provided access only on successful authentication.

<MAC> Specify the MAC address to clear. vlan <1-4904> Specify the VLAN interface from 1 - 4094. In the AP/controllers MAC address table, the specified MAC address is cleared on the specified VLAN in-

terface. on <DEVICE-NAME>

Optional. Clears the specified MAC address on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. If a device is not specified, the system clears the MAC address from the MAC address table of all devices. clear mint mlcp history {on <DEVICE-NAME>}

mint mlcp history on <DEVICE-NAME>

Clears MiNT related information Clears MiNT Link Creation Protocol (MLCP) client history Optional. Clears MLCP client history on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform clear role ldap-stats {on <DEVICE-NAME>}

role ldap-stats on <DEVICE-NAME>

Clears role based Lightweight Directory Access Protocol (LDAP) server statistics Optional. Clears role based LDAP server statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}|

on <DEVICE-OR-DOMAIN-NAME>}

rtls aeroscout ekahau

<MAC/DEVICE-NAME>

Clears Real Time Location Service (RTLS) statistics Clears RTLS Aeroscout statistics Clears RTLS Ekahau statistics This keyword is common to the aeroscout and ekahau parameters.

<MAC/DEVICE-NAME> Optional. Clears Aeroscout or Ekahau RTLS statistics on a specified AP, wireless controller, or service platform. Specify the APs MAC address or hostname. on <DEVICE-OR-

DOMAIN-NAME>

This keyword is common to the aeroscout and ekahau parameters. on <DEVICE-OR-DOMAIN-NAME> Optional. Clears Aeroscout or Ekahau RTLS statistics on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 24 PRIVILEGED EXEC MODE COMMANDS clear spanning-tree detected-protocols {on <DEVICE-NAME>}

spanning-tree detected-protocols on <DEVICE-NAME>

Clears spanning tree protocols on an interface, and also restarts protocol migration Restarts protocol migration Optional. Clears spanning tree protocols on a specified device

<DEVICE-NAME> Optional. Specify the name of the AP, wireless controller, or service platform. clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-X>|

me1|port-channel <1-X>|pppoe1|vlan <1-4094>|wwan1|xge <1-4>]} {on <DEVICE-NAME>}

spanning-tree detected-protocols interface

[<INTERFACE-NAME>|

ge <1-X>|me1|

port-channel <1-X>|

pppoe1|vlan <1-4094>|

wwan1|xge <1-4>]

on <DEVICE-NAME>

Clears spanning tree protocols on an interface and restarts protocol migration Restarts protocol migration Optional. Clears spanning tree entries on different interfaces

<INTERFACE-NAME> Clears detected spanning tree entries on a specified interface. Specify the interface name. ge <1-X> Clears detected spanning tree entries for the selected GigabitEthernet interface. Select the GigabitEthernet interface index from 1 - X me1 Clears FastEthernet interface spanning tree entries port-channel <1- X> Clears detected spanning tree entries for the selected port channel interface. Select the port channel index from 1 - X. The number of port-channel interfaces supported varies for different device types. For example, RFS4000 supports 3 port-channels. pppoe1 Clears detected spanning tree entries for PPPoE interface. vlan <1-4094> Clears detected spanning tree entries for the selected VLAN interface. Select a SVI VLAN ID from 1 - 4094. wwan1 Clears detected spanning tree entries for wireless WAN interface xge <1-4> Clears detected spanning tree entries for TenGigabitEthernet interfaces. Specify the GigabitEthernet interface index from 1 - 4. Optional. Clears spanning tree protocol entries on a selected device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. clear traffic-shape statistics {class <1-4>} {(on <DEVICE-NAME>)}

traffic-shape statistics class <1-4>

on <DEVICE-NAME>

Clears traffic shaping statistics Optional. Clears traffic shaping statistics for a specific traffic class

<1-4> Specify the traffic class from 1 - 4. Note: If the traffic class is not specified, the system clears all traffic shaping statistics. Optional. Clears traffic shaping statistics for the specified traffic class on a specified device

<DEVICE-NAME> Specify the name of the access point, wireless controller, or service platform. Note: For more information on configuring traffic-shape, see interface. clear vrrp [error-stats|stats] {on <DEVICE-NAME>}

vrrp Clears Virtual Router Redundancy Protocol (VRRP) statistics for a device Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 25 PRIVILEGED EXEC MODE COMMANDS error-stats

{on <DEVICE-NAME>}

stats

{on <DEVICE-NAME>}

Clears global error statistics on <DEVICE-NAME> Optional. Clears VRRP global error statistics on a selected device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Clears VRRP related statistics on <DEVICE-NAME> Optional. Clears VRRP related statistics on a selected device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example rfs4000-229D58#clear crypto ike sa all rfs4000-229D58#show crypto ike sa

--------------------------------------------------------------------------------

-------IDX PEER VERSION ENCR ALGO HASH ALGO DH GROUP IKE STATE

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

--------------Total IKE SAs: 0 rfs4000-229D58#

rfs6000-81742D#clear spanning-tree detected-protocols interface port-channel 1 rfs6000-81742D#clear ip dhcp bindings 172.16.10.9 rfs6000-81742D#clear cdp neighbors rfs4000-229D58#clear spanning-tree detected-protocols interface ge 1 rfs4000-229D58#clear lldp neighbors rfs6000-81742D#show event-history EVENT HISTORY REPORT Generated on '2017-04-04 13:49:57 IST' by 'admin'

2017-04-04 13:37:31 rfs6000-81742D SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'

2017-04-04 13:15:19 rfs6000-81742D SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '192.168.13.10'

2017-04-04 13:09:47 rfs6000-81742D LICMGR LIC_AP_AAP_DEPLETED Depleted AP/AAP license count: 1 2017-04-04 13:09:47 rfs6000-81742D LICMGR LIC_AP_AAP_DEPLETED Depleted AP/AAP license count: 1

--More--

rfs6000-81742D#

jrfs6000-81742D#clear event-history rfs6000-81742D#show event-history EVENT HISTORY REPORT Generated on '2017-04-04 13:51:27 IST' by 'admin'

rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 26 PRIVILEGED EXEC MODE COMMANDS rfs6000-81742D#show mac-address-table

--------------------------------------------------------

BRIDGE VLAN PORT MAC STATE

--------------------------------------------------------

1 1 up1 00-02-B3-28-D1-55 forward 1 1 up1 00-0F-8F-19-BA-4C forward 1 1 up1 84-24-8D-80-C2-AC forward 1 1 up1 84-24-8D-80-BF-34 forward 1 1 up1 1C-7E-E5-18-FA-67 forward 1 1 up1 84-24-8D-83-30-A4 forward 1 1 up1 B4-C7-99-DD-31-C8 forward 1 1 up1 B4-C7-99-6C-88-09 forward 1 1 up1 00-18-71-D0-1B-F3 forward 1 1 up1 B4-C7-99-71-17-28 forward 1 1 up1 FC-0A-81-42-93-6C forward 1 1 up1 B4-C7-99-6D-CD-4B forward 1 1 up1 84-24-8D-84-A2-24 forward 1 1 up1 3C-CE-73-F4-47-83 forward 1 1 up1 B4-C7-99-74-B4-5C forward

--------------------------------------------------------

Total number of MACs displayed: 15 rfs6000-81742D#

rfs6000-81742D>clear mac-address-table address 3C-CE-73-F4-47-83 on rfs6000-81742D rfs6000-81742D#show mac-address-table

--------------------------------------------------------

BRIDGE VLAN PORT MAC STATE

--------------------------------------------------------

1 1 up1 00-02-B3-28-D1-55 forward 1 1 up1 00-0F-8F-19-BA-4C forward 1 1 up1 84-24-8D-80-C2-AC forward 1 1 up1 84-24-8D-80-BF-34 forward 1 1 up1 1C-7E-E5-18-FA-67 forward 1 1 up1 84-24-8D-83-30-A4 forward 1 1 up1 B4-C7-99-DD-31-C8 forward 1 1 up1 B4-C7-99-6C-88-09 forward 1 1 up1 00-18-71-D0-1B-F3 forward 1 1 up1 B4-C7-99-71-17-28 forward 1 1 up1 FC-0A-81-42-93-6C forward 1 1 up1 B4-C7-99-6D-CD-4B forward 1 1 up1 84-24-8D-84-A2-24 forward 1 1 up1 B4-C7-99-74-B4-5C forward

--------------------------------------------------------

Total number of MACs displayed: 14 rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 27 PRIVILEGED EXEC MODE COMMANDS 3.1.7 clock Privileged Exec Mode Commands Sets a devices system clock. By default all WiNG devices are shipped with the time zone and time format set to UTC and 24-hour clock respectively. If a devices clock is set without resetting the time zone, the time is displayed relative to the Universal Time Coordinated (UTC) Greenwich Time. To display time in the local time zone format, in the devices configuration mode, use the timezone command to reset the time zone. You can also reset the time zone at the RF Domain level. When configured as RF Domain setting, it applies to all devices within the domain. Configuring the local time zone prior to setting the clock is recommended. For more information on configuring RF Domain time zone, see timezone. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}

Parameters clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}

clock set

<HH:MM:SS>

Sets a devices system clock Sets the current time (in military format hours, minutes and seconds) Note: By default the WiNG software displays time in the 24-hour clock format. This setting cannot be changed.

<1-31>

Sets the numerical day of the month

<MONTH>

Sets the month of the year from Jan - Dec

<1993-2035>

Sets a valid four digit year from 1993 - 2035 on <DEVICE-NAME> Optional. Sets the clock on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service Example platform. The following commands set the time zone and clock for the logged device:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#timezone America/Los_Angeles nx9500-6C8809#clock set 00:25:10 16 Jan 2017 nx9500-6C8809#show clock 2017-01-16 03:31:16 IST nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 28 PRIVILEGED EXEC MODE COMMANDS 3.1.8 cluster Privileged Exec Mode Commands Initiates the cluster context. The cluster context provides centralized management to configure all cluster members from any one member. Commands executed under this context are executed on all members of the cluster. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax cluster start-election Parameters cluster start-election start-election Starts a new cluster master election Example rfs4000-880DA7#cluster start-election rfs4000-880DA7#

Related Commands create-cluster join-cluster Creates a new cluster on a specified device Adds a controller, as cluster member, to an existing cluster of devices Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 29 PRIVILEGED EXEC MODE COMMANDS 3.1.9 configure Privileged Exec Mode Commands Enters the configuration mode. Use this command to enter the current devices configuration mode, or enable configuration from the terminal. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax configure {self|terminal}

Parameters configure {self|terminal}

self terminal Optional. Enables the current devices configuration mode Optional. Enables configuration from the terminal Example rfs6000-81742D#configure self Enter configuration commands, one per line. End with CNTL/Z. rfs6000-81742D(config-device-00-15-70-81-74-2D)#

rfs6000-81742D#configure terminal Enter configuration commands, one per line. End with CNTL/Z. rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 30 PRIVILEGED EXEC MODE COMMANDS 3.1.10 connect Privileged Exec Mode Commands Begins a console connection to a remote device using the remote devices MiNT ID or name Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]

Parameters mint-id <MINT-ID>

connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]

Connects to a remote system using the MiNT ID

<MINT-ID> Specify the remote devices MiNT ID. Connects to a remote system using its name

<REMOTE-DEVICE-NAME> Specify the remote devices name.

<REMOTE-DEVICE-

NAME>

Example nx9500-6C8809#show mint lsp-db 9 LSPs in LSP-db of 19.6C.88.09:

LSP 19.6C.88.09 at level 1, hostname "nx9500-6C8809", 8 adjacencies, seqnum 1294552 LSP 19.6D.B5.D4 at level 1, hostname "rfs6000-81742D", 8 adjacencies, seqnum 1915721 LSP 19.74.B4.5C at level 1, hostname "ap8132-74B45C", 8 adjacencies, seqnum 1468227 LSP 4D.80.C2.AC at level 1, hostname "ap7532-80C2AC", 8 adjacencies, seqnum 649241 LSP 4D.83.30.A4 at level 1, hostname "ap7522-8330A4", 8 adjacencies, seqnum 202818 LSP 4D.84.A2.24 at level 1, hostname "ap7562-84A224", 8 adjacencies, seqnum 380337 LSP 68.88.0D.A7 at level 1, hostname "rfs4000-880DA7", 8 adjacencies, seqnum 1494520 LSP 68.99.BB.7C at level 1, hostname "ap7131-99BB7C", 8 adjacencies, seqnum 831529 nx9500-6C8809#

nx9500-6C8809#connect mint-id ?

MINT-ID MiNT ID of device to connect to nx9500-6C8809#connect mint-id 19.6D.B5.D4 Entering character mode Escape character is '^]'. RFS6000 release 5.9.0.0-012D rfs6000-81742D login: admin Password:

rfs6000-81742D>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 31 PRIVILEGED EXEC MODE COMMANDS 3.1.11 copy Privileged Exec Mode Commands Copies a file (config,log,txt...etc) from any location to the access point, wireless controller, or service platform and vice-versa NOTE: Copying a new config file to an existing running-config file merges it with the existing running-config file on the wireless controller. Both the existing running-config and the new config file are applied as the current running-config. Copying a new config file to a start-up config file replaces the existing start-up config file with the parameters of the new file. It is better to erase the existing start-up config file and then copy the new config file to the startup config. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax copy [<SOURCE-FILE>|<SOURCE-URL>] [<DESTINATION-FILE>|<DESTINATION-URL>]

Parameters copy [<SOURCE-FILE>|<SOURCE-URL>] [<DESTINATION-FILE>|<DESTINATION-URL>]

Specify the source file to copy.

<SOURCE-FILE>

<SOURCE-URL>

Specify the source files location (URL).

<DESTINATION-FILE> Specify the destination file to copy to.

<DESTINATION-URL>

Specify the destination files location (URL). Example Transferring file snmpd.log to remote TFTP server. rfs6000-81742D#copy flash:/log/snmpd.log tftp://10.233.89.183:/snmpd.log Accessing running-config file from remote TFTP server into switch running-config. rfs6000-81742D#copy tftp://10.233.89.183:/running-config running-config Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 32 PRIVILEGED EXEC MODE COMMANDS 3.1.12 cpe Privileged Exec Mode Commands Enables a WiNG controller to perform certain operations on Customer Premises Equipment (CPEs) through an adopted T5 controller A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS wireless controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5s management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the IPX operating system. These CPEs use a Digital Subscriber Line

(DSL) as their high speed Internet access mechanism using the CPEs physical wallplate connection and phone jack. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax cpe [boot|reload|upgrade]

cpe boot system cpe [<1-24>|all] [primary|secondary] {on <T5-DEVICE-NAME>}

cpe [reload|upgrade <IMAGE-LOCATION>] cpe [<1-24>|all] {on <T5-DEVICE-NAME>}

NOTE: These commands can also be executed on the T5 profile and device context. For more information, see T5 Profile Config Commands. Parameters cpe boot system cpe [<1-24>|all]

cpe boot system cpe [<1-24>|all] [primary|secondary] {on <T5-DEVICE-NAME>}

Changes the image used by a CPE to boot. When reloading, the CPE uses the specified image. Identifies the CPE(s) on which this change is implemented

<1-24> Reloads only those CPEs whose IDs have been specified. Specify the ID from

[primary|secondary]

on <T5-DEVICE-

NAME>

1 - 24. all Reloads all CPEs Select the next boot image primary Uses the primary image when reloading secondary Uses the secondary image when reloading Optional. Performs this operation on a specified T5 device

<T5-DEVICE-NAME> Specify the T5 devices hostname. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 33 PRIVILEGED EXEC MODE COMMANDS cpe [reload|upgrade <IMAGE-LOCATION>] cpe [<1-24>|all] {on <T5-DEVICE-NAME>}

cpe [reload|

upgrade

<IMAGE-LOCATION>]

Performs the following operations on CPEs reload Reloads the device upgrade <IMAGE-LOCATION> Upgrades the device

<IMAGE-LOCATION> Specify the location of the firmware image. Both IPv4 and IPv6 addresses are supported. Use one of the following options to provide the location:

IPv4 URLs:

tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file http://<hostname|IP>[:port]/path/file cf:/path/file usb<n>:/path/file IPv6 URLs:

tftp://<hostname|[IPv6]>[:port]/path/file ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file http://<hostname|[IPv6]>[:port]/path/file cpe [<1-24>|all]

on <T5-DEVICE-

NAME>

Note: After specifying the operation to perform, identify the device(s). Identifies the CPE(s) on which the operation is performed

<1-24> Configures the CPEs ID from 1 - 24 all Configures all CPEs Optional. Performs this operation on a specified T5 device

<T5-DEVICE-NAME> Specify the T5 devices hostname. Example nx9500-6C8809#show t5 cpe boot on t5-ED7C6C

--------------------------------------------------------------------------------

--------------------

DEVICE PRIMARY VERSION SECONDARY VERSION NEXT BOOT UPGRADE STATUS UPGRADE PROGRESS %

--------------------------------------------------------------------------------

--------------------

cpe1 5.4.2.0-010R 5.4.2.0-006B primary none 0 cpe2 5.4.2.0-010R 5.4.2.0-006B primary none 0

--------------------------------------------------------------------------------

--------------------

nx9500-6C8809#

nx9500-6C8809#cpe boot system cpe 1 secondary on t5-ED7C6C Updated T5 CPE system boot partition nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 34 PRIVILEGED EXEC MODE COMMANDS 3.1.13 create-cluster Privileged Exec Mode Commands Creates a new device cluster, with the specified name, and assigns it an IP address and routing level A cluster (or redundancy group) is a set of controllers or service platforms (nodes) uniquely defined by a profile configuration. Within the cluster, members discover and establish connections to other members and provide wireless network self-healing support in the event of member's failure. A cluster's load is typically distributed evenly amongst its members. An administrator needs to define how often the profile is load balanced for radio distribution, as radios can come and go and members join and exit the cluster. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}

Parameters create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}

create-cluster name

<CLUSTER-NAME>

Creates a cluster Configures the cluster name

<CLUSTER-NAME> Specify a cluster name. Define a name for the cluster name unique to its configuration or profile support requirements. The name cannot exceed 64 characters. ip <IP>

level [1|2]

Specifies the devices IP address used for cluster creation

<IP> Specify the devices IP address in the A.B.C.D format. Optional. Configures the routing level for this cluster 1 Configures level 1 (local) routing 2 Configures level 2 (inter-site) routing Example rfs4000-229D58#create-cluster name TechPubs ip 192.168.13.8 level 2

... creating cluster

... committing the changes

... saving the changes Please Wait .

[OK]

rfs4000-229D58#

rfs4000-229D58#show cluster configuration Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 35 PRIVILEGED EXEC MODE COMMANDS Cluster Configuration Information Name : TechPubsLAN Configured Mode : Active Master Priority : 128 Force configured state : Disabled Force configured state delay : 5 minutes Handle STP : Disabled Radius Counter DB Sync Time : 5 minutes rfs4000-229D58#

rfs4000-229D58#show context

!

! Configuration of RFS4000 version 5.9.1.0-012D

!

!

version 2.5

!

!

firewall-policy default no ip dos tcp-sequence-past-window alg sip

!

!

mint-policy global-default router packet priority 6

!

radio-qos-policy default

!

!

management-policy default telnet http server https server no ftp

--More--

rfs4000-229D58#

Related Commands cluster join-cluster Initiates the cluster context. The cluster context provides centralized management to configure all cluster members from any one member. Adds a wireless controller, access point, or service platform, as cluster member, to an existing cluster of devices Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 36 PRIVILEGED EXEC MODE COMMANDS 3.1.14 crypto Privileged Exec Mode Commands Enables digital certificate configuration and RSA Keypair management. Digital certificates are issued by CAs and contain user or device specific information, such as name, public key, IP address, serial number, company name, etc. Use this command to generate, delete, export, or import encrypted RSA Keypairs and generate Certificate Signing Request (CSR). This command also enables trustpoint configuration. Trustpoints contain the CAs identity and configuration parameters. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax crypto [key|pki]

crypto key [export|generate|import|zeroize]

crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL>

{background|on|passphrase}

crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|passphrase

<KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}

crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL>

{background|on|passphrase}

crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|passphrase

<KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}

crypto pki [authenticate|export|generate|import|zeroize]

crypto pki authenticate <TRUSTPOINT-NAME> <LOCATION-URL> {background} {(on

<DEVICE-NAME>)}

crypto pki export [request|trustpoint]

crypto pki export request [generate-rsa-key|short|use-rsa-key] <RSA-KEYPAIR-NAME>

[autogen-subject-name|subject-name]

crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>

autogen-subject-name (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-

address <IP>) crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|

use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE>

<CITY> <ORGANIZATION> <ORGANIZATION-UNIT> (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>, fqdn <FQDN>,ip-address <IP>) crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL>

{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME)}

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 37 PRIVILEGED EXEC MODE COMMANDS crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key]

<RSA-KEYPAIR-NAME> [autogen-subject-name|subject-name]

crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key]

<RSA-KEYPAIR-NAME> autogen-subject-name {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-

address <IP>,on <DEVICE-NAME>)}

crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key]

<RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY>

<ORGANIZATION> <ORGANIZATION-UNIT> {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address

<IP>,on <DEVICE-NAME>)}

crypto pki import [certificate|crl|trustpoint]

crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL>

{background} {(on <DEVICE-NAME>}) crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL>

{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}

Parameters crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|passphrase

<KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

key export rsa

<RSA-KEYPAIR-

NAME>

<EXPORT-TO-URL>

background passphrase

<KEY-PASSPHRASE>

background on <DEVICE-NAME>

Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key. Exports an existing RSA Keypair to a specified destination

<RSA-KEYPAIR-NAME> Specify the RSA Keypair name. Specify the RSA Keypair destination address. Both IPv4 and IPv6 address formats are supported. After specifying the destination address (where the RSA keypair is exported), configure one of the following parameters: background or passphrase. Optional. Performs export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on. Optional. Encrypts RSA Keypair before exporting

<KEY-PASSPHRASE> Specify a passphrase to encrypt the RSA keypair. background Optional. Performs export operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the export on. The following parameter is recursive and common to all of the above parameters:

on <DEVICE-NAME> Optional. Performs export operation on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}

key Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 38 PRIVILEGED EXEC MODE COMMANDS generate rsa

<RSA-KEYPAIR-

NAME> [2048|4096]

Generates a new RSA Keypair

<RSA-KEYPAIR-NAME> Specify the RSA Keypair name.

[2048|4096] Sets the size of the RSA key in bits. The options are 2048 bits and 4096 bits. The default size is 2048 bits. on <DEVICE-NAME>

After specifying the key size, optionally specify the device (access point or controller) to generate the key on. Optional. Generates the new RSA Keypair on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL>

{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

key Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key. Imports a RSA Keypair from a specified source

<RSA-KEYPAIR-NAME> Specify the RSA Keypair name. import rsa

<RSA-KEYPAIR-

NAME>

<IMPORT-FROM-URL> Specify the RSA Keypair source address. Both IPv4 and IPv6 address formats are background passphrase

<KEY-PASSPHRASE>

background on <DEVICE-NAME>

supported. After specifying the source address (where the RSA Keypair is imported from), configure one of the following parameters: background or passphrase. Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on. Optional. Decrypts the RSA Keypair after importing

<KEY-PASSPHRASE> Specify the passphrase to decrypt the RSA keypair. background Optional. Performs import operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the import on. The following parameter is recursive and common to the background and passphrase keywords:

on <DEVICE-NAME> Optional. Performs import operation on a specific device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}

key zeroize rsa

<RSA-KEYPAIR-

NAME>

force Enables RSA Keypair management. Use this command to export, import, generate, or delete a RSA key. Deletes a specified RSA Keypair

<RSA-KEYPAIR-NAME> Specify the RSA Keypair name. Note: All device certificates associated with this key will also be deleted. Optional. Forces deletion of all certificates associated with the specified RSA Keypair. Optionally specify a device on which to force certificate deletion. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 39 PRIVILEGED EXEC MODE COMMANDS on <DEVICE-NAME>

The following parameter is recursive and optional:

on <DEVICE-NAME> Optional. Deletes all certificates associated with the RSA Keypair on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. crypto pki authenticate <TRUSTPOINT-NAME> <URL> {background} {(on <DEVICE-

NAME>)}

pki authenticate

<TRUSTPOINT-NAME>

<URL>

background on <DEVICE-NAME>

Enables Private Key Infrastructure (PKI) management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated Certificate Authority (CA) certificates. Authenticates a trustpoint and imports the corresponding CA certificate

<TRUSTPOINT-NAME> Specify the trustpoint name. Specify CAs location. Both IPv4 and IPv6 address formats are supported. Note: The CA certificate is imported from the specified location. Optional. Performs authentication in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the authentication on. The following parameter is recursive and optional:

on <DEVICE-NAME> Optional. Performs authentication on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME>

autogen-subject-name (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-

address <IP>) pki export request

[generate-rsa-key|

use-rsa-key]

<RSA-KEYPAIR-

NAME>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Exports CSR to the CA for digital identity certificate. The CSR contains applicants details and RSA Keypairs public key. Generates a new RSA Keypair or uses an existing RSA Keypair generate-rsa-key Generates a new RSA Keypair for digital authentication use-rsa-key Uses an existing RSA Keypair for digital authentication

<RSA-KEYPAIR-NAME> If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name. autogen-subject-name Auto generates subject name from configuration parameters. The subject name

<EXPORT-TO-URL>

email

<SEND-TO-EMAIL>

fqdn <FQDN>

ip-address <IP>

identifies the certificate. Specify the CAs location. Both IPv4 and IPv6 address formats are supported. Note: The CSR is exported to the specified location. Exports CSR to a specified e-mail address

<SEND-TO-EMAIL> Specify the CAs e-mail address. Exports CSR to a specified Fully Qualified Domain Name (FQDN)

<FQDN> Specify the CAs FQDN. Exports CSR to a specified device or system

<IP> Specify the CAs IP address. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 40 PRIVILEGED EXEC MODE COMMANDS crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-

key]|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE>

<CITY> <ORGANIZATION> <ORGANIZATION-UNIT> (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>, fqdn <FQDN>,ip-address <IP>) pki export request

[generate-rsa-key|

short [generate-rsa-

key|use-rsa-key]|

use-rsa-key]

<RSA-KEYPAIR-

NAME>

subject-name

<COMMON-NAME>

<COUNTRY>

<STATE>

<CITY>

<ORGANIZATION>

<ORGANIZATION-

UNIT>

<EXPORT-TO-URL>

email

<SEND-TO-EMAIL>

fqdn <FQDN>

ip-address <IP>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Exports CSR to the CA for a digital identity certificate. The CSR contains applicants details and RSA Keypairs public key. Generates a new RSA Keypair or uses an existing RSA Keypair generate-rsa-key Generates a new RSA Keypair for digital authentication short [generate-rsa-key|use-rsa-key] Generates and exports a shorter version of the CSR generate-rsa-key Generates a new RSA Keypair for digital authentication. If gen-

erating a new RSA Keypair, specify a name for it. use-rsa-key Uses an existing RSA Keypair for digital authentication. If using an existing RSA Keypair, specify its name. use-rsa-key Uses an existing RSA Keypair for digital authentication

<RSA-KEYPAIR-NAME> If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name. Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate

<COMMON-NAME> Specify the common name used with the CA certificate. The name should enable you to identify the certificate easily (2 to 64 characters in length). Sets the deployment country code (2 character ISO code) Sets the state name (2 to 64 characters in length) Sets the city name (2 to 64 characters in length) Sets the organization name (2 to 64 characters in length) Sets the organization unit (2 to 64 characters in length) Specify the CAs location. Both IPv4 and IPv6 address formats are supported. The CSR is exported to the specified location. Exports CSR to a specified e-mail address

<SEND-TO-EMAIL> Specify the CAs e-mail address. Exports CSR to a specified FQDN

<FQDN> Specify the CAs FQDN. Exports CSR to a specified device or system

<IP> Specify the CAs IP address. crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL>

{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

pki Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 41 PRIVILEGED EXEC MODE COMMANDS export trustpoint

<TRUSTPOINT-NAME>

<EXPORT-TO-URL>

background passphrase

<KEY-PASSPHRASE>

background on <DEVICE-NAME>

Exports a trustpoint along with CA certificate, Certificate Revocation List (CRL), server certificate, and private key

<TRUSTPOINT-NAME> Specify the trustpoint name (should be authenticated). Specify the destination address. Both IPv4 and IPv6 address formats are supported. The trustpoint is exported to the address specified here. Optional. Performs export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on. Optional. Encrypts the key with a passphrase before exporting

<KEY-PASSPHRASE> Specify the passphrase to encrypt the trustpoint. background Optional. Performs export operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the export on. The following parameter is recursive and common to the background and passphrase keywords:

on <DEVICE-NAME> Optional. Performs export operation on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key]

<RSA-KEYPAIR-NAME> autogen-subject-name {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-

address <IP>,on <DEVICE-NAME>)}

pki generate self-signed

<TRUSTPOINT-NAME>

[generate-rsa-key|

use-rsa-key]

<RSA-KEYPAIR-

NAME>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates. Generates a certificate and a trustpoint Generates a self-signed certificate and a trustpoint

<TRUSTPOINT-NAME> Specify a name for the certificate and its trustpoint. Generates a new RSA Keypair, or uses an existing RSA Keypair generate-rsa-key Generates a new RSA Keypair for digital authentication use-rsa-key Uses an existing RSA Keypair for digital authentication

<RSA-KEYPAIR-NAME> If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name. autogen-subject-name Auto generates the subject name from the configuration parameters. The subject email

<SEND-TO-EMAIL>

fqdn <FQDN>

ip-address <IP>

on <DEVICE-NAME>

name helps to identify the certificate. Optional. Exports the self-signed certificate to a specified e-mail address

<SEND-TO-EMAIL> Specify the e-mail address. Optional. Exports the self-signed certificate to a specified FQDN

<FQDN> Specify the FQDN. Optional. Exports the self-signed certificate to a specified device or system

<IP> Specify the devices IP address. Optional. Exports the self-signed certificate on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 42 PRIVILEGED EXEC MODE COMMANDS crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key]

<RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY>

<ORGANIZATION> <ORGANIZATION-UNIT> {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address

<IP>,on <DEVICE-NAME>)}

pki generate self-signed

<TRUSTPOINT-NAME>

[generate-rsa-key|

use-rsa-key]

<RSA-KEYPAIR-

NAME>

subject-name

<COMMON-NAME>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates. Generates a self-signed certificate and a trustpoint

<TRUSTPOINT-NAME> Specify a name for the certificate and its trustpoint. Generates a new RSA Keypair, or uses an existing RSA Keypair generate-rsa-key Generates a new RSA Keypair for digital authentication use-rsa-key Uses an existing RSA Keypair for digital authentication

<RSA-KEYPAIR-NAME> If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name. Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate

<COMMON-NAME> Specify the common name used with this certificate. The name should enable you to identify the certificate easily and should not exceed 2 to 64 characters in length.

<COUNTRY>

<STATE>

<CITY>

<ORGANIZATION>

<ORGANIZATION-

UNIT>

email

<SEND-TO-EMAIL>

fqdn <FQDN>

ip-address <IP>

Sets the deployment country code (2 character ISO code) Sets the state name (2 to 64 characters in length) Sets the city name (2 to 64 characters in length) Sets the organization name (2 to 64 characters in length) Sets the organization unit (2 to 64 characters in length) Optional. Exports the self-signed certificate to a specified e-mail address

<SEND-TO-EMAIL> Specify the e-mail address. Optional. Exports the self-signed certificate to a specified FQDN

<FQDN> Specify the FQDN. Optional. Exports the self-signed certificate to a specified device or system

<IP> Specify the devices IP address. crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL>

{background} {(on <DEVICE-NAME>)}

pki import

[certificate|crl]

<TRUSTPOINT-NAME>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Imports certificates, Certificate Revocation List (CRL), or a trustpoint to the selected device Imports a signed server certificate or CRL certificate Imports signed server certificate crl Imports CRL

<TRUSTPOINT-NAME> Specify the trustpoint name (should be authenticated).

<IMPORT-FROM-URL> Specify the signed server certificate or CRL source address. Both IPv4 and IPv6 address formats are supported. The server certificate or the CRL (based on the parameter passed in the preceding step) is imported from the location specified here. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 43 PRIVILEGED EXEC MODE COMMANDS background on <DEVICE-NAME>

Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on. The following parameter is recursive and optional:

on <DEVICE-NAME> Optional. Performs import operation on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL>

{background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

pki import trustpoint

<TRUSTPOINT-NAME>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Imports certificates, CRL, or a trustpoint to the selected device Imports a trustpoint and its associated CA certificate, server certificate, and private key

<TRUSTPOINT-NAME> Specify the trustpoint name (should be authenticated).

<IMPORT-FROM-URL> Specify the trustpoint source address. Both IPv4 and IPv6 address formats are background passphrase

<KEY-PASSPHRASE>

background on <DEVICE-NAME>

supported. Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on. Optional. Decrypts trustpoint with a passphrase after importing

<KEY-PASSPHRASE> Specify the passphrase. After specifying the passphrase, optionally specify the device to perform import on. background Optional. Performs import operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the import on. The following parameter is recursive and optional:

on <DEVICE-NAME> Optional. Performs import operation on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}

pki zeroize trustpoint

<TRUSTPOINT-NAME>

del-key on <DEVICE-NAME>

Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Deletes a trustpoint and its associated CA certificate, server certificate, and private key

<TRUSTPOINT-NAME> Specify the trustpoint name (should be authenticated). Optional. Deletes the private key associated with the server certificate. Optionally specify the device to perform deletion on. The following parameter is recursive and optional:

on <DEVICE-NAME> Optional. Deletes the trustpoint on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 44 PRIVILEGED EXEC MODE COMMANDS Usage Guidelines The system supports both IPv4 and IPv6 address formats. Provide source and destination locations using any one of the following options:

IPv4 URLs:

tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>@<hostname|IP>[:port]>/path/file http://<hostname|IP>[:port]/path/file cf:/path/file usb<n>:/path/file tftp://<hostname|[IPv6]>[:port]/path/file ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file http://<hostname|[IPv6]>[:port]/path/file IPv6 URLs:

Example rfs6000-81742D#crypto key generate rsa key 1025 RSA Keypair successfully generated rfs6000-81742D#

rfs6000-81742D#crypto key import rsa test123 url passphrase word background RSA key import operation is started in background rfs6000-81742D#

rfs6000-81742D#crypto pki generate self-signed word generate-rsa-key word autogen-

subject-name fqdn word Successfully generated self-signed certificate rfs6000-81742D#

rfs6000-81742D#crypto pki zeroize trustpoint word del-key Successfully removed the trustpoint and associated certificates

%Warning: Applications associated with the trustpoint will start using default-

trustpoint rfs6000-81742D#

rfs6000-81742D#crypto pki authenticate word url background Import of CA certificate started in background rfs6000-81742D#

rfs6000-81742D#crypto pki import trustpoint word url passphrase word Import operation started in background rfs6000-81742D#

Related Commands no Removes server certificates, trustpoints and their associated certificates Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 45 PRIVILEGED EXEC MODE COMMANDS 3.1.15 crypto-cmp-cert-update Privileged Exec Mode Commands Triggers a Certificate Management Protocol (CMP) certificate update on a specified device or devices Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}

Parameters crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}

crypto-cmp-cert-update

<TRUSTPOINT-NAME>

{on <DEVICE-NAME>}

Triggers a CMP certificate update on a specified device or devices

<TRUSTPOINT-NAME> Specify the target trustpoint name. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate. Use the crypto-

cmp-policy context to configure the trustpoint. on <DEVICE-NAME> Optional. Triggers a CMP certificate update and response on a specified device or devices. Specify the name of the AP, wireless controller, or service platform. Multiple devices can be provided as a comma separated list.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example rfs4000-229D58#crypto-cmp-cert-update test on B4-C7-99-71-17-28 CMP Cert update success rfs4000-229D58#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 46 PRIVILEGED EXEC MODE COMMANDS 3.1.16 database Privileged Exec Mode Commands Enables automatic repairing (vacuuming) and dropping of databases (Captive-portal and NSight). Vacuuming a database refers to the process of finding and reclaiming space left over from previous DELETE statements. If enforcing authenticated access to the database, use this command to generate the keyfile. Every keyfile has a set of associated users having a username and password. Database access is provided only if the keyfile and the user credentials entered during database longin match. NOTE: For information on enabling database authentication, see Enabling Database Authentication. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax database [drop|keyfile|repair]

database drop [all|captive-portal|nsight]

database repair {on <DEVICE-NAME>}

database keyfile [export|generate|import|zerzoise]

database keyfile generate database keyfile [export|import] <URL>

database keyfile zerzoise Parameters database drop [all|captive-portal|nsight]

database drop

[all|captive-portal|

nsight]

Drops (deletes) all or a specified database. Execute the command on the database host. all Drops all databases, captive portal and NSight. captive-portal Drops captive-portal database only nsight Drops NSight database only database repair {on <DEVICE-NAME>}

database repair on <DEVICE-NAME>

Enables automatic repairing of all databases. Execute the command on the database host. on <DEVICE-NAME> Optional. Specifies the name of the access point, wireless controller, or service platform hosting the database. When specified, databases on the specified device are periodically checked through to identify and remove obsolete data documents.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. If no device is specified, the system repairs all databases. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 47 PRIVILEGED EXEC MODE COMMANDS database keyfile [generate|zerzoise]

database keyfile

[generate|zerzoise]

Enables management of database keyfiles. This command is part of a series of configurations that are required to enforce authentication on the database. Use this command to generate keyfiles associated with the database. After generating the keyfile, create the users having the database access. For information on creating database users, see service. generate Generates the keyfile. Execute the command on the primary database host. zerzoise Deletes a keyfile. database keyfile [export|import] <URL>

database keyfile

[export|import]

<URL>

Enables database keyfile management. This command is part of a series of configurations required to enforce database authentication. Use this command to exchange keyfiles between replica set members. export Exports the keyfile to a specified location on an FTP/SFTP/TFTP server. Execute the command on the primary database host. import Imports the keyfile from a specified location. Execute the command on the replica set members. The following parameter is common to both of the above keywords:

<URL> Specify the location to/from where the keyfile is to be exported/imported. Use one of the following options:

ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file tftp://<hostname|IP>[:port]/path/file database keyfile zerzoise database keyfile zerzoise Enables the management of database keyfiles zerzoise Deletes an existing keyfile. Example nx9500-6C8809#database repair on nx9500-6C8809 nx9500-6C8809#

nx9500-6C8809#database keyfile generate Database keyfile successfully generated nx9500-6C8809#

nx9500-6C8809#database keyfile zeroize Database keyfile successfully removed nx9500-6C8809#

vx9000-1A1809#database keyfile generate Database keyfile successfully generated vx9000-1A1809#

vx9000-1A1809#database keyfile export ftp://1.1.1.111/db-key Database keyfile successfully exported vx9000-1A1809#

vx9000-D031F2#database keyfile import ftp://1.1.1.111/db-key Database keyfile successfully imported vx9000-D031F2#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 48 PRIVILEGED EXEC MODE COMMANDS Related Commands database-backup database-restore Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server Restores a previously exported database [captive-portal and/or NSight]

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 49 PRIVILEGED EXEC MODE COMMANDS 3.1.17 database-backup Privileged Exec Mode Commands Backs up captive-portal/NSight database to a specified location and file on an FTP or SFTP server Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntaxf database-backup database [captive-portal|nsight|nsight-placement-info] <URL>

database-backup database [captive-portal|nsight] <URL>

database-backup database nsight-placement-info <URL>

Parameters database-backup database [captive-portal|nsight] <URL>

database-backup database [captive-

portal|nsight]

<URL>

Backs up captive portal and/or NSight database to a specified location. Select the database to backup:

captive-portal Backs up captive portal database nsight Backs up NSight database After specifying the database type, configure the destination location. Configures the destination location. The database is backed up at the specified location. Specify the location URL in one of the following formats:

ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz database-backup database nsight-placement-info <URL>

database-backup database nsight-placement-

info <URL>

Backs up the NSight access point placement related details to a specified location

<URL> Specify the URL in one of the following formats:

ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz tftp://<hostname|IP>[:port]/path/file.tar.gz Example NS-DB-nx9510-6C87EF#database-backup database nsight tftp://192.168.9.50/testbckup NS-DB-nx9510-6C87EF#show database backup-status Last Database Backup Status : In_Progress(Starting tftp transfer.) Last Database Backup Time : 2017-04-17 12:48:05 NS-DB-nx9510-6C87EF#show database backup-status Last Database Backup Status : Successful Last Database Backup Time : Mon Apr 17 12:48:08 T 2017 NS-DB-nx9510-6C87EF#Apr 17 12:48:17 2017: NS-DB-nx9510-6C87EF : %DATABASE-6-

OPERATION_COMPLETE: backup for database nsight successful NS-DB-nx9510-6C87EF#

NS-DB-nx9510-6C87EF#database-backup database nsight-placement-info tftp://192.16 8.9.50/plmentinfo NS-DB-nx9510-6C87EF#show database backup-status Last Database Backup Status : Successful Last Database Backup Time : Mon Apr 17 12:48:48 IST 2017 NS-DB-nx9510-6C87EF#Apr 17 12:49:03 2017: NS-DB-nx9510-6C87EF : %DATABASE-6-

OPERATION_COMPLETE: backup for database nsight-placement-info successful NS-DB-nx9510-6C87EF#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 50 PRIVILEGED EXEC MODE COMMANDS Related Commands database database-restore Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and NSight) Restores a previously exported (backed up) database [captive-portal and/or NSight]

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 51 PRIVILEGED EXEC MODE COMMANDS 3.1.18 database-restore Privileged Exec Mode Commands Restores a previously exported database [captive-portal and/or NSight]. Previously exported databases

(backed up to a specified FTP or SFTP server) are restored from the backed-up location to the original database. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax database-restore database [captive-portal|nsight] <URL>

Parameters database-restore database [captive-portal|nsight] <URL>

database-restore database

[captive-portal|

nsight]

<URL>

Example Restores previously exported (backed up) captive-portal and/or NSight database. Specify the database type:

captive-portal Restores captive portal database nsight Restores NSight database After specifying the database type, configure the destination location and file name from where the files are restored. Configures the destination location. The database is restored from the specified location. Specify the location URL in one of the following formats:

ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz nx9500-6C8809#database-restore database nsight ftp://anonymous:anonymous@192.168.13.10/backups/nsight/nsight.tar.gz Related Commands database database-backup Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and NSight) Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 52 PRIVILEGED EXEC MODE COMMANDS 3.1.19 delete Privileged Exec Mode Commands Deletes a specified file from the devices file system Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax delete [/force <FILE>|/recursive <FILE>|<FILE>]

Parameters delete [/force <FILE>|/recursive <FILE>|<FILE>]

/force <FILE>

/recursive <FILE>

<FILE>

Forces deletion without a prompt Performs a recursive delete Specifies the file name Deletes the file specified by the <FILE> parameter Example rfs6000-81742D#delete flash:/out.tar flash:/out.tar.gz Delete flash:/out.tar [y/n]? y Delete flash:/out.tar.gz [y/n]? y rfs6000-81742D#delete /force flash:/tmp.txt rrfs6000-81742D#

rfs6000-81742D#delete /recursive flash:/backup/

Delete flash:/backup//fileMgmt_350_180B.core

[y/n]? y Delete flash:/backup//fileMgmt_350_18212X.core_bk

[y/n]? n Delete flash:/backup//imish_1087_18381X.core.gz

[y/n]? n rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 53 PRIVILEGED EXEC MODE COMMANDS 3.1.20 device-upgrade Privileged Exec Mode Commands Enables firmware upgrade on an adopted device or a set of adopted devices (access points, wireless controllers, and service platforms) NOTE: A NOC controllers capacity is equal to, or higher than that of a site controller. The following devices can be deployed at NOC and sites:

NOC controller NX95XX (NX9500 and NX9510), NX9600 Site controller RFS4000, RFS6000, NX5500, NX75XX, or NX95XX Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax device-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|

ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|

ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|cancel-upgrade|load-

image|rf-domain]

device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME>

{no-reboot|reboot-time <TIME>}}

device-upgrade all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME>

{no-reboot|reboot-time <TIME>}} {(staggered-reboot)}

device-upgrade [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|

ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|

nx5500|nx75xx|nx9000|nx9600|vx9000] all {force|no-reboot|reboot-time <TIME>|

upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}

device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|

ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|

ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx75xx|nx9000|nx9600|vx9000|on rf-domain

[<RF-DOMAIN-NAME>|all]]

device-upgrade load-image [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|

ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|

rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {<IMAGE-URL>|on <DEVICE-OR-

DOMAIN-NAME>}

device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location

<WORD>] [all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|

ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|

nx5500|nx75xx|nx9000|nx9600|vx9000] {(<MAC/HOSTNAME>|force|no-reboot|

from-controller|reboot-time <TIME>|staggered-reboot|upgrade-time <TIME>)}

Parameters device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME>

{no-reboot|reboot-time <TIME>}}

<MAC/HOSTNAME>

Upgrades firmware on the device identified by the <MAC/HOSTNAME> keyword

<MAC/HOSTNAME> Specify the devices MAC address or hostname. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 54 PRIVILEGED EXEC MODE COMMANDS no-reboot reboot-time <TIME>

upgrade-time <TIME>

{no-reboot|

reboot-time <TIME>}

Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted) Optional. Schedules an automatic reboot after a successful upgrade

<TIME> Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. Optional. Schedules an automatic device firmware upgrade on a specified day and time

<TIME> Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:

no-reboot Optional. Disables automatic reboot after a successful upgrade

(the device must be manually restarted) reboot-time <TIME> Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. device-upgrade all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-

reboot|reboot-time <TIME>}} {(staggered-reboot)}

all force no-reboot reboot-time <TIME>

upgrade-time <TIME>

{no-reboot|

reboot-time <TIME>}

staggered-reboot Upgrades firmware on all devices Optional. Select this option to force upgrade on the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot. Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted) Optional. Schedules an automatic reboot after a successful upgrade

<TIME> Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. Optional. Schedules an automatic device firmware upgrade on all devices on a specified day and time

<TIME> Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:

no-reboot Optional. Disables automatic reboot after a successful upgrade

(the device must be manually restarted) reboot-time <TIME> Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. This keyword is recursive and common to all of the above. Optional. Enables staggered device reboot (one at a time), without network impact device-upgrade [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|

ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|

rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] all {force|no-reboot|reboot-time

<TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}

device-upgrade

<DEVICE-TYPE> all Upgrades firmware on all devices of a specific type. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. After selecting the device type, schedule an automatic upgrade and/or an automatic reboot. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 55 PRIVILEGED EXEC MODE COMMANDS force no-reboot reboot-time <TIME>

Optional. Select this option to force upgrade on selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-

time, or staggered-reboot. Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted) Optional. Schedules an automatic reboot after a successful upgrade

<TIME> Optional. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. upgrade-time <TIME>

{no-reboot|

reboot-time <TIME>}

Optional. Schedules an automatic firmware upgrade on all devices of the specified type, on a specified day and time

<TIME> Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:

no-reboot Optional. Disables automatic reboot after a successful upgrade

(the device must be manually restarted) reboot-time <TIME> Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. staggered-reboot This keyword is recursive and common to all of the above. Optional. Enables staggered device reboot (one at a time), without network impact device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|

ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|

ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|

on rf-domain [<RF-DOMAIN-NAME>|all]]

cancel-upgrade Cancels a scheduled firmware upgrade based on the parameters passed. This command provides the following options to cancel scheduled firmware upgrades:

Cancels upgrade on specific device(s). The devices are identified by their MAC addresses or hostnames. Cancels upgrade on all devices within the network Cancels upgrade on all devices of a specific type. Specify the device type. Cancels upgrade on specific device or all device(s) within a specific RF Domain or all RF Domains. Specify the RF Domain name. cancel-upgrade

[<MAC/HOSTNAME>|

all]

Cancels a scheduled firmware upgrade on a specified device or on all devices

<MAC/HOSTNAME> Cancels a scheduled upgrade on the device identified by the

<MAC/HOSTNAME> keyword. Specify the devices MAC address or hostname. cancel-upgrade

<DEVICE-TYPE> all cancel-upgrade on rf-domain

[<RF-DOMAIN-

NAME>|

all]

all Cancels scheduled upgrade on all devices Cancels scheduled firmware upgrade on all devices of a specific type. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000. Cancels scheduled firmware upgrade on all devices in a specified RF Domain or all RF Domains

<RF-DOMAIN-NAME> Cancels scheduled device upgrade on all devices in a specified RF Domain. Specify the RF Domain name. all Cancels scheduled device upgrade on all devices across all RF Domains Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 56 PRIVILEGED EXEC MODE COMMANDS device-upgrade load-image [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|

ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|

rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {<IMAGE-URL>|on <DEVICE-OR-

DOMAIN-NAME>}

load-image

<DEVICE-TYPE>

Loads device firmware image from a specified location. Select the device type and provide the location of the required device firmware image.

<DEVICE-TYPE> Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. After specifying the device type, provide the location of the required device firmware image.

<IMAGE-URL>

Specify the devices firmware image location in one of the following formats:

IPv4 URLs:

tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file http://<hostname|IP>[:port]/path/file cf:/path/file usb<n>:/path/file IPv6 URLs:

tftp://<hostname|[IPv6]>[:port]/path/file ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file http://<hostname|[IPv6]>[:port]/path/file on <DEVICE-OR-

DOMAIN-NAME>

Optional. Specifies the name of a device or RF Domain. The image, of the specified device type is loaded from the device specified here. In case of an RF Domain, the image available on the RF Domain manager is loaded.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>] [all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|

ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|

rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {(<MAC/HOSTNAME>|force|from-

controller|no-reboot|reboot-time <TIME>|staggered-reboot|upgrade-time <TIME>)}

rf-domain

[<RF-DOMAIN-

NAME>|all|

containing <WORD>|

filter location

<WORD>]

Upgrades firmware on devices in a specified RF Domain or all RF Domains. Devices within a RF Domain are upgraded through the RF Domain manager.

<RF-DOMAIN-NAME> Upgrades devices in the RF Domain identified by the <RF-

DOMAIN-NAME> keyword.

<RF-DOMAIN-NAME> Specify the RF Domain name. all Upgrades devices across all RF Domains containing <WORD> Filters RF Domains by their names. RF Domains with names containing the sub-string identified by the <WORD> keyword are filtered. Devices on the filtered RF Domains are upgraded. filter location <WORD> Filters devices by their location. All devices with location matching the <WORD> keyword are upgraded. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 57 PRIVILEGED EXEC MODE COMMANDS

<DEVICE-TYPE>

<MAC/HOSTNAME>

force from-controller no-reboot

{staggered-reboot}

reboot-time <TIME>

{staggered-reboot}

staggered-reboot upgrade-time <TIME>

{no-reboot|

reboot-time <TIME>}

After specifying the RF Domain, select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. After specifying the RF Domain and the device type, configure any one of the following actions: force devices to upgrade, or initiate an upgrade through the adopting controller. Optional. Use this option to identify specific devices for upgradation. Specify the devices MAC address or hostname. The device should be within the specified RF Domain and of the specified device type. After identifying the devices to upgrade, configure any one of the following actions: force devices to upgrade, or initiate an upgrade through the adopting controller. Note: If no MAC address or hostname is specified, all devices of the type selected are upgraded. Optional. Select this option to force upgrade for the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or reboot-time. Optional. Upgrades a device through the adopted device. If initiating an upgrade through the adopting controller, optionally specify any one of the following options:

no-reboot, reboot-time, upgrade-time, or reboot-time. Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted) Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. This keyword is common to all of the above. Optional. Enables staggered reboot (one at a time), without network impact Optional. Schedules an automatic firmware upgrade

<TIME> Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. After a scheduled upgrade, the following actions can be performed:

no-reboot Optional. Disables automatic reboot after a successful upgrade

(the device must be manually restarted) reboot-time <TIME> Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format. Example nx9500-6C8809#show device-upgrade history on TechPubs

--------------------------------------------------------------------------------

-----------------

Device RESULT TIME RETRIES UPGRADED-BY LAST-UPDATE-ERROR

--------------------------------------------------------------------------------

-----------------

rfs6000-81742D done 2017-07-20 14:16:49 0 nx9500-6C8809 -

rfs6000-81742D done 2017-07-06 15:19:23 0 nx9500-6C8809 -

rfs6000-81742D done 2017-07-06 15:15:37 0 nx9500-6C8809 -

--More--

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 58 PRIVILEGED EXEC MODE COMMANDS nx9500-6C8809#device-upgrade load-image rfs6000 ftp://anonymous:anonymous@192.16 8.13.17/RFS6000-LEAN-5.9.1.0-017D.img

--------------------------------------------------------------------------------

CONTROLLER STATUS MESSAGE

--------------------------------------------------------------------------------

nx9500-6C8809 Success Successfully initiated load image

--------------------------------------------------------------------------------

nx9500-6C8809#

nx9500-6C8809#show device-upgrade load-image-status Download of rfs6000 firmware file is 50 percent complete nx9500-6C8809#

nx9500-6C8809#device-upgrade rfs6000-81742D

--------------------------------------------------------------------------------

CONTROLLER STATUS MESSAGE

--------------------------------------------------------------------------------

B4-C7-99-6C-88-09 Success Queued 1 devices to upgrade

--------------------------------------------------------------------------------

nx9500-6C8809#show device-upgrade status Number of devices currently being upgraded : 0 Number of devices waiting in queue to be upgraded : 1 Number of devices currently being rebooted : 0 Number of devices waiting in queue to be rebooted : 0 Number of devices failed upgrade : 0

--------------------------------------------------------------------------------

-------------------------

DEVICE STATE UPGRADE TIME REBOOT TIME PROGRESS RETRIES LAST UPDATE ERROR UPGRADED BY

--------------------------------------------------------------------------------

-------------------------

rfs6000-81742D waiting immediate immediate 0 0 -

nx9500-6C8809

--------------------------------------------------------------------------------

-------------------------

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 59 PRIVILEGED EXEC MODE COMMANDS 3.1.21 diff Privileged Exec Mode Commands Displays the differences between two files on a devices file system or a particular URL Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax diff [<FILE>|<URL>] [<FILE>|<URL>]

Parameters diff [<FILE>|<URL>] [<FILE>|<URL>]

<FILE>

<URL>

Example The first <FILE> is the source file for the diff command. The second <FILE> is used for comparison. The first <URL> is the source files URL. The second <URL> is the second files URL. nx9500-6C8809#diff startup-config running-config

--- startup-config

+++ running-config

@@ -1,12 +1,10 @@

+!### show running-config

!

! Configuration of NX9500 version 5.9.1.0-012D

!

!

version 2.5

!

-password-encryption-version 1.0

-inline-password-encryption

-password-encryption-key secret 2 776f9d6d5bb08fac753394d779cbc5a200000020a4ca26def55d4d77952308cd5e3afc66c06581bb 1e5af6d6b033fd664c363522

!

client-identity-group default load default-fingerprints

@@ -35,13 +33,13 @@

!

alias string $IN-Blr-EcoSpace-Floor-4 IBEF4

!

-alias encrypted-string $READ 2 LKSXiTieTV5hybKxfbd6JwAAAAZ/lakoqHh/ZfyHLJWzluTH

+alias encrypted-string $READ 2 1og6ZeMyEVJhybKxfbd6JwAAAAahnGq6RaJb70CEIbVpTYre

--More--

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 60 PRIVILEGED EXEC MODE COMMANDS 3.1.22 dir Privileged Exec Mode Commands Lists files on a devices file system Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dir {/all|/recursive|<DIR>|all-filesystems}

Parameters dir {/all|/recursive|<DIR>|all-filesystems}

/all

/recursive

<DIR>

all-filesystems Optional. Lists all files Optional. Lists files recursively Optional. Lists files in the named file path Optional. Lists files on all file systems Example nx9500-6C8809#dir flash:/

Directory of flash:/

-rw- 62937 Tue Nov 24 16:00:06 2015 run-config-backup.txt drwx Tue Nov 29 09:48:42 2016 crashinfo drwx Sat Sep 17 05:14:43 2016 upgrade drwx Mon Sep 28 09:48:33 2015 tmptpd drwx Wed Feb 15 11:53:07 2017 log drwx Wed Feb 15 11:02:55 2017 archived_logs drwx Tue May 24 22:23:54 2016 cache drwx Thu Feb 19 08:53:45 2015 floorplans

-rw- 42018304 Tue Sep 27 10:19:24 2016 in.tar drwx Tue Jan 17 10:02:01 2017 hotspot nx9500-6C8809#

nx9500-6C8809#dir all-filesystems Directory of flash:/

-rw- 62937 Tue Nov 24 16:00:06 2015 run-config-backup.txt drwx Tue Nov 29 09:48:42 2016 crashinfo drwx Sat Sep 17 05:14:43 2016 upgrade drwx Mon Sep 28 09:48:33 2015 tmptpd drwx Wed Feb 15 11:53:07 2017 log drwx Wed Feb 15 11:02:55 2017 archived_logs drwx Tue May 24 22:23:54 2016 cache drwx Thu Feb 19 08:53:45 2015 floorplans

-rw- 42018304 Tue Sep 27 10:19:24 2016 in.tar drwx Tue Jan 17 10:02:01 2017 hotspot Directory of nvram:/

lrwx 29 Tue Oct 27 16:22:21 2015 sensor_default_scan

--More--

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 61 PRIVILEGED EXEC MODE COMMANDS 3.1.23 disable Privileged Exec Mode Commands Turns off (disables) the privileged mode command set. This command returns to the User Executable mode. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax disable Parameters None Example rfs6000-81742D#disable rfs6000-81742D>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 62 PRIVILEGED EXEC MODE COMMANDS 3.1.24 edit Privileged Exec Mode Commands Edits a text file on the devices file system Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax edit <FILE>

Parameters edit <FILE>

<FILE>

Example Specify the name of the file to modify. rfs4000-880DA7#edit startup-config GNU nano 1.2.4 File: startup-config

!

! Configuration of RFS4000 version 5.9.1.0-015D

!

!

version 2.5

!

password-encryption-version 1.0 inline-password-encryption no password-encryption-key

!

client-identity-group default load default-fingerprints

!

ip snmp-access-list default permit any

!

firewall-policy default no ip dos tcp-sequence-past-window

!

[ Read 400 lines ]

^G Get Help ^O WriteOut ^R Read File ^Y Prev Page ^K Cut Text ^C Cur Pos

^X Exit ^J Justify ^W Where Is ^V Next Page ^U UnCut Txt ^T To Spell Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 63 PRIVILEGED EXEC MODE COMMANDS 3.1.25 enable Privileged Exec Mode Commands Turns on (enables) the privileged mode command set. This command does not do anything in the Privilege Executable mode. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax enable Parameters None Example rfs6000-81742D#enable rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 64 PRIVILEGED EXEC MODE COMMANDS 3.1.26 erase Privileged Exec Mode Commands Erases a devices (wireless controller, access point, and service platform) file system. Erases the content of the specified storage device. Also erases the startup configuration to restore the device to its default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax erase [flash:|nvram:|startup-config|usb1:|usb2:|usb3:|usb4:]

erase [flash:|nvram:|usb1:|usb2:|usb3:|usb4:]

erase startup-config {<HOSTNAME/MAC>|on <DOMAIN-NAME> {containing <SUB-STRING>|

exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}}

Parameters erase [flash:|nvram:|usb1:|usb2:|usb3:|usb4:]

flash:

nvram:

startup-config usb1:

usb2:

usb3:

usb4:

Erases everything in the devices flash: file Erases everything in the devices nvram: file Erases the devices startup configuration file. The startup configuration file is used to configure the device when it reboots. Erases everything in the device's usb1: file Erases everything in the device's usb2: file Erases everything in the device's usb3: file Erases everything in the device's usb4: file erase startup-config {<HOSTNAME/MAC>|on <DOMAIN-NAME> {containing <SUB-STRING>|

exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}}

startup-config:

Erases the startup configuration file on a specified device or devices in a specified RF Domain. The specified device(s) are reloaded after the startup configuration file is erased. Use the <HOSTNAME/MAC> or on <DOMAIN-NAME> options to identify the device or RF Domain respectively. Once executed, the configuration file, for the targeted device or for all device(s) in the targeted RF Domain, is also erased from the adopting controllers configuration file. The are automatically reloaded once the startup configuration file has been erased.

<HOSTNAME/MAC> Optional. Erases the startup configuration file on the device identified by the

<HOSTNAME/MAC> keyword. Specify the devices hostname or MAC address. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 65 on

<DOMAIN-NAME>

{containing <SUB-

STRING>|

exclude-controllers|

exclude-rf-domain-

manager|

filter <DEVICE-

TYPE>}

PRIVILEGED EXEC MODE COMMANDS Optional. Erases the startup configuration file on all devices or specified device(s) in a specified RF Domain

<DOMAIN-NAME> Specify the RF Domain name. After specifying the RF Domain, optionally use the filters provided to identify specific device(s) within the RF Domain. If none of the filters are used, the command is executed on all devices within the RF Domain. These filters are:

containing <SUB-STRING> Optional. Executes the command on all devices con-

taining a specified sub-string in their hostname

<SUB-STRING> Specify the sub-string to match. The startup configuration file is erased on all devices whose hostname contains the sub-string specified here. exclude-controllers Optional. Executes the command on all devices excluding controllers. The startup configuration file is erased on all devices except controllers. exclude-rf-domain-manager Optional. Executes the command on all devices ex-

cluding RF Domain managers. The startup configuration file is erased on all devices ex-

cept RF Domain managers. filter <DEVICE-TYPE> Optional. Executes the command on all devices of a speci-

fied type

<DEVICE-TYPE> Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8532, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. The startup con-

figuration file is erased on all devices of the type specified here. For example, if AP6521 is the device-type specified, the startup configuration file on all AP6521s, within the RF Domain, is erased. Example nx9500-6C8809#erase ?

cf: Erase everything in cf:

flash: Erase everything in flash:

nvram: Erase everything in nvram:

startup-config Reset configuration to factory default usb1: Erase everything in usb1:

usb2: Erase everything in usb2:

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 66 PRIVILEGED EXEC MODE COMMANDS 3.1.27 ex3500 Privileged Exec Mode Commands Enables EX3500 switch firmware management. Use this command to perform the following operations:

boot, copy, delete, and IP-related configurations. The copy keyword provides multiple copy options. It allows you to upload or download code images or configuration files between the switchs flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/

TFTP server and the quality of the network connection. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600 Syntax ex3500 [adoptd|boot|copy|delete|ip]

ex3500 adoptd upgrade <URL> on <EX3500-DEVICE-NAME>

ex3500 boot system <1-1> (config|opcode) <FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy [file|ftp|running-config|startup-config|tftp|unit]

ex3500 copy [file file <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp] [add-to-running-config|file|https-certificate|public-key|

running-config|startup-config]

ex3500 copy [ftp|tftp] add-to-running-config <FTP/TFTP-SERVER-IP> <USER-NAME>

<PASSWORD> <SOURCE-FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp] file <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> [1|2]

<SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp] https-certificate <FTP/TFTP-SERVER-IP> <USER-NAME>

<PASSWORD> <SOURCE-CERT-FILE-NAME> <SOURCE-PVT-KEY-FILE-NAME> <PVT-PASS-WORD>

on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp] public-key <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>

[1|2] <SOURCE-PUB-KEY-FILE-NAME> <USER-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp] [running-config|startup-config] <FTP/TFTP-SERVER-IP> <USER-

NAME> <PASSWORD> <SOURCE-CONFIG-FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy running-config [file <DEST-FILE-NAME>|ftp <FTP-SERVER-IP> <USER-NAME>

<PASSWORD> <DEST-FILE-NAME>|startup-config|tftp <TFTP-SERVER-IP> <DEST-FILE-

NAME>] on <EX3500-DEVICE-NAME>

ex3500 copy startup-config [file <DEST-FILE-NAME>|ftp <FTP-SERVER-IP> <USER-NAME>

<PASSWORD> <DEST-FILE-NAME>|running-config|tftp <TFTP-SERVER-IP> <DEST-FILE-

NAME>] on <EX3500-DEVICE-NAME>

ex3500 copy unit file <1-1> [1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-

DEVICE-NAME>

ex3500 delete [file|public-key]

ex3500 delete file [name <FILE-NAME>|unit <1-1> name <FILE-NAME>] on <EX3500-

DEVICE-NAME>

ex3500 delete public-key <USER-NAME> [dsa|rsa] on <EX3500-DEVICE-NAME>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 67 PRIVILEGED EXEC MODE COMMANDS ex3500 ip ssh [crypto|save]

ex3500 ip ssh crypto host-key generates [dsa|rsa] on <EX3500-DEVICE-NAME>

ex3500 ip ssh crypto zeroize [dsa|rsa] on <EX3500-DEVICE-NAME>

ex3500 ip ssh save host-key on <EX3500-DEVICE-NAME>

Parameters ex3500 adoptd upgrade <URL> on <EX3500-DEVICE-NAME>

ex3500 adoptd upgrade

<URL>

on <EX3500-DEVICE-

NAME>

Upgrades an adopted EX3500 switch Note: After an upgrade, reboot the EX3500 switch to initiate the new image. To view an EX3500s current image version, use the show > version > on <EX3500-DEVICE-NAME>

command. Specifies the location and image file name in the following format:

tftp://<IP>[/path]/file Executes the command on a specified EX3500 switch

<EX3500-DEVICE-NAME> Specify the EX3500 switchs hostname. ex3500 boot system <1-1> (config|opcode) <FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 boot system Boots a EX3500 switch using a specified configuration file

<1-1>

Identifies the EX3500 unit by its ID number. Specify the EX3500 ID from 1 - 1. Note: As of now only one (1) EX3500 unit can be managed through a NOC controller. The following keywords are recursive:

Specifies the image file to use for booting. The options are:

config Uses the configuration file to boot the switch opcode Uses the Operation Code (opcode), which is the runtime code, to boot the

(config|opcode)

<FILE-NAME>

switch. The opcode is like an operating system that enables the WiNG software to communicate with the EX3500 device. The following parameter is common to the config and opcode keywords:

<FILE-NAME> Specify the configuration/runtime-code file name. on <EX3500-DEVICE-

NAME>

Reloads a specified EX3500 switch

<EX3500-DEVICE-NAME> Specify the EX3500 switchs hostname. You can also specify its MAC address. ex3500 copy file file <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-

NAME>

ex3500 copy Copies a configuration file to another file Copies a specified file (this is the source configuration file) file Copies the specified source file to a specified file (this is the destination file file <SOURCE-FILE-

NAME> <DEST-FILE-

NAME>

configuration file)

<SOURCE-FILE-NAME> Specify the source configuration files name

<DEST-FILE-NAME> Specify the destination configuration files name. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 68 PRIVILEGED EXEC MODE COMMANDS When specifying the destination file name, keep in mind the following points:

- It should not contain slashes (\ or /),

- It should not exceed 32 characters for files on the switch, or 127 characters for files on the server. Copies the file to a specified EX3500 switch

<EX3500-DEVICE-NAME> Specify the EX3500 switchs hostname. The specified source file is copied to specified destination file on the EX3500 identified here. on <EX3500-DEVICE-

NAME>

ex3500 copy [ftp|tftp] add-to-running-config <FTP/TFTP-SERVER-IP> <USER-NAME>

<PASSWORD> <SOURCE-FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp] Copies files from a FTP or TFTP server. This command allows you to copy the following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc. This command also allows you to add a remote systems running configuration to the current system configuration. add-to-running-config Adds a remote systems running configuration to the current system

<FTP/TFTP-SERVER-

IP> <USER-NAME>

<PASSWORD>

Configures the FTP or TFTP server details (depending on the option selected in the previous step), such as IP address and user credentials. This is the device running the FTP/TFTP server.

<FTP/TFTP-SERVER-IP> Specify the FTP or TFTP servers IP address in the A.B.C.D format.

<USER-NAME> If using a FTP server, specify the FTP servers user name (should be an authorized user)

<PASSWORD> Specify the password applicable for the above specified FTP server user name.

<SOURCE-FILE-

NAME>

on <EX3500-DEVICE-

NAME>

After specifying the server details, specify the name of the running configuration file.

<SOURCE-FILE-NAME> Specify the source files name. Copies the file to a specified EX3500 switch

<EX3500-DEVICE-NAME> Specify the EX3500 switchs hostname. The specified source file is copied to specified destination file on the EX3500 identified here. ex3500 copy [ftp|tftp] file <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> [1|2]

<SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp] Copies files from a FTP or TFTP server. This command allows you to copy the file

<FTP/TFTP-SERVER-

IP> <USER-NAME>

<PASS-WORD>

following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc. Copies to a specified file system Configures the FTP or TFTP server details (depending on the option selected in the previous step), such as IP address and user credentials. This is the device running the FTP/TFTP server.

<FTP/TFTP-SERVER-IP> Specify the FTP or TFTP servers IP address in the A.B.C.D format.

<USER-NAME> If using a FTP server, specify the FTP servers user name (should be an authorized user)

<PASSWORD> Specify the password applicable for the above specified FTP server user name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 69 PRIVILEGED EXEC MODE COMMANDS

[1|2]

<SOURCE-FILE-

NAME>

<DEST-FILE-NAME>

After specifying the server details, select the file type and specify the name of the source and destination file names.

[1|2] Select the file type from 1 - 2. 1 Copies the EX3500 configuration file. 2 Copies the opcode, which is the runtime code. The opcode is like an operating system that enables the WiNG software to communicate with the EX3500 device.

<SOURCE-FILE-NAME> Specify the source files name.

<DEST-FILE-NAME> Specify the destination files name. on <EX3500-DEVICE-

NAME>

Copies the file to a specified EX3500 device

<EX3500-DEVICE-NAME> Specify the EX3500 devices hostname. The specified source file is copied to specified destination file on the EX3500 identified here. ex3500 copy [ftp|tftp] https-certificate <FTP/TFTP-SERVER-IP> <USER-NAME>

<PASSWORD> <SOURCE-CERT-FILE-NAME> <SOURCE-PVT-KEY-FILE-NAME> <PVT-PASS-WORD> on

<EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp] Copies files from a FTP or TFTP server. This command allows you to copy the https-certificate

<FTP/TFTP-SERVER-

IP> <USER-NAME>

<PASSWORD>

following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc. Copies HTTPS secure site certificate from the FTP or TFTP server to the switch Configures the FTP or TFTP server details (depending on the option selected in the previous step), such as IP address and user credentials. This is the device running the FTP/TFTP server.

<FTP/TFTP-SERVER-IP> Specify the FTP or TFTP servers IP address in the A.B.C.D format.

<USER-NAME> If using a FTP server, specify the FTP servers user name (should be an authorized user)

<PASSWORD> Specify the password applicable for the above specified FTP server user name.

<SOURCE-CERT-FILE-

NAME>

<SOURCE-PVT-KEY-

FILE-NAME>

<PVT-PASS-WORD>

After identifying the FTP or TFTP server, specify the following:

<SOURCE-CERT-FILE-NAME> Specify the source HTTPS secure site certificate file name.

<SOURCE-PVT-KEY-FILE-NAME> Specify the source private-key file name.

<PVT-PASS-WORD> Specify the private password. on <EX3500-DEVICE-

NAME>

Copies the file to a specified EX3500 device

<EX3500-DEVICE-NAME> Specify the EX3500 devices hostname. ex3500 copy [ftp|tftp] public-key <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>

[1|2] <SOURCE-PUB-KEY-FILE-NAME> <USER-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp] Copies files from a FTP or TFTP server. This command allows you to copy the public-key following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc. Copies the SSH public key from the FTP or TFTP server to the switch Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 70 PRIVILEGED EXEC MODE COMMANDS

<FTP/TFTP-SERVER-

IP> <USER-NAME>

<PASSWORD>

Configures the FTP or TFTP server details (depending on the option selected in the previous step), such as IP address and user credentials. This is the device running the FTP/TFTP server.

<FTP/TFTP-SERVER-IP> Specify the FTP or TFTP servers IP address in the A.B.C.D format.

<USER-NAME> If using a FTP server, specify the FTP servers user name (should be an authorized user)

<PASSWORD> Specify the password applicable for the above specified FTP server user name.

[1|2]

<SOURCE-PUB-KEY-

FILE-NAME> <USER-

NAME>

After identifying the FTP or TFTP server, specify the following:

[1|2] Configures the SSH public key type as RS or DSA 1 Configures the public key type as RSA 2 Configures the public key type as DSA

<SOURCE-PUB-KEY-FILE-NAME> Specifies the source public key file name

<USER-NAME> Specifies the public keys user name. on <EX3500-DEVICE-

NAME>

Copies the public key to a specified EX3500 device

<EX3500-DEVICE-NAME> Specify the EX3500 devices hostname. ex3500 copy [ftp|tftp] [running-config|startup-config] <FTP/TFTP-SERVER-IP>

<USER-NAME> <PASSWORD> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>

ex3500 copy [ftp|tftp] Copies files from a FTP or TFTP server. This command allows you to copy the

[running-config|

startup-config]

<FTP/TFTP-SERVER-

IP> <USER-NAME>

<PASSWORD>

<DEST-FILE-NAME>

following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc. Copies the running or startup configuration file to one of the following destinations:

file system, FTP server, or TFTP server The running configuration file can be copied to the startup configuration file and vice versa. If copying to a FTP/TFTP server, configure the following parameters:

<FTP/TFTP-SERVER-IP> Specify the FTP or TFTP servers IP address in the A.B.C.D format.

<USER-NAME> If using a FTP server, specify the FTP servers user name (should be an authorized user)

<PASSWORD> Specify the password applicable for the above specified FTP server user name. Configures the destination file name. The running or startup configuration file is copied to the specified destination file.

<DEST-FILE-NAME> Specify the destination file name. You can also copy the running configuration file to the startup configuration file and vice versa. on <EX3500-DEVICE-

NAME>

Copies the running or startup configuration file on to a specified EX3500 device

<EX3500-DEVICE-NAME> Specify the EX3500 devices hostname. ex3500 copy unit file <1-1> [1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME>

on <EX3500-DEVICE-NAME>

ex3500 copy unit Copies from a EX3500 switch Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 71 PRIVILEGED EXEC MODE COMMANDS file <1-1> [1|2]

<SOURCE-FILE-

NAME>

<DEST-FILE-NAME>

Copies the file system from the EX3500 switch identified by the unit number

<1-1> Specify the unit number from 1 - 1.

[1|2] Select the file type from 1 - 2. 1 Copies the selected units configuration file. 2 Copies the selected units opcode, which is the runtime code. The opcode is like an operating system that enables the WiNG software to communicate with the EX3500 device. Configures the source file name

<SOURCE-FILE-NAME> Specify the source file name. You can copy the running configuration file to the startup configuration file and vice versa. Configures the destination file name. The running or startup configuration file is copied to the specified file.

<DEST-FILE-NAME> Specify the destination file name. You can copy the running configuration file to the startup configuration file and vice versa. on <EX3500-DEVICE-

NAME>

Copies the running or startup configuration file on to a specified EX3500 device

<EX3500-DEVICE-NAME> Specify the EX3500 devices hostname. ex3500 delete file [name <FILE-NAME>|unit <1-1> name <FILE-NAME>]

on <EX3500-DEVICE-NAME>

ex3500 delete file name <FILE-NAME>

unit <1-1>

name <FILE-NAME>

Deletes a file or image on a specified EX3500 device Specifies the file to delete. The specified file is deleted.

<FILE-NAME> Specify the file name. Identifies the unit in the stackable system on which the file is located

<1-1> Select the unit from 1 - 1. name After identifying the unit, specify the file to delete. The specified file is deleted.

<FILE-NAME> Specify the file name. on <EX3500-DEVICE-

NAME>

Executes the command on a specified EX3500 device

<EX3500-DEVICE-NAME> Specify the EX3500 devices hostname. ex3500 delete public-key <USER-NAME> [dsa|rsa] on <EX3500-DEVICE-NAME>

ex3500 delete public-key

<USER-NAME>

[dsa|rsa]

Deletes a specified users public key

<USER-NAME> Specify the SSH users name. dsa Deletes the specified users DSA (version 2) key rsa Deletes the specified users RSA (version 1) key on <EX3500-DEVICE-

NAME>

Executes the command on a specified EX3500 device

<EX3500-DEVICE-NAME> Specify the EX3500 devices hostname. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 72 PRIVILEGED EXEC MODE COMMANDS ex3500 ip ssh crypto host-key generates [dsa|rsa] on <EX3500-DEVICE-NAME>

ex3500 ip ssh crypto host-key generates

[dsa|rsa]

on <EX3500-DEVICE-

NAME>

Generates the host-key pair (public and private). This host key is used by the SSH server to negotiate a session key and encryption method with the client trying to connect to it. dsa Generates DSA (version 2) key type rsa Generates RSA (version 1) key type Note: The RSA Version 1 is used only for SSHv1.5 clients, whereas DSA Version 2 is used only for SSHv2 clients. Note: This generated host-key pair is stored in the volatile memory (i.e RAM). To save the host-key pair in the flash memory, use the ex3500 > ip > ssh > save > host-key command. Executes the command on a specified EX3500 device

<EX3500-DEVICE-NAME> Specify the EX3500 devices hostname. ex3500 ip ssh zeroize [dsa|rsa] <EX3500-DEVICE-NAME>

ex3500 ip ssh zeroize

[dsa|rsa]

on <EX3500-DEVICE-

NAME>

Removes the host-key (DSA and RSA) from the volatile memory (i.e. RAM) Executes the command on a specified EX3500 device

<EX3500-DEVICE-NAME> Specify the EX3500 devices hostname. ex3500 ip ssh save host-key on <EX3500-DEVICE-NAME>

ex3500 ip ssh save host-key on <EX3500-DEVICE-

NAME>

Usage Guidelines Saves the host-key (DSA and RSA) to the flash memory Executes the command on a specified EX3500 device

<EX3500-DEVICE-NAME> Specify the EX3500 devices hostname. When using the ex3500 command and its parameters, keep in mind the following:

Destination file names should not:

- Contain slashes (\ or /),

- Exceed 32 characters for files on the switch, or 127 characters for files on the server The FTP servers default user name is set as anonymous. The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. Follow instructions provided in the release notes for new firmware, or contact your distributor for help. The Factory_Default_Config.cfg can be used as the source to copy from, but cannot be used as the destination. Although the switch supports only two operation code files, the maximum number of user-defined configuration files supported is 16. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 73 PRIVILEGED EXEC MODE COMMANDS Example nx9500-6C8809#ex3500 adopted upgrade tftp://192.168.0.99/ex3500-adopted-

5.8.5.0.img on ex3524-ED5EAC Flash programming started Flash programming completed Successful nx9500-6C8809#

nx9500-6C8809#ex3500 copy tftp file 10.2.0.100 1 m360.bix m360.bix on ex3524-ED5EAC

\Write to FLASH Programming.

-Write to FLASH finish. Success. nx9500-6C8809#

nx9500-6C8809#ex3500 copy tftp startup-config 10.2.0.99 startup.01 startup on ex3524-ED5EAC TFTP server ip address: 10.1.0.99 Flash programming started. Flash programming completed. Success. nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 74 PRIVILEGED EXEC MODE COMMANDS 3.1.28 factory-reset Privileged Exec Mode Commands Erases startup configuration on a specified device or all devices within a specified RF Domain Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax factory-reset [<HOSTNAME/MAC>|config-all|config-device-only|on <RF-DOMAIN-NAME>]

factory-reset <HOSTNAME/MAC> {<HOSTNAME/MAC>}

factory-reset on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|

exclude-rf-domain-manager|filter <DEVICE-TYPE>}

factory-reset [config-all|config-device-only] [<HOSTNAME/MAC> {<HOSTNAME/MAC>}|

on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-

domain-manager|filter <DEVICE-TYPE>}]

Parameters factory-reset <HOSTNAME/MAC> {<HOSTNAME/MAC>}

factory-reset

<HOSTNAME/MAC>

{<HOSTNAME/

MAC>}

Erases startup configuration and reloads device(s) based on the parameters passed For more information on the actions performed by this command, see Actions performed by the factory-reset command. Erases startup configuration and reloads the device identified by the <HOSTNAME/

MAC> keyword. Specify the devices hostname or MAC address.

<HOSTNAME/MAC> Optional. You can optionally specify multiple space-separated devices. factory-reset on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-

controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}

factory-reset on <RF-DOMAIN-

NAME>

{containing

<SUB-STRING>|

exclude-controllers|

exclude-rf-domain-

manager|

filter <DEVICE-

TYPE>]}

Erases startup configuration and reloads device(s) based on the parameters passed For more information on the actions performed by this command, see Actions performed by the factory-reset command. Erases startup configuration and reloads all devices or specified device(s) within a specified RF Domain identified by the <RF-DOMAIN-NAME> keyword

<RF-DOMAIN-NAME> Specify the RF Domain name. After specifying the RF Domain, optionally use the filters provided to identify specific device(s) within the RF Domain. If none of the filters are used, the command is executed on all devices within the RF Domain. These filters are:

containing <SUB-STRING> Optional. Executes the command on all devices con-

taining a specified sub-string in their hostname

<SUB-STRING> Specify the sub-string to match. Contd... Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 75 PRIVILEGED EXEC MODE COMMANDS exclude-controllers Optional. Executes the command on all devices excluding controllers. Since only a NOC controller is capable of adopting other controllers, use this option when executing the command on a NOC controller. exclude-rf-domain-manager Optional. Executes the command on all devices ex-

cluding RF Domain managers. Use this option when executing the command on the NOC, site controller, or RF Domain manager. filter <DEVICE-TYPE> Optional. Executes the command on all devices of a speci-

fied type

<DEVICE-TYPE> Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. The startup con-

figuration is erased on all devices of the type specified here. For example, if AP6521 is the device-type specified, the command is executed on all AP6521s within the specified RF Domain. factory-reset [config-all|config-device-only] [<HOSTNAME/MAC> {<HOSTNAME/

MAC>}|on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-

rf-domain-manager|filter <DEVICE-TYPE>}]

factory-reset

[config-all|

config-device-only]

Erases startup configuration and reloads device(s) based on the parameters passed For more information on the actions performed by this command, see Actions performed by the factory-reset command. Erases startup configuration and reloads only controller-adopted devices or the controller as well as its adopted devices config-all Erases startup configuration on the controller and all devices adopted by it config-device-only Erases startup configuration only on the devices adopted by the controller

<HOSTNAME/MAC>

{<HOSTNAME/

MAC>}

This parameter is common to the config-all and config-device-only keywords:

<HOSTNAME/MAC> Erases startup configuration and reloads the device identified by the <HOSTNAME/MAC> keyword. Specify the devices hostname or MAC address.

<HOSTNAME/MAC> Optional. You can optionally specify multiple space-separated devices. The following parameters are common to the config-all and config-device-only keywords:

on <RF-DOMAIN-NAME> Erases startup configuration and reloads all devices or specified device(s) within a specified RF Domain

<RF-DOMAIN-NAME> Specify the RF Domain name. After specifying the RF Do-

main, optionally use the filters provided to identify specific device(s) within the RF Do-

main. If none of the filters are used, the command is executed on all devices within the RF Domain. These filters are:

containing <SUB-STRING> Optional. Executes the command on all devices con-

taining a specified sub-string in their hostname

<SUB-STRING> Specify the sub-string to match. exclude-controllers Optional. Executes the command on all devices excluding controllers. Since only a NOC controller is capable of adopting other controllers, use this option when executing the command on a NOC controller. Contd... Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 76 PRIVILEGED EXEC MODE COMMANDS on <RF-DOMAIN-

NAME>

{containing

<SUB-STRING>|

exclude-controllers|

exclude-rf-domain-

manager|

filter <DEVICE-

TYPE>]}

exclude-rf-domain-manager Optional. Executes the command on all devices excluding RF Domain managers. Use this option when executing the command on the NOC, Site controller, or RF Domain manager. filter <DEVICE-TYPE> Optional. Executes the command on all devices of a spec-

ified type

<DEVICE-TYPE> Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. The startup configuration is erased on all devices of the type specified here. For example, if AP6521 is the device-type specified, the command is executed on all AP6521s within the specified RF Domain. Usage Guidelines Actions performed by the factory-reset command. The action taken by this command depends on the parameters passed. For the factory-reset [<DEVICE-NAME>|on <RF-DOMAIN-NAME>] options, the command:

- Erases startup configuration on the target device (or) all devices in the target RF Domain.

- Erases the device configuration entries from the controllers configuration for the target device (or) for all the devices in the target RF Domain.

- Reloads the target device (or) all devices in the target RF Domain. For the factory-reset config-all [<DEVICE-NAME>|on <RF-DOMAIN-NAME>] options, the command:

- Erases startup configuration on the target device (or) all devices in the target RF Domain.

- Erases the device configuration entries from the controllers configuration for the target device (or) for all the devices in the target RF Domain. For the factory-reset config-device-only [<DEVICE-NAME>|on <RF-DOMAIN-NAME>] options, the command:

- Erases startup configuration on the target device (or) all devices in the target RF Domain. Example nx7500-7F3609#factory-reset config-all ap6522-5A873C In progress .... Erased startup-config - success 1 fail 0 Successful device deletion - total 1 nx7500-7F3609#

rfs6000-18072B# factory-reset B4-C7-99-5A-87-3C In progress .... Erased startup-config and initiated reload - success 1 fail 0 Successful device deletion - total 1 rfs6000-18072B#

The following example displays the access points in the RF Domain rfd1:

nx7500-7F3609#show wireless ap on rfd1

--------------------------------------------------------------------------------

-------

MODE : radio modes - W = WLAN, S=Sensor, ' ' (Space) = radio not present

--------------------------------------------------------------------------------

-------

--------------------------------------------------------------------------------

-------

AP-NAME AP-LOCATION RF-DOMAIN AP-MAC #RADIOS MODE #CLIENT IPv4 IPv6

--------------------------------------------------------------------------------

-------

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 77 PRIVILEGED EXEC MODE COMMANDS ap7131-1180FC rfd1 00-23-68-11-80-FC 2 W-W 0 0.0.0.0

::ap6522-551648 rfd1 B4-C7-99-55-16-48 2 W-W 0 0.0.0.0

::ap8232-7F0DF8 rfd1 FC-0A-81-7F-0D-F8 2 W-W 0 0.0.0.0 ::

--------------------------------------------------------------------------------

-------

Total number of APs displayed: 3 nx7500-7F3609#

Note, the factory-reset command executed on an RF Domain with the exclude-rf-domain-manager option erases the startup configuration on all devices other than the RF Domain manager. nx7500-7F3609#factory-reset config-device-only on rfd1 exclude-rf-domain-manager In progress .... Erased startup-config -

ap7131-1180FC: OK ap6522-551648: OK nx7500-7F3609#

nx7500-7F3609# factory-reset on rfd2 In progress .... Erased startup-config and initiated reload -

ap650-A6566C: OK,Reload scheduled in 60 seconds... ap4532-34505C: OK,Reload scheduled in 60 seconds... ap650-345000: OK,Reload scheduled in 60 seconds... Successful device deletion - total 3 nx7500-7F3609#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 78 PRIVILEGED EXEC MODE COMMANDS 3.1.29 file-sync Privileged Exec Mode Commands Syncs trustpoint and/or EAP-TLS X.509 (PKCS#12) certificate between the staging-controller and adopted access points. When enabling file syncing, consider the following points:

The X.509 certificate needs synchronization only if the access point is configured to use EAP-TLS authentication. Execute the command on the controller adopting the access points. Ensure that the X.509 certificate file is installed on the controller. Syncing of trustpoint/wireless-bridge certificate can to be automated. To automate file syncing, in the controllers device/profile configuration mode, execute the following command: file-sync [auto|count <1-

20>]. For more information, see file-sync. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax file-sync [cancel|load-file|trustpoint|wireless-bridge]

file-sync cancel [trustpoint|wireless-bridge]

file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain

[<DOMAIN-NAME>|all]]

file-sync load-file [trustpoint|wireless-bridge]]

file-sync load-file [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] <URL>

file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|all|

rf-domain [<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time <TIME>}

Parameters file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain

[<DOMAIN-NAME>|all]]

file-sync cancel

[trustpoint|

wireless-bridge]

[<DEVICE-NAME>|

all|rf-domain

[<DOMAIN-NAME>|

all]]

Cancels scheduled file synchronization trustpoint Cancels scheduled trustpoint synchronization on a specified AP, all APs, or APs within a specified RF Domain wireless-bridge Cancels scheduled wireless-bridge certificate synchronization on a specified AP, all APs, or APs within a specified RF Domain

<DEVICE-NAME> Cancels scheduled trustpoint/certificate synchronization on a specified AP. Specify the APs hostname or MAC address. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 79 PRIVILEGED EXEC MODE COMMANDS all Cancels scheduled trustpoint/certificate synchronization on all APs rf-domain [<DOMAIN-NAME>|all] Cancels scheduled trustpoint/certificate syn-

chronization on all APs in a specified RF Domain or in all RF Domains

<DOMAIN-NAME> Cancels scheduled trustpoint/certificate synchronization on all APs within a specified RF Domain. Specify the RF Domains name. all Cancels scheduled trustpoint/certificate synchronization on all RF Domains file-sync load-file [trustpoint|wireless-bridge] <URL>

file-sync load-file

[trustpoint|

wireless-bridge]

<URL>

Loads the following files on to the staging controller:

trustpoint Loads the trustpoint, including CA certificate, server certificate and private key wireless-bridge Loads the wireless-bridge certificate to the staging controller Use this command to load the certificate to the controller before scheduling or initiating a certificate synchronization.

<URL> Provide the trustpoint/certificate location using one of the following for-

mats:

tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file http://<hostname|IP>[:port]/path/file cf:/path/file usb<n>:/path/file Note: Both IPv4 and IPv6 address types are supported. file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|

all|rf-domain [<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time

<TIME>}

file-sync trustpoint

<TRUSTPOINT-

NAME>

[<DEVICE-NAME>|

all|rf-domain

[<DOMAIN-NAME>

|all] from-controller]

Configures file-syncing parameters trustpoint <TRUSTPOINT-NAME> Syncs a specified trustpoint between controller and its adopted APs

<TRUSTPOINT-NAME> Specify the trustpoint name. wireless-bridge Syncs wireless-bridge certificate between controller and its adopted APs After specifying the file that is to be synced, configure following file-sync parameters:

<DEVICE-NAME> Syncs trustpoint/certificate with a specified AP. Specify the APs hostname or MAC address. all Syncs trustpoint/certificate with all APs rf-domain [<DOMAIN-NAME>|all] from-controller Syncs trustpoint/certificate with all APs in a specified RF Domain or in all RF Domains

<DOMAIN-NAME> Select to sync with APs within a specified RF Domain. Specify the RF Domains name. all Select to sync with APs across all RF Domains from-controller Optional. Loads certificate to the APs from the adopting controller and not the RF Domain manager After specifying the access points, specify the following options: reset-radio and upload-time. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 80 PRIVILEGED EXEC MODE COMMANDS reset-radio This keyword is recursive and applicable to all of the above parameters. Optional. Resets the radio after file synchronization. Reset the radio in case the certificate is renewed along with no changes made to the bridge EAP username and bridge EAP password. upload-time <TIME> This keyword is recursive and applicable to all of the above parameters. upload-time Optional. Schedules certificate upload at a specified time

<TIME> Specify the time in the MM/DD/YYYY-HH:MM or HH:MM format. If no time is configured, the process is initiated as soon as the command is executed. Example rfs6000-81742D#file-sync wireless-bridge ap7131-11E6C4 upload-time 06/01/2017-

12:30

--------------------------------------------------------------------------------

CONTROLLER STATUS MESSAGE

--------------------------------------------------------------------------------

B4-C7-99-6D-CD-4B Success Queued 1 APs to upload

--------------------------------------------------------------------------------

rfs6000-81742D#

The following command uploads certificate to all access points:

rfs6000-81742D#file-sync wireless-bridge all upload-time 06/01/2017-23:42 Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 81 PRIVILEGED EXEC MODE COMMANDS 3.1.30 halt Privileged Exec Mode Commands Stops (halts) a device (access point, wireless controller, or service platform). Once halted, the system must be restarted manually. This command stops the device immediately. No indications or notifications are provided while the device shuts down. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax halt {force} {(on <DEVICE-NAME>)}

Parameters halt {force} {(on <DEVICE-NAME>)}

halt force on <DEVICE-NAME>

Halts a device Optional. Forces a device to halt ignoring in-progress operations, such as firmware upgrades, downloads, unsaved configuration changes, etc. The following keywords are recursive and applicable to the force parameter:

on <DEVICE-NAME> Optional. Specifies the name of the device to be halted

<DEVICE-NAME> Enter the name of the AP, wireless controller, or service plat-

form. If the device name is not specified, the logged device is halted. Example nx9500-6C8809#halt on rfs6000-81742D nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 82 PRIVILEGED EXEC MODE COMMANDS 3.1.31 join-cluster Privileged Exec Mode Commands Adds a device (access point, wireless controller, or service platform), as cluster member, to an existing cluster of devices. Assign a static IP address to the device before adding to a cluster. Note, a cluster can be only formed of devices of the same model type. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax join-cluster <IP> user <USERNAME> password <WORD> {level|mode}

join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode

[active|standby]}

Parameters join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode

[active|standby]}

join-cluster

<IP>

user <USERNAME>

password <WORD>

level [1|2]

Adds a access point, wireless controller, or service platform to an existing cluster Specify the cluster members IP address. Specify a user account with super user privileges on the new cluster member. Specify password for the account specified in the user parameter. Optional. Configures the routing level 1 Configures level 1 routing 2 Configures level 2 routing mode [active|standby] Optional. Configures the cluster mode active Configures cluster mode as active standby Configures cluster mode as standby Usage Guidelines To add a device to an existing cluster:

configure a static IP address on the device (access point, wireless controller, or service platform). provide username and password for superuser, network admin, system admin, or operator accounts. After adding the device to a cluster, execute the write memory command to ensure the configuration persists across reboots. Example rfs6000-81742D#join-cluster 192.168.13.16 user admin password superuser level 1 mode standby

... connecting to 192.168.13.16

... applying cluster configuration

... committing the changes

... saving the changes

[OK]

rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 83 PRIVILEGED EXEC MODE COMMANDS rfs6000-81742D#show context

!

! Configuration of RFS6000 version 5.9.1.0-012D

!

!

version 2.5

!

!

................................................................................ interface ge1 switchport mode access switchport access vlan 1 interface vlan1 ip address 192.168.13.16/24 ip dhcp client request options all no ipv6 enable no ipv6 request-dhcpv6-options cluster name TechPubs cluster mode standby cluster member ip 192.168.13.16 level 1 logging on logging console warnings logging buffered warnings

!

!

end rfs6000-81742D#

Related Commands cluster create-cluster Initiates the cluster context. The cluster context provides centralized management to configure all cluster members from any one member. Creates a new cluster on a specified device Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 84 PRIVILEGED EXEC MODE COMMANDS 3.1.32 l2tpv3 Privileged Exec Mode Commands Establishes or brings down an L2TPv3 tunnel Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax l2tpv3 tunnel [<TUNNEL-NAME>|all]

l2tpv3 tunnel <TUNNEL-NAME> [down|session|up]

l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}

Parameters l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel

<TUNNEL-NAME>

[down|up]

Establishes or brings down an L2TPv3 tunnel

<TUNNEL-NAME> Specify the tunnel name. down Brings down the specified tunnel up Establishes the specified tunnel on <DEVICE-NAME>

Optional. Establishes or brings down a tunnel on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel

<TUNNEL-NAME>

session

<SESSION-NAME>

[down|up]

Establishes or brings down an L2TPv3 tunnel

<TUNNEL-NAME> Specify the tunnel name. Establishes or brings down a session in the specified tunnel

<SESSION-NAME> Specify the session name. down Brings down the specified tunnel session up Establishes the specified tunnel session on <DEVICE-NAME>

Optional. Establishes or brings down a tunnel session on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. l2tpv3 tunnel all [down|up]

l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}

Establishes or brings down a L2TPv3 tunnel Establishes or brings down all L2TPv3 tunnels down Brings down all tunnels up Establishes all tunnels Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 85 PRIVILEGED EXEC MODE COMMANDS on <DEVICE-NAME>

Optional. Establishes or brings down all tunnels on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example rfs6000-81742D#l2tpv3 tunnel Tunnel1 session Tunnel1Session1 up on rfs6000-81742D NOTE: For more information on the L2TPv3 tunnel configuration mode and commands, see Chapter 22, L2TPV3-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 86 PRIVILEGED EXEC MODE COMMANDS 3.1.33 logging Privileged Exec Mode Commands Modifies message logging settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|

informational|warnings|notifications}

Parameters logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|

informational|notifications|warnings}

monitor Sets terminal lines logging levels. The logging severity levels can be set from 0 - 7. The system configures default settings, if no logging severity level is specified.

<0-7> Optional. Enter the logging severity level from 0 - 7. The various levels and their implications are:

alerts Optional. Immediate action needed (severity=1) critical Optional. Critical conditions (severity=2) debugging Optional. Debugging messages (severity=7) emergencies Optional. System is unusable (severity=0) errors Optional. Error conditions (severity=3) informational Optional. Informational messages (severity=6) notifications Optional. Normal but significant conditions (severity=5) warnings Optional. Warning conditions (severity=4) Note: Ensure that the logging module is enabled, before configuring the message logging level. To enable message logging, in the devices configuration mode, execute the logging > on command. Message logging can also be enabled on a profile. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 87 PRIVILEGED EXEC MODE COMMANDS Example rfs6000-81742D(config-device-00-15-70-81-74-2D)#logging on rfs6000-81742D#logging monitor debugging rfs6000-81742D#show logging Logging module: enabled Aggregation time: disabled Console logging: level warnings Monitor logging: disabled Buffered logging: level warnings Syslog logging: level warnings Facility: local7 Log Buffer (70096 bytes):

Apr 04 12:43:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM Apr 04 12:33:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM

--More--

rfs6000-81742D#

Related Commands no Resets terminal lines logging levels Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 88 PRIVILEGED EXEC MODE COMMANDS 3.1.34 mint Privileged Exec Mode Commands Uses MiNT protocol to perform a ping and traceroute to a remote device Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mint [ping|traceroute]

mint ping <MINT-ID> {count <1-10000>|size <1-64000>|timeout <1-10>}

mint traceroute <MINT-ID> {destination-port <1-65535>|max-hops <1-255>|source-

port <1-65535>|timeout <1-255>}

Parameters mint ping <MINT-ID> {count <1-10000>|size <1-64000>|timeout <1-10>}

ping <MINT-ID>

count <1-10000>

size <1-64000>

timeout <1-10>

Sends a MiNT echo message to a specified destination

<MINT-ID> Specify the destination devices MiNT ID. Optional. Sets the pings to the MiNT destination

<1-10000> Specify a value from 1 - 60. The default is 3. Optional. Sets the MiNT payload size in bytes

<1-64000> Specify a value from 1 - 640000 bytes. The default is 64 bytes. Optional. Sets a response time in seconds

<1-10> Specify a value from 1 - 10 seconds. The default is 1 second. mint traceroute <MINT-ID> {destination-port <1-65535>|max-hops <1-255>|

source-port <1-65535>|timeout <1-255>}

traceroute

<MINT-ID>

destination-port

<1-65535>

max-hops <1-255>

source-port

<1-65535>

timeout <1-255>

Prints the route packets trace to a device

<MINT-ID> Specify the destination devices MiNT ID. Optional. Sets the Equal-cost Multi-path (ECMP) routing destination port

<1-65535> Specify a value from 1 - 65535. The default port is 45. Optional. Sets the maximum number of hops a traceroute packet traverses in the forward direction

<1-255> Specify a value from 1 - 255. The default is 30. Optional.Sets the ECMP source port

<1-65535> Specify a value from 1 - 65535. The default port is 45. Optional. Sets the minimum response time period

<1-255> Specify a value from 1 - 255 seconds. The default is 30 seconds. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 89 PRIVILEGED EXEC MODE COMMANDS Example rfs4000-229D58#mint ping 68.88.0D.A7 MiNT ping 68.88.0D.A7 with 64 bytes of data. Response from 68.88.0D.A7: id=1 time=0.364 ms Response from 68.88.0D.A7: id=2 time=0.333 ms Response from 68.88.0D.A7: id=3 time=0.368 ms

--- 68.88.0D.A7 ping statistics ---

3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 0.333/0.355/0.368 ms rfs4000-229D58#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 90 PRIVILEGED EXEC MODE COMMANDS 3.1.35 mkdir Privileged Exec Mode Commands Creates a new directory in the file system Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mkdir <DIR>

Parameters mkdir <DIR>

<DIR>

Example Specify a directory name. Note: A directory, specified by the <DIR> parameter, is created within the file system. rfs4000-880DA7#dir Directory of flash:/. drwx Tue Sep 27 06:25:15 2016 log drwx Sat Jan 1 05:30:08 2000 configs drwx Sat Jan 1 05:30:08 2000 cache drwx Wed Nov 4 16:12:15 2015 crashinfo drwx Mon Sep 26 10:45:03 2016 archived_logs drwx Sat Jan 1 05:30:08 2000 upgrade drwx Sat Jan 1 05:30:23 2000 hotspot drwx Sat Jan 1 05:30:08 2000 floorplans drwx Sat Jan 1 05:30:08 2000 tmptpd rfs4000-880DA7#

rfs4000-880DA7#mkdir test rfs4000-880DA7#dir Directory of flash:/. drwx Tue Sep 27 06:25:15 2016 log drwx Tue Sep 27 15:20:01 2016 test drwx Sat Jan 1 05:30:08 2000 configs drwx Sat Jan 1 05:30:08 2000 cache drwx Wed Nov 4 16:12:15 2015 crashinfo drwx Mon Sep 26 10:45:03 2016 archived_logs drwx Sat Jan 1 05:30:08 2000 upgrade drwx Sat Jan 1 05:30:23 2000 hotspot drwx Sat Jan 1 05:30:08 2000 floorplans drwx Sat Jan 1 05:30:08 2000 tmptpd rfs4000-880DA7#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 91 PRIVILEGED EXEC MODE COMMANDS 3.1.36 more Privileged Exec Mode Commands Displays files on the devices file system. This command navigates and displays specific files in the devices file system. Provide the complete path to the file more <file>. The more command also displays the startup configuration file. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax more <FILE>

Parameters more <FILE>

<FILE>

Example Specify the file name and location. rfs4000-880DA7#more flash:/archived_logs/startup.5.log 00-07-42-05-30-17 May 30 05:37:43 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/logd"

May 30 05:37:43 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/isDiag"

May 30 05:37:48 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/rim"

May 30 05:37:51 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM May 30 05:38:18 2017: %PM-6-PROCSTART: Starting process "/etc/init.d/cfgd"

May 30 05:38:19 2017: %KERN-6-INFO: up1 { no link }. May 30 05:38:19 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/nsm"

May 30 05:38:21 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/mstp"

May 30 05:38:21 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/hsd"

May 30 05:38:22 2017: %PM-6-PROCSTART: Starting process "/etc/init.d/dpd2.init"

May 30 05:38:22 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/ssm"

--More--

rfs4000-880DA7#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 92 PRIVILEGED EXEC MODE COMMANDS 3.1.37 no Privileged Exec Mode Commands Use the no command to revert a command or a set of parameters to their default. This command is useful to turn off an enabled feature or to revert to default settings. The no commands have their own set of parameters that can be reset. These parameters depend on the context in which the command is being used. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [adoption|captive-portal|cpe|crypto|debug|logging|page|raid|service|

terminal|upgrade|virtual-machine|wireless]

no adoption {on <DEVICE-OR-DOMAIN-NAME>}

NOTE: The no > adoption command resets the adoption state of a specified device (and all devices adopted to it) or devices within a specified RF Domain. When executed without specifying the device or RF Domain, the command resets the adoption state of the logged device and all devices, if any, adopted to it. no captive-portal client [captive-portal <CAPTIVE-PORTAL-NAME>|mac <MAC>]

{on <DEVICE-OR-DOMAIN-NAME>}

no crypto pki [server|trustpoint]

no crypto pki [server|trustpoint] <TRUSTPOINT-NAME> {del-key {on <DEVICE-NAME>}|

on <DEVICE-NAME>}

no logging monitor no page no service [block-adopter-config-update|locator|snmp|ssm|wireless]

no service block-adopter-config-update no service locator {on <DEVICE-NAME>}

no service snmp sysoid wing5 no service ssm trace pattern {<WORD>} {(on <DEVICE-NAME>)}

no service wireless [trace pattern {<WORD>} {(on <DEVICE-NAME>)}|unsanctioned ap air-terminate <BSSID> {on <DOMAIN-NAME>}]

no terminal [length|width]

no upgrade <PATCH-NAME> {on <DEVICE-NAME>}

no wireless client [all|<MAC>]

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 93 PRIVILEGED EXEC MODE COMMANDS no wireless client all {filter|on}

no wireless client all {filter [wlan <WLAN-NAME>]}

no wireless client all {on <DEVICE-OR-DOMAIN-NAME>} {filter [wlan <WLAN-NAME>]}

no wireless client mac <MAC> {on <DEVICE-OR-DOMAIN-NAME>}

The following command is available only on the NX95XX series service platforms:

no cpe led cpe [<1-24>|all] {on <T5-DEVICE-NAME>}

no virtual-machine assign-usb-ports {on <DEVICE-NAME>}

no raid locate Parameters no <PARAMETERS>

no <PARAMETERS>

Resets or reverts settings based on the parameters passed Usage Guidelines The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated. Example rfs4000-229D58#no adoption rfs4000-229D58#

rfs6000-81742D#no page rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 94 PRIVILEGED EXEC MODE COMMANDS 3.1.38 on Privileged Exec Mode Commands Executes the following commands in the RF Domain context: clrscr, do, end, exit, help, service, and show Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax on rf-domain [<RF-DOMAIN-NAME>|all]

Parameters on rf-domain [<RF-DOMAIN-NAME>|all]

on rf-domain

[<RF-DOMAIN-

NAME>|all]

Enters the RF Domain context based on the parameter specified

<RF-DOMAIN-NAME> Specify the RF Domain name. Enters the specified RF Domain context. all Specifies all RF Domains. Example nx9500-6C8809#on rf-domain TechPubs nx9500-6C8809(TechPubs)#

nx9500-6C8809(TechPubs)#?

on RF-Domain Mode commands:

clrscr Clears the display screen do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system service Service Commands show Show running system information nx9500-6C8809(TechPubs)#?

nx9500-6C8809(TechPubs)#show adoption timeline on TechPubs/ap7562-84A224

--------------------------------------------------------------------------------

-----

AP-NAME RF-DOMAIN LAST-ADOPTION-TIMESTAMP ADOPTED-SINCE

--------------------------------------------------------------------------------

-----

nx9500-6C8809 TechPubs 2016-09-09 00:00:14 7 days 05:19:49 rfs4000-880DA7 TechPubs 2016-09-08 23:59:57 7 days 05:20:06 rfs6000-81742D TechPubs 2016-09-08 05:52:04 7 days 23:27:58

--------------------------------------------------------------------------------

-----

Total number of devices displayed: 3 nx9500-6C8809(TechPubs)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 95 PRIVILEGED EXEC MODE COMMANDS 3.1.39 opendns Privileged Exec Mode Commands Fetches the OpenDNS device_id from the OpenDNS site. Use this command to fetch the OpenDNS device_id. Once fetched, apply the device_id to WLANs that are to be OpenDNS enabled. OpenDNS is a free DNS service that enables swift Web navigation without frequent outages. It is more reliable than other available DNS services, and provides the following services: DNS query resolution, Web-

filtering, protection against virus and malware attacks, performance enhancement, etc. This command is part of a set of configurations that are required to integrate WiNG devices with OpenDNS. When integrated, DNS queries going out of the WiNG device (access point, controller, or service platform) are re-directed to OpenDNS (208.67.220.220 or 208.67.222.222) resolvers that act as proxy DNS servers. For more information on enabling OpenDNS support, see Enabling OpenDNS Support. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax opendns [APIToken|username]

opendns APIToken <OPENDNS-APITOKEN>

opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>

Note, you can use either of the above commands to fetch the device_id from the OpenDNS site. Parameters opendns APIToken <OPENDNS-APITOKEN>

opendns APIToken

<OPENDNS-

APITOKEN>

Fetches the device_id from the OpenDNS site using the OpenDNS API token Configures the OpenDNS APIToken. This is the token provided you by CISCO at the time of subscribing for their OpenDNS service.

<OPENDNS-APITOKEN> Provide the OpenDNS API token (should be a valid token). For every valid OpenDNS API token provided a device_id is returned. Apply this device_id to WLANs that are to be OpenDNS enabled. Once applied, DNS queries originating from associating clients are appended with an additional 31 bytes of data

(representing the device ID) at the end of the DNS packet. For information on configuring the device_id in the WLAN context, see opendns. opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>

opendns username

<USERNAME>

Fetches the device_id from the OpenDNS site using the OpenDNS credentials Configures the OpenDNS user name. This is your OpenDNS email ID provided by CISCO at the time of subscribing for their OpenDNS service.

<USERNAME> Provide the OpenDNS user name (should be a valid OpenDNS username). Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 96 PRIVILEGED EXEC MODE COMMANDS password

<OPENDNS-PSWD>

Configures the password associated with the user name specified in the previous step

<OPENDNS-PSWD> Provide the OpenDNS password (should be a valid OpenDNS password). label <LABEL>

Configures the network label. This the label (the user friendly name) of your network, and should be the same as the label (name) configured on the OpenDNS portal.

<LABEL> Specify your network label. For every set of username, password, and label passed only one unique device_id is returned. Apply this device_id to WLANs that are to be OpenDNS enabled. Once applied, DNS queries originating from associating clients are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. For information on configuring the device_id in the WLAN context, see opendns. Example ap7131-E6D512#opendns username bob@examplecompany.com password opendns label company_name Connecting to OpenDNS server... device_id = 0014AADF8EDC6C59 ap7131-E6D512#

nx9600-7F3C7F#opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073 device_id = 001480fe36dcb245 nx9600-7F3C7F#

Example Enabling OpenDNS Support The following example shows how to enable OpenDNS support 1 Fetch the OpenDNS device_id from the OpenDNS site. a In the User/Privilege executable mode execute one of the following commands:

nx9500-6C874D#opendns APIToken <OPENDNS-APITOKEN>

nx9500-6C8809#opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073 device_id = 001480fe36dcb245 nx9500-6C8809#

OR nx9500-6C8809#opendns username <USERNAME> password <OPENDNS-PSWD> label

<LABEL>

Note, the OpenDNS API token and/or user account credentials are provided the OpenDNS service provider when subscribing for the OpenDNS service. b Apply the device_id fetched in the step 1 to the WLAN. nx9500-6C8809(config-wlan-opendns)#opendns device-id <OPENDNS-DEVICE-ID>

nx9500-6C8809(config-wlan-opendns)#opendns device-id 001480fe36dcb245 nx9500-6C8809(config-wlan-opendns)#show context wlan opendns ssid opendns bridging-mode local encryption-type none authentication-type none opendns device-id 001480fe36dcb245 nx9500-6C8809(config-wlan-opendns)#

Once applied, DNS queries originating from wireless clients associating with the WLAN are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. 2 Configure a DHCP server policy, and set the DHCP pools DNS server configuration to point to the OpenDNS servers. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 97 PRIVILEGED EXEC MODE COMMANDS nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#dns-server 208.67.222.222 Note, you can configure any one of the following OpenDNS servers:

208.67.222.222 OR 208.67.222.220 nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#show context dhcp-pool opendnsPool dns-server 208.67.222.222 nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#

3 Apply the DHCP server policy configured in step 2 on the access point, controller, or service platform. nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#use dhcp-server-policy opendns nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory

| include use use profile default-nx9000 use rf-domain TechPubs use database-policy default use nsight-policy noc use dhcp-server-policy opendns use auto-provisioning-policy TechPubs nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

When configured, DNS queries are forwarded by the access point, controller, or service platform to the specified OpenDNS resolver. 4 Configure an IP Access Control List with the following permit and deny rules:

nx9500-6C8809(config-ip-acl-OpenDNS)#permit udp any host 208.67.222.222 eq dns rule-precedence 1 rule-description "allow dns queries only to OpenDNS"

nx9500-6C8809(config-ip-acl-OpenDNS)#deny udp any any eq dns rule-precedence 10 rule-description "block all DNS queries"

nx9500-6C8809(config-ip-acl-OpenDNS)#permit ip any any rule-precedence 100 rule-description "allow all other ip packets"

nx9500-6C8809(config-ip-acl-OpenDNS)#show context ip access-list OpenDNS permit udp any host 208.67.222.222 eq dns rule-precedence 1 rule-description

"allow dns queries only to OpenDNS"

deny udp any any eq dns rule-precedence 10 rule-description "block all dns queries"

permit ip any any rule-precedence 100 rule-description "allow all other ip packets"

nx9500-6C8809config-ip-acl-OpenDNS)#

When configured and applied in the WLAN context, the IP ACL prevents wireless clients from adding their own DNS servers to bypass the Web filtering and network policies enforced by OpenDNS. 5 Apply the IP ACL configured in step 4 in the WLAN context. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 98 PRIVILEGED EXEC MODE COMMANDS nx9500-6C8809(config-wlan-opendns)#use ip-access-list out OpenDNS nx9500-6C8809(config-wlan-opendns)#show context wlan opendns ssid opendns vlan 1 bridging-mode local encryption-type none authentication-type none use ip-access-list in OpenDNS use ip-access-list out OpenDNS opendns device-id 0014AADF8EDC6C59 nx9500-6C8809(config-wlan-opendns)#

When applied to the WLAN, only the DNS queries directed to the OpenDNS server are forwarded. All other DNS queries are dropped. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 99 PRIVILEGED EXEC MODE COMMANDS 3.1.40 page Privileged Exec Mode Commands Toggles controller paging. Enabling this command displays the CLI command output page by page, instead of running the entire output at once. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax page Parameters None Example rfs6000-81742D#page rfs6000-81742D#

Related Commands no Disables controller paging Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 100 PRIVILEGED EXEC MODE COMMANDS 3.1.41 ping Privileged Exec Mode Commands Sends Internet Controller Message Protocol (ICMP) echo messages to a user-specified location Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|

source [<IP>|pppoe|vlan <1-4094>|wwan]}

Parameters ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|

source [<IP>|pppoe|vlan <1-4094>|wwan]}

<IP/HOSTNAME>

count <1-10000>

dont-fragment

{count|size}

Specify the destination IP address or hostname to ping. When entered without any parameters, this command prompts for an IP address or a hostname. Optional. Sets the pings to the specified destination

<1-10000> Specify a value from 1 - 10000. The default is 5. Optional. Sets the dont-fragment bit in the ping packet. Packets with the dont-

fragment bit specified, are not fragmented. When a packet, with the dont-fragment bit specified, exceeds the specified Maximum Transmission Unit (MTU) value, an error message is sent from the device trying to fragment it. count <1-10000> Sets the pings to the specified destination from 1 - 10000. The default is 5. size <1-64000> Sets the size of ping payload size from 1 - 64000 bytes. The default is 100 bytes. size <1-64000>

Optional. Sets the ping packets size in bytes

<1-64000> Specify the ping payload size from 1 - 64000 bytes. The default is 100 bytes. source [<IP>|pppoe|

vlan <1-4094>|wwan]

Optional. Sets the source address or interface name. This is the source of the ICMP packet to the specified destination.

<IP> Specifies the source IP address pppoe Selects the PPP over Ethernet interface vlan <1-4094> Selects the VLAN interface from 1 - 4094 wwan Selects the wireless WAN interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 101 PRIVILEGED EXEC MODE COMMANDS Example rfs6000-81742D#ping 192.168.13.13 count 4 PING 192.168.13.13 (192.168.13.13) 100(128) bytes of data. 108 bytes from 192.168.13.13: icmp_seq=1 ttl=64 time=0.356 ms 108 bytes from 192.168.13.13: icmp_seq=2 ttl=64 time=0.211 ms 108 bytes from 192.168.13.13: icmp_seq=3 ttl=64 time=0.199 ms 108 bytes from 192.168.13.13: icmp_seq=4 ttl=64 time=0.215 ms

--- 192.168.13.13 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 2999ms rtt min/avg/max/mdev = 0.199/0.245/0.356/0.065 ms rfs6000-81742D#

rfs6000-81742D#ping 10.233.89.182 source vlan 1 PING 10.233.89.182 (10.233.89.182) from 192.168.13.24 vlan1: 100(128) bytes of data. From 192.168.13.2 icmp_seq=1 Packet filtered From 192.168.13.2 icmp_seq=2 Packet filtered From 192.168.13.2 icmp_seq=3 Packet filtered From 192.168.13.2 icmp_seq=4 Packet filtered From 192.168.13.2 icmp_seq=5 Packet filtered

--- 10.233.89.182 ping statistics ---

5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 3997ms rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 102 PRIVILEGED EXEC MODE COMMANDS 3.1.42 ping6 Privileged Exec Mode Commands Sends ICMPv6 echo messages to a user-specified IPv6 address Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ping6 <IPv6/HOSTNAME> {<INTF-NAME>|count <1-10000>|size <1-64000>}

Parameters ping <IPv6/HOSTNAME> {<INTF-NAME>|count <1-10000>|size <1-64000>}

<IPv6/HOSTNAME> Specify the destination IPv6 address or hostname.

<INTF-NAME>

count <1-10000>

Optional. Specify the interface name for link local/broadcast address Optional. Sets the pings to the specified IPv6 destination

<1-10000> Specify a value from 1 - 10000. The default is 5. Optional. Sets the IPv6 ping payload size in bytes

<1-64000> Specify the ping payload size from 1 - 64000. The default is 100 bytes. size <1-64000>

Usage Guidelines To configure a devices IPv6 address, in the VLAN interface configuration mode, use the ipv6 > address <IPv6-ADDRESS> command. After configuring the IPv6 address, use the ipv6 > enable command to enable IPv6. For more information, see ipv6. Example rfs4000-880DA7#ping6 2001:10:10:10:10:10:10:2 count 6 size 200 PING 2001:10:10:10:10:10:10:2(2001:10:10:10:10:10:10:2) 200 data bytes 208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=1 ttl=64 time=0.509 ms 208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=2 ttl=64 time=0.323 ms 208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=3 ttl=64 time=0.318 ms 208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=4 ttl=64 time=0.317 ms 208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=5 ttl=64 time=0.314 ms 208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=6 ttl=64 time=0.318 ms

--- 2001:10:10:10:10:10:10:2 ping statistics ---

6 packets transmitted, 6 received, 0% packet loss, time 4999ms rtt min/avg/max/mdev = 0.314/0.349/0.509/0.075 ms rfs4000-880DA7#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 103 PRIVILEGED EXEC MODE COMMANDS 3.1.43 pwd Privileged Exec Mode Commands Displays the full path of the present working directory, similar to the UNIX pwd command Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax pwd Parameters None Example rfs4000-229D58#pwd flash:/

rfs4000-229D58#

rfs4000-229D58#dir Directory of flash:/. drwx Mon Feb 8 17:37:21 2016 log drwx Sat Jan 1 05:30:08 2000 configs drwx Sat Jan 1 05:30:08 2000 cache drwx Thu Nov 12 17:55:02 2015 crashinfo drwx Mon Feb 8 17:34:21 2016 archived_logs drwx Sat Jan 1 05:30:08 2000 upgrade drwx Sat Jan 1 05:30:23 2000 hotspot drwx Sat Jan 1 05:30:08 2000 floorplans drwx Sat Jan 1 05:30:08 2000 tmptpd rfs4000-229D58#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 104 PRIVILEGED EXEC MODE COMMANDS 3.1.44 re-elect Privileged Exec Mode Commands Re-elects the tunnel controller (wireless controller or service platform) Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax re-elect tunnel-controller {<WORD> {on <DEVICE-NAME>}|on <DEVICE-NAME>}

Parameters re-elect tunnel-controller {<WORD> {on <DEVICE-NAME>}|on <DEVICE-NAME>}

re-elect tunnel-controller

<WORD>

{on <DEVICE-

NAME>}

Re-elects the tunnel controller Optional. Re-elects the tunnel controller on all devices whose preferred tunnel controller name matches <WORD>

on <DEVICE-NAME> Optional. Re-elects the tunnel controller on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Example rfs4000-880DA7#re-elect tunnel-controller OK rfs4000-880DA7#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 105 PRIVILEGED EXEC MODE COMMANDS 3.1.45 reload Privileged Exec Mode Commands Halts a device or devices and performs a warm reboot Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax reload {<DEVICE-MAC-OR-HOSTNAME>|at|cancel|force|in|on|staggered}

reload {(<DEVICE-MAC-OR-HOSTNAME>)}

reload {at <TIME> <1-31> <MONTH> <1993-2035> {on <DEVICE-OR-DOMAIN-NAME>}}

reload {cancel} {on <DEVICE-OR-DOMAIN-NAME>}

reload {force} {(<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>|staggered)}

reload {force} {(<DEVICE-MAC-OR-HOSTNAME>)}

reload {force} {on <DOMAIN-NAME> {staggered}|staggered {<DEVICE-MAC-OR-HOSTNAME>|

on <DOMAIN-NAME>}} {containing <WORD>|exclude-controllers|exclude-rf-domain-

manager|filter <DEVICE-TYPE>}

reload {in <1-999>} {list|on}

reload {in <1-999>} {list {<LINE>|all}|on <DEVICE-OR-DOMAIN-NAME>}

reload {in <1-999>} {on <DEVICE-OR-DOMAIN-NAME>}

reload {on <DOMAIN-NAME>} {containing <WORD>|exclude-controllers|exclude-rf-

domain-manager|filter <DEVICE-TYPE>}

reload {staggered} {(<DEVICE-MAC-OR-HOSTNAME>)|on <DOMAIN-NAME>} {containing

<WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}

Parameters reload {(<DEVICE-MAC-OR-HOSTNAME>)}

reload

<DEVICE-MAC-OR-

HOSTNAME>

Initiates device(s) reload and configures associated parameters The following keyword is recursive and allows you to specify multiple devices:

<DEVICE-MAC-OR-HOSTNAME> Optional. Reloads a specified device(s), identified by the <DEVICE-MAC-OR-HOSTNAME> keyword. Specify the devices hostname or MAC address. If no device is specified, the system reloads the logged device. reload {at <TIME> <1-31> <MONTH> <1993-2035> {on <DEVICE-OR-DOMAIN-NAME>}}

reload at Initiates device(s) reload and configures associated parameters at Optional. Schedules a reload at a specified time and day. Use the following keywords to specify the time and day: <TIME>, <1-31>, <MONTH>, and <1993-2035>.

<TIME>

Specifies the time in the HH:MM:SS format Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 106 PRIVILEGED EXEC MODE COMMANDS

<1-31>

<MONTH>

<1993-2035>

on <DEVICE-OR-

DOMAIN-NAME>

Specifies the day of the month from 1 - 31 Specifies the month from Jan - Dec Specifies the year from 1993 - 2035. It should be a valid 4 digit year. Optional. Performs reload at the scheduled time, on a specified device or all devices within a specified RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. When a RF Domain name is provided, all devices within the specified RF Domain are reloaded at the scheduled time. If no device is specified, the reload is scheduled on the logged device. reload {cancel} {on <DEVICE-OR-DOMAIN-NAME>}

reload cancel on <DEVICE-OR-

DOMAIN-NAME>

Cancels pending/scheduled reloads of device(s) cancel Optional. Cancels all pending reloads on <DEVICE-OR-DOMAIN-NAME> Optional. Cancels reloads pending on a specified device or all devices within a specified RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. If no device is specified, the system cancels reloads pending on the logged device. reload {force} {(<DEVICE-MAC-OR-HOSTNAME>)}

reload force

<DEVICE-MAC-OR-

HOSTNAME>

Initiates device(s) reload and configures associated parameters force Optional. Forces device(s) to reload, while ignoring conditions like upgrade in progress, unsaved changes, etc. Use the options provided to force a reload on a specified device or all devices in a RF Domain. This keyword is recursive and allows you to specify multiple devices.

<DEVICE-MAC-OR-HOSTNAME> Optional. Forces a reload on a specified device identified by the <DEVICE-MAC-OR-HOSTNAME> keyword. Specify the devices hostname or MAC address. When executed, the specified device(s) are forced to halt and a warm reboot is performed. If no device is specified, the system forcefully reloads the logged device. reload {force} {on <DOMAIN-NAME> {staggered}|staggered {<DEVICE-MAC-OR-

HOSTNAME>|on <DOMAIN-NAME>}} {containing <WORD>|exclude-controllers|exclude-rf-

domain-manager|filter <DEVICE-TYPE>}

reload force on <DOMAIN-NAME>

staggered Initiates device(s) reload and configures associated parameters force Optional. Forces device(s) to reload, while ignoring conditions like upgrade in progress, unsaved changes, etc. Use the options provided to force a reload on a specified device or all devices in a RF Domain. Optional. Forces a reload on all devices in a RF Domain

<DOMAIN-NAME> Optional. Specify the name of the RF Domain. When executed, all devices within the specified RF Domain are forced to halt and a warm reboot is performed. staggered Optional. Enables staggered reload of devices (one at a time) with-

out network impact. Use this option when rebooting multiple devices within an RF Domain. When executed, all devices within the specified RF Domain are forced to halt and reboot in a staggered manner. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 107 staggered

{<DEVICE-MAC-OR-

HOSTNAME>|

on <DOMAIN-NAME>}

{containing <WORD>|

exclude-controllers|

exclude-rf-domain-

manager|

filter <DEVICE-TYPE>}

PRIVILEGED EXEC MODE COMMANDS Optional. Enables staggered reload of devices (one at a time) without network impact

<DEVICE-MAC-OR-HOSTNAME> Optional. Forces a reload on specified device(s) identified by the <DEVICE-MAC-OR-HOSTNAME> keyword. Specify the devices hostname or MAC address. This is a recursive keyword that allows you to specify multiple devices. When executed, the specified device(s) are forced to halt and a warm reboot is performed. on <DOMAIN-NAME> Optional. Forces a reload on all devices in a RF Domain. Specify the name of the RF Domain. When executed, all devices within the specified RF Domain are forced to halt and a warm reboot is performed. If no device or RF Domain is specified, the system forcefully reloads the logged device. When forcefully reloading devices in a RF Domain, you can use following options to filter specific devices or device types:

containing <WORD> Optional. Filters out devices containing a specified sub-string in their hostnames

<WORD> Optional. Provide the sub-string to match. All devices having host-

names containing the provided sub-string are filtered and forcefully reloaded. exclude-controllers Optional. Excludes all controllers in the specified RF Domain from the reload process exclude-rf-domain-manager Optional. Excludes the RF Domain manager from the reload process filter <DEVICE-TYPE> Optional. Filters devices by the device type specified. Select the type of device. All devices, of the specified type, within the specified RF Domain, are forcefully reloaded.

<DEVICE-TYPE> Select the type of device to reload. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000, t5. reload {in <1-999>} {list {<LINE>|all}|on <DEVICE-OR-DOMAIN-NAME>}

reload in <1-999>

Initiates device(s) reload and configures associated parameters in Optional. Performs a reload after a specified time period

<1-999> Specify the time from 1 - 999 minutes list {<LINE>|all}

Optional. Reloads all adopted devices or specified devices

<LINE> Optional. Reloads listed devices. List all devices (to be reloaded) separated by a space. on <DEVICE-OR-

DOMAIN-NAME>

all Optional. Reloads all devices adopted by this controller Optional. Reloads a specified device or all devices within a specified RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 108 PRIVILEGED EXEC MODE COMMANDS reload {on <DOMAIN-NAME>} {containing <WORD>|exclude-controllers|exclude-rf-

domain-manager|filter <DEVICE-TYPE>}

reload on <DOMAIN-NAME>

Initiates device(s) reload and configures associated parameters on <DOMAIN-NAME> Optional. Enables reload of all devices in a RF Domain

{containing <WORD>|

exclude-controllers|

exclude-rf-domain-

manager|

filter <DEVICE-TYPE>}

<DOMAIN-NAME> Specify the name of the RF Domain. When executed, all de-

vices within the specified RF Domain are immediately halted and a warm reboot is performed. If no RF Domain is specified, the system reloads the logged device. When reloading devices in a RF Domain, you can use following options to filter specific devices or device types:

containing <WORD> Optional. Filters out devices containing a specified sub-string in their hostnames.

<WORD> Optional. Provide the sub-string to match. All devices having host-

names containing the provided sub-string are filtered and forcefully reloaded. exclude-controllers Optional. Excludes all controllers in the specified RF Domain from the reload process exclude-rf-domain-manager Optional. Excludes the RF Domain manager from the reload process filter <DEVICE-TYPE> Optional. Filters devices by the device type specified. Select the type of device to reload. All devices, of the specified type, within the specified RF Domain, are forcefully reloaded.

<DEVICE-TYPE> Select the type of device to reload. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000, t5. All devices of the type specified are reloaded. reload {staggered} {(<DEVICE-MAC-OR-HOSTNAME>)|on <DOMAIN-NAME>} {containing

<WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}

reload staggered Initiates device(s) reload and configures associated parameters staggered Optional. Enables staggered reload of devices (one at a time) without network impact

{<DEVICE-MAC-OR-

HOSTNAME>|

on <DOMAIN-NAME>}

Use one of the following options to specify a single device, multiple devices, or a RF Domain

<DEVICE-MAC-OR-HOSTNAME> Optional. Performs staggered reload on specified device(s) identified by the <DEVICE-MAC-OR-HOSTNAME> keyword. Specify the devices hostname or MAC address. This is a recursive keyword that allows you to specify multiple devices. When executed, the specified device(s) are halted and a warm reboot is performed. Multiple devices are halted and rebooted one at a time without impacting network functioning. Contd..

<DOMAIN-NAME> Optional. Performs staggered reload of all devices in a RF Domain. Specify the name of the RF Domain. When executed, devices in the specified RF Domain are halted and rebooted one at a time without impacting network functioning. Use additional filter options to filter devices in the specified RF Domain. If no device or RF Domain is specified, the system reloads the logged device. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 109

{containing <WORD>|

exclude-controllers|

exclude-rf-domain-

manager|

filter <DEVICE-TYPE>}

PRIVILEGED EXEC MODE COMMANDS When reloading devices in a RF Domain, you can use following options to filter specific devices or device types:

containing <WORD> Optional. Filters out devices containing a specified sub-string in their hostnames.

<WORD> Optional. Provide the sub-string to match. All devices having host-

names containing the provided sub-string are filtered and reloaded. exclude-controllers Optional. Excludes all controllers in the specified RF Domain from the reload process exclude-rf-domain-manager Optional. Excludes the RF Domain manager from the reload process filter <DEVICE-TYPE> Optional. Filters devices by the device type specified. Select the type of device. All devices, of the specified type, within the specified RF Domain, are reloaded.

<DEVICE-TYPE> Select the type of device to reload. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000, t5. Example rfs7000-6DCD4B#reload at 12:30:00 31 Mar 2015 on rfs6000-81742D Reload scheduled at 2015-03-31 12:30:00 UTC ... rfs7000-6DCD4B#

rfs7000-6DCD4B#reload cancel on rfs6000-81742D Scheduled reload cancelled. rfs7000-6DCD4B#

The following example schedules a reload on all non-controller devices in the RF Domain default:

rfs7000-6DCD4B#reload on default exclude-controllers ap8132-711728: OK rfs7000-6DCD4B#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 110 PRIVILEGED EXEC MODE COMMANDS 3.1.46 rename Privileged Exec Mode Commands Renames a file in the devices file system Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax rename <OLD-FILE-NAME> <NEW-FILE-NAME>

Parameters rename <OLD-FILE-NAME> <NEW-FILE-NAME>

<OLD-FILE-NAME>

<NEW-FILE-NAME>

Specify the file to rename. Specify the new file name. Example rfs4000-880DA7#dir Directory of flash:/. drwx Wed Sep 14 13:54:10 2016 log drwx Sat Jan 1 05:30:08 2000 configs drwx Sat Jan 1 05:30:08 2000 cache drwx Wed Nov 4 16:12:15 2015 crashinfo drwx Fri Sep 16 05:26:37 2016 testdir drwx Thu Sep 8 04:09:30 2016 archived_logs drwx Sat Jan 1 05:30:08 2000 upgrade drwx Sat Jan 1 05:30:23 2000 hotspot drwx Sat Jan 1 05:30:08 2000 floorplans drwx Sat Jan 1 05:30:08 2000 tmptpd rfs4000-880DA7#

rfs4000-880DA7#rename flash:/testdir/ Final rfs4000-880DA7#

rfs4000-880DA7#dir Directory of flash:/. drwx Wed Sep 14 13:54:10 2016 log drwx Sat Jan 1 05:30:08 2000 configs drwx Fri Sep 16 05:26:37 2016 Final drwx Sat Jan 1 05:30:08 2000 cache drwx Wed Nov 4 16:12:15 2015 crashinfo drwx Thu Sep 8 04:09:30 2016 archived_logs drwx Sat Jan 1 05:30:08 2000 upgrade drwx Sat Jan 1 05:30:23 2000 hotspot drwx Sat Jan 1 05:30:08 2000 floorplans drwx Sat Jan 1 05:30:08 2000 tmptpd rfs4000-880DA7#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 111 PRIVILEGED EXEC MODE COMMANDS 3.1.47 rmdir Privileged Exec Mode Commands Deletes an existing directory from the file system (only empty directories can be removed) Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax rmdir <DIR>

Parameters rmdir <DIR>

rmdir <DIR>

Specifies the directory name Note: The directory, specified by the <DIR> parameter, is removed from the file system. Example rfs4000-880DA7#dir Directory of flash:/. drwx Wed Sep 14 13:54:10 2016 log drwx Sat Jan 1 05:30:08 2000 configs drwx Fri Sep 16 05:26:37 2016 Final drwx Sat Jan 1 05:30:08 2000 cache drwx Wed Nov 4 16:12:15 2015 crashinfo drwx Thu Sep 8 04:09:30 2016 archived_logs drwx Sat Jan 1 05:30:08 2000 upgrade drwx Sat Jan 1 05:30:23 2000 hotspot drwx Sat Jan 1 05:30:08 2000 floorplans drwx Sat Jan 1 05:30:08 2000 tmptpd rfs4000-880DA7#

rfs4000-880DA7#rmdir Final rfs4000-880DA7#

rfs4000-880DA7#dir Directory of flash:/. drwx Wed Sep 14 13:54:10 2016 log drwx Sat Jan 1 05:30:08 2000 configs drwx Sat Jan 1 05:30:08 2000 cache drwx Wed Nov 4 16:12:15 2015 crashinfo drwx Thu Sep 8 04:09:30 2016 archived_logs drwx Sat Jan 1 05:30:08 2000 upgrade drwx Sat Jan 1 05:30:23 2000 hotspot drwx Sat Jan 1 05:30:08 2000 floorplans drwx Sat Jan 1 05:30:08 2000 tmptpd rfs4000-880DA7#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 112 PRIVILEGED EXEC MODE COMMANDS 3.1.48 self Privileged Exec Mode Commands Enters the logged devices configuration context Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax self Parameters None Example rfs6000-81742D#self Enter configuration commands, one per line. End with CNTL/Z. rfs6000-81742D(config-device-00-15-70-81-74-2D)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 113 PRIVILEGED EXEC MODE COMMANDS 3.1.49 ssh Privileged Exec Mode Commands Opens a Secure Shell (SSH) connection between two network devices Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ssh <IP/HOSTNAME> <USERNAME> {<INF-NAME/LINK-LOCAL-ADD>}

Parameters ssh <IP/HOSTNAME> <USERNAME> {<INF-NAME/LINK-LOCAL-ADD>}

<IP/HOSTNAME>

<USERNAME>

<INF-NAME/

LINK-LOCAL-ADD>

Usage Guidelines Specify the remote systems IP address or hostname. Specify the name of the user requesting the SSH connection. Optional. Specify the interfaces name or link local address. To exit the other devices context, use the command that is relevant to that device. Example nx9500-6C8809#ssh 192.168.13.16 admin admin@192.168.13.16's password:

rfs6000-81742D>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 114 PRIVILEGED EXEC MODE COMMANDS 3.1.50 t5 Privileged Exec Mode Commands Executes following operations on a T5 device through the WiNG controller:

copy, rename, and delete files on the T5 devices file system write running configuration to the T5 devices memory The T5 switch is a means of providing cost-effective, high-speed, wall-to-wall coverage across a building. The T5 switch leverages the in-building telephone lines to extend Ethernet and Wireless LAN networks without additional expenditure on re-wiring. This setup is ideally suited for hotels, providing high-speed Wi-Fi coverage to guest rooms. The entire setup consists of the DSL T5 switch, TW-510 Ethernet wallplates, and TW-511 wireless wallplate access points. Replace the phone jack plate in a room with the TW-511 delivers 802.11 a/b/g/n and extend wireless connectivity in that room and the neighboring rooms. These TW-511 wallplates (also referred to as the CPEs) are connected to the T5 switch over the DSL interface using a phone block. The T5 switch is adopted and managed through a WiNG controller. The connection between the T5 and WiNG switches is over a WebSocket. NOTE: For more information on other T5 CPE related commands, see cpe. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax t5 [copy <SOURCE-FILE-NAME> <DEST-FILE-NAME>|delete <FILE-NAME>|rename <SOURCE-

FILE-NAME> <DEST-FILE-NAME>|write memory] {on <T5-DEVICE-NAME>}

Parameters t5 [copy <SOURCE-FILE-NAME> <DEST-FILE-NAME>|delete <FILE-NAME>|rename <SOURCE-

FILE-NAME> <DEST-FILE-NAME>|write memory] {on <T5-DEVICE-NAME>}

copy

<SOURCE-FILE-

NAME>

<DEST-FILE-NAME>

delete <FILE-NAME>

Copies file to an external server

<SOURCE-FILE-NAME> Specify the source file name.

<DEST-FILE-NAME> Specify the destination file name. The content from the source file is copied to the destination file. The source or destination files can be local or remote FTP or TFTP files. The source file also can be a pre-defined keyword. At least one of the files should be a local file. Use this command to copy the startup and/or running configurations to an external server. Deletes files on the T5 devices file system

<FILE-NAME> Specify the file name. The specified file is deleted. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 115 PRIVILEGED EXEC MODE COMMANDS rename

<SOURCE-FILE-

NAME>

<DEST-FILE-NAME>

write memory on <T5-DEVICE-

NAME>

Renames a file on the T5 devices file system

<SOURCE-FILE-NAME> Specify the source file name

<DEST-FILE-NAME> Specify the new file name. The source file is renamed to the input provided here. Writes running configuration to an adopted T5 devices memory memory Writes running configuration to the T5 devices non-volatile (NV) memory. Optional. Executes these operation on a specified T5 device

<T5-DEVICE-NAME> Specify the T5 devices hostname. Example nx9500-6C8809#t5 write memory on t5-ED7C6C Success nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 116 PRIVILEGED EXEC MODE COMMANDS 3.1.51 telnet Privileged Exec Mode Commands Opens a Telnet session between two network devices Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}

Parameters telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}

<IP/HOSTNAME>

<TCP-PORT>

<INTF-NAME>

Usage Guidelines Configures the remote systems IP (IPv4 or IPv6) address or hostname. The Telnet session will be established between the connecting system and the remote system.

<IP> Specify the remote systems IPv4 or IPv6 address or hostname. Optional. Specify the Transmission Control Protocol (TCP) port. Optional. Specify the interface name for the link local address. To exit the other devices context, use the command relevant to that device. Example nx9500-6C8809#telnet 192.168.13.22 Entering character mode Escape character is '^]'. AP7131 release 5.9.0.0-012D ap7131-11E6C4 login: admin Password:

ap7131-11E6C4>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 117 PRIVILEGED EXEC MODE COMMANDS 3.1.52 terminal Privileged Exec Mode Commands Sets the number of characters per line, and the number of lines displayed within the terminal window Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax terminal [length|width] <0-512>

Parameters terminal [length|width] <0-512>

length <0-512>

width <0-512>

Sets the number of lines displayed on the terminal window

<0-512> Specify a value from 0 - 512. Sets the width or number of characters displayed on the terminal window

<0-512> Specify a value from 0 - 512. Example rfs6000-81742D#terminal length 150 rfs6000-81742D#terminal width 215 rfs6000-81742D#show terminal Terminal Type: xterm Length: 150 Width: 215 rfs6000-81742D#

Related Commands no Resets the width of the terminal window or the number of lines displayed on a terminal window Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 118 PRIVILEGED EXEC MODE COMMANDS 3.1.53 time-it Privileged Exec Mode Commands Verifies the time taken by a particular command between request and response Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax time-it <COMMAND>

Parameters time-it <COMMAND>

time-it <COMMAND>

Verifies the time taken by a particular command to execute and provide a result

<COMMAND> Specify the command name. Example rfs6000-81742D#time-it config terminal Enter configuration commands, one per line. End with CNTL/Z. That took 0.00 seconds.. rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 119 PRIVILEGED EXEC MODE COMMANDS 3.1.54 traceroute Privileged Exec Mode Commands Traces the route to a defined destination Use --help or -h to display a complete list of parameters for the traceroute command Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax traceroute <WORD>

Parameters traceroute <WORD>

<WORD>

Traces the route to a IP address or hostname

<WORD> Specify the IPv4 address or hostname. Example nx9500-6C8809#traceroute 192.168.13.16 traceroute to 192.168.13.16 (192.168.13.16), 30 hops max, 46 byte packets 1 192.168.13.16 (192.168.13.16) 0.479 ms 0.207 ms 0.199 ms nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 120 PRIVILEGED EXEC MODE COMMANDS 3.1.55 traceroute6 Privileged Exec Mode Commands Traces the route to a specified IPv6 destination Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax traceroute6 <WORD>

Parameters traceroute6 <WORD>

traceroute6 <WORD>

Traces the route to a IPv6 address or hostname

<WORD> Specify the IPv6 address or hostname. Example rfs4000-880DA7#traceroute6 2001:10:10:10:10:10:10:2 traceroute to 2001:10:10:10:10:10:10:2 (2001:10:10:10:10:10:10:2) from 2001:10:10:10:10:10:10:1, 30 hops max, 16 byte packets 1 2001:10:10:10:10:10:10:2 (2001:10:10:10:10:10:10:2) 0.622 ms 0.497 ms 0.531 ms rfs4000-880DA7#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 121 PRIVILEGED EXEC MODE COMMANDS 3.1.56 upgrade Privileged Exec Mode Commands Upgrades a devices software image Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax upgrade [<FILE>|<URL>|dhcp-vendor-options]

upgrade [<FILE>|<URL>] {background|on <DEVICE-NAME>|on <RF-DOMAIN-NAME>}

upgrade dhcp-vendor-options {<DEVICE-NAME>|on <RF-DOMAIN-NAME>}

upgrade dhcp-vendor-options {<DEVICE-NAME>} {<DEVICE-NAME>}

upgrade dhcp-vendor-options {on <RF-DOMAIN-NAME>} {containing <SUB-

STRING>|exclude-controllers|exclude-rf-domain-managers|filter <DEVICE-TYPE>}

Parameters upgrade [<FILE>|<URL>] {background|on <DEVICE-NAME>|on <RF-DOMAIN-NAME>}

<FILE>

Specify the target firmware image location in the following format:

cf:/path/file usb1:/path/file usb2:/path/file usb<n>:/path/file

<URL>

Specify the target firmware image location. Use one of the following formats:

IPv4 URLs:

tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file http://<hostname|IP>[:port]/path/file cf:/path/file usb<n>:/path/file IPv6 URLs:

tftp://<hostname|[IPv6]>[:port]/path/file ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file http://<hostname|[IPv6]>[:port]/path/file Optional. Performs upgrade in the background background Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 122 PRIVILEGED EXEC MODE COMMANDS on

<DEVICE-NAME>

on <RF-DOMAIN-

NAME>

Optional. Upgrades the software image on a specified remote device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Optional. Upgrades the software image on all devices within a specified RF Domain

<RF-DOMAIN-NAME> Specify the name of the RF Domain. upgrade dhcp-vendor-options {<DEVICE-NAME>} {<DEVICE-NAME>}

dhcp-vendor-options Uses DHCP vendor options to upgrade device(s)

<DEVICE-NAME>

{<DEVICE-NAME>}

Optional. Uses DHCP vendor options to upgrade a specified device. Specify the name of the AP, wireless controller, or service platform.

<DEVICE-NAME> Optional. You can optionally specify multiple comma-separated device names/MAC addresses to upgrade. upgrade dhcp-vendor-options {on <RF-DOMAIN-NAME>} {containing <SUB-STRING>|

exclude-controllers|exclude-rf-domain-managers|filter <DEVICE-TYPE>}

dhcp-vendor-options Uses DHCP vendor options to upgrade device(s) on <RF-DOMAIN-

NAME>

{containing <SUB-

STRING>|

exclude-controllers|

exclude-rf-domain-

managers|

filter <DEVICE-

TYPE>}

Optional. Uses DHCP vendor options to upgrade all devices or specified device(s) within the RF Domain identified by the <RF-DOMAIN-NAME> keyword

<RF-DOMAIN-NAME> Specify the RF Domain name. After specifying the RF Domain, optionally use the filters provided to identify specific device(s) within the RF Domain. If none of the filters are used, all devices within the RF Domain are upgraded. These filters are:

containing <SUB-STRING> Optional. Upgrades all devices, within the specified RF Domain, containing a specified sub-string in their hostname

<SUB-STRING> Specify the sub-string to match. exclude-controllers Optional. Upgrades all devices, within the specified RF Domain, excluding controllers. Since only a NOC controller is capable of adopting other control-

lers, use this option when executing the command on a NOC controller. exclude-rf-domain-manager Optional. Upgrades all devices, within the specified RF Domain, excluding RF Domain managers. Use this option when executing the com-

mand on the NOC, Site controller, or RF Domain manager. filter <DEVICE-TYPE> Optional. Executes the command on all devices, within the specified RF Domain, of a specified type

<DEVICE-TYPE> Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. Upgrades all devices of the type specified here. For example, if AP6521 is the device-type specified, all AP6521s within the specified RF Domain are up-

graded Example nx9500-6C8809#show boot

--------------------------------------------------------------------------------

IMAGE BUILD DATE INSTALL DATE VERSION

--------------------------------------------------------------------------------

Primary 02/05/2017 14:33:58 02/11/2017 12:27:53 5.9.0.0-024D Secondary 02/01/2017 21:36:24 02/03/2017 12:05:48 5.8.6.0-007B

--------------------------------------------------------------------------------

Current Boot : Secondary Next Boot : Primary Software Fallback : Enabled VM support : Not presentt nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 123 PRIVILEGED EXEC MODE COMMANDS nx9500-6C8809#upgrade ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W59/

NX9500.img Running from partition /dev/sda7 Validating image file header Removing other partition Making file system Extracting files (this may take some time)........................................................................... ............................................................................... ............................................................................... ............................................................................... ............................................................................... ............................................................................... ............................................................................... ............................................................................... ............................................................................... ............................................................................... ............................................................................... ............................................................ Control C disabled Version of firmware update file is 5.9.0.0-026D Removing unneeded files from flash:/crashinfo directory Removing unneeded files from flash:/var2/log directory Creating LILO files Running LILO Successful nx9500-6C8809#

nx9500-6C8809#show boot

--------------------------------------------------------------------------------

IMAGE BUILD DATE INSTALL DATE VERSION

--------------------------------------------------------------------------------

Primary 05/01/2017 12:03:13 05/10/2017 10:12:53 5.9.0.0-026D Secondary 05/01/2017 19:30:21 05/02/2017 10:05:48 5.9.0.0-007B

--------------------------------------------------------------------------------

Current Boot : Secondary Next Boot : Primary Software Fallback : Enabled VM support : Not present nx9500-6C8809#

After upgrading, the device has to be reloaded to boot using the new image. nx7500-7F3609#upgrade tftp://192.168.0.50/RFS6000-5.9.0.-012D.img rfs6000-6DCBB3

--------------------------------------------------------------------------------

DEVICE STATUS MESSAGE

--------------------------------------------------------------------------------

rfs6000-6DCBB3 Success None

--------------------------------------------------------------------------------

nx7500-7F3609#show upgrade-status Last Image Upgrade Status : Successful Last Image Upgrade Time : 2017-03-26 10:31:12 nx7500-7F3609#

The following example shows the upgrade status:

nx7500-7F3609#show upgrade detail Last Image Upgrade Status : Successful Last Image Upgrade Time : 2017-03-26 10:31:12

-----------------------------------------------

Running from partition /dev/sda7 var2 is 2 percent full

/tmp is 2 percent full Free Memory 15258044 kB FWU invoked via Linux shell Validating image file header Removing other partition Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 124 PRIVILEGED EXEC MODE COMMANDS Making file system Extracting files (this may take some time). Control C disabled Version of firmware update file is 5.9.0.-012D Creating LILO files Running LILO Successful nx7500-7F3609#

nx7500-7F3609#show upgrade on rfs6000-6DCBB3 Last Image Upgrade Status :Successful Last Image Upgrade Time :2017-03-26 10:31:12 nx7500-7F3609#

Related Commands no Removes a patch installed on a specified device Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 125 PRIVILEGED EXEC MODE COMMANDS 3.1.57 upgrade-abort Privileged Exec Mode Commands Aborts an ongoing software image upgrade Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax upgrade-abort {on <DEVICE-OR-DOMAIN-NAME>}

Parameters upgrade-abort {on <DEVICE-OR-DOMAIN-NAME>}

upgrade-abort on <DEVICE-OR-

DOMAIN-NAME>

Aborts an ongoing software image upgrade Optional. Aborts an ongoing software image upgrade on a specified device or domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. Example rfs4000-229D58#upgrade ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W59/

RFS4000-5.9.0.0-012D.img Running from partition /dev/mtdblock6 Validating image file header Making file system Extracting files (this may take some time).................. rfs6000-81701D#upgrade-abort on rfs4000-229D58 rfs4000-229D58#upgrade ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W59/

RFS4000-5.9.0.0-012D.img.img Running from partition /dev/mtdblock6 Validating image file header Making file system Extracting files (this may take some time).................. Update error: Aborted rfs4000-229D58#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 126 PRIVILEGED EXEC MODE COMMANDS 3.1.58 virtual-machine Privileged Exec Mode Commands Installs, configures, and monitors the status of virtual machines (VMs) installed on a WiNG controller Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax virtual-machine [assign-usb-ports|export|install|restart|set|start|

stop|uninstall]

virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}

virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}

virtual-machine install [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan]

{on <DEVICE-NAME>}

virtual-machine restart [<VM-NAME>|hard|team-urc|team-rls|team-vowlan]

virtual-machine set [autostart|memory|vcpus|vif-count|vif-mac|vif-to-vmif|vnc]

virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|

vif-count <0-2>|vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-

INDEX>| vnc [disable|enable]] [<VM-NAME>|team-urc|team-rls|team-vowlan]

{on <DEVICE-NAME>}

The following virtual-machine commands are supported only on the VX9000 platform:

virtual-machine volume-group [add-drive|replace-drive|resize-drive|resize-volume-

group]

virtual-machine volume-group [add-drive|replace-drive] <BLOCK-DEVICE-LABEL>

virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABLE> <NEW-BLOCK-

DEVICE-LABEL>

virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>

Parameters virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}

assign-usb-ports team-

vowlan Assigns USB ports to TEAM-VoWLAN on a specified device on <DEVICE-NAME> Optional. Specify the device name. Note: Use the no > virtual-machine > assign-usb-ports to reassign the port to WiNG. Note: TEAM-RLS VM cannot be installed when USB ports are assigned to TEAM-

VoWLAN. virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}

virtual-machine export Exports an existing VM image and settings. Use this command to export the VM to another <NX54XX> or <NX65XX> device in the same domain.

<VM-NAME> Specify the VM name.

<FILE> Specify the location and name of the source file (VM image). The VM image is retrieved and exported from the specified location.

<URL> Specify the destination location. This is the location to which the VM im-

age is copied. Use one of the following formats to provide the destination path:

Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 127 PRIVILEGED EXEC MODE COMMANDS tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file http://<hostname|IP>[:port]/path/file on <DEVICE-NAME> Optional. Executes the command on a specified device or devices

<DEVICE-NAME> Specify the service platform name. In case of multiple devices, list the device names separated by commas. Note: The VM should be in a stop state during the export process. Note: If the destination is a device, the image is copied to a predefined location (VM archive). virtual-machine install [<VM-NAME>|adsp|team-centro|team-rls|team-vowlan]

{on <DEVICE-NAME>}

virtual-machine install Installs the VM. The install command internally creates a VM template, consisting of the specified parameters, and starts the installation process. Select one of the following options:

<VM-NAME> Installs a VM having name specified by <VM-NAME> keyword. adsp Installs ADSP team-centro Installs the VM TEAM-Centro image team-rls Installs the VM TEAM-RLS image team-vowlan Installs the VM TEAM-VoWLAN image Specify the device on which to install the VM. on <DEVICE-NAME> Optional. Executes the command on a specified device or devices

<DEVICE-NAME> Specify the service platform name. In case of multiple devices, list the device names separated by commas. virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|

vif-count <0-2>|vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-

INDEX>|vnc [disable|enable]] [<VM-NAME>|team-urc|team-rls|team-vowlan]

{on <DEVICE-NAME>}

virtual-machine set Configures the VM settings autostart Specifies whether to autostart the VM on system reboot ignore Enables autostart on each system reboot start Disables autostart memory Defines the VM memory size

<512-8192> Specify the VM memory from 512 - 8192 MB. The default is 1024 MB. vcpus Specifies the number of VCPUS for this VM

<1-4> Specify the number of VCPUS from 1- 4. vif-count Configures or resets the VM's VIFs

<0-2> Specify the VIF number from 0 - 2. vif-mac Configures the MAC address of the selected virtual network interface

<1-2> Select the VIF

<1-8> Specify the MAC index for the selected VIF

<MAC> Specify the customized MAC address for the selected VIF in the AA-BB-

CC-DD-EE-FF format. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 128 PRIVILEGED EXEC MODE COMMANDS Each VM has a maximum of two network interfaces (indexed 1 and 2, referred to as VIF). By default, each VIF is automatically assigned a MAC from the range allocated for that device. However, you can use the set keyword to specify the MAC from within the allocated range. Each of these VIFs are mapped to a layer 2 port in the dataplane (referred to as VMIF). These VMIFs are standard l2 ports on the DP bridge, supporting all VLAN and ACL commands. The WiNG software supports up to a maximum of 8 VMIFs. By default, a VMs interface is always mapped to VMIF1. You can map a VIF to any of the 8 VMIFs. Use the vif-

to-vmif command to map a VIF to a VMIF on the DP bridge. vif-to-vmif Maps the virtual interface (1 or 2) to the selected VMIF interface. Specify the VMIF interface index from 1 - 8. WiNG provides a dataplane bridge for external network connectivity for VMs. VM Interfaces define which IP address is associated with each VLAN ID the service platform is connected to and enables remote service platform administration. Each custom VM can have up to a maximum of two VM interfaces. Each VM interface can be mapped to one of the twelve ports for <NX9500> on the dataplane bridge. This mapping determines the destination for service platform routing. By default, VM interfaces are internally connected to the dataplane bridge via VMIF1. VMIF1, by default, is an untagged port providing access to VLAN 1 to support the capability to connect the VM interfaces to any of the VMIF ports. This provides the flexibility to move a VM interface onto different VLANs as well as configure specific firewall and QoS rules. vnc Disables/enables VNC port option for an existing VM. When enabled, provides remote access to VGA through the noVNC client. disable Disables VNC port enable Enables VNC port After configuring the VM settings, identify the VM to apply the settings.

<VM-NAME> Applies these settings to the VM identified by the <VM-NAME>

keyword. Specify the VM name. adsp Applies these settings to the ADSP VM team-urc Applies these settings to the VM TEAM-URC team-rls Applies these settings to the VM TEAM-RLS team-vowlan Applies these settings to the VM TEAM-VoWLAN virtual-machine start [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan]

{on <DEVICE-NAME>}

virtual-machine start Starts the VM, based on the parameters passed. Select one of the following options:

<VM-NAME> Starts the VM identified by the <VM-NAME> keyword. Specify the VM name. adsp Starts the ADSP VM team-urc Starts the VM TEAM-URC team-rls Starts the VM TEAM-RLS team-vowlan Starts the VM TEAM-VoWLAN The following keywords are common to all of the above parameters:

on <DEVICE-NAME> Optional. Executes the command on a specified device or devices

<DEVICE-NAME> Specify the service platform name. In case of multiple devic-

es, list the device names separated by commas. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 129 PRIVILEGED EXEC MODE COMMANDS virtual-machine stop [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan]

{on <DEVICE-NAME>}

virtual-machine stop hard Stops the VM, based on the parameters passed. Select one of the following options:

<VM-NAME> Stops the VM identified by the <VM-NAME> keyword. Specify the VM name. ADSP Stops the ADSP VM team-urc Stops the VM TEAM-URC team-rls Stops the VM TEAM-RLS team-vowlan Stops the VM TEAM-VoWLAN The following keywords are common to all of the above parameters:

on <DEVICE-NAME> Optional. Executes the command on a specified device or devices

<DEVICE-NAME> Specify the service platform name. In case of multiple de-

vices, list the device names separated by commas. Note: The option hard forces the selected VM to shutdown. virtual-machine uninstall [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan]

{on <DEVICE-NAME>}

virtual-machine uninstall Uninstalls the specified VM

<VM-NAME> Uninstalls the VM identified by the <VM-NAME> keyword. Specify the VM name. ADSP Uninstalls the ADSP VM team-urc Uninstalls the VM TEAM-URC team-rls Uninstalls the VM TEAM-RLS team-vowlan Uninstalls the VM TEAM-VoWLAN The following keywords are common to all of the above parameters:

on <DEVICE-NAME> Optional. Executes the command on a specified device or devices

<DEVICE-NAME> Specify the service platform name. In case of multiple de-

vices, list the device names separated by commas. Note: This command releases the VMs resources, such as memory, VCPUS, VNC port, disk space, and removes the RF Domain reference from the system. virtual-machine volume-group [add-drive|resize-drive] <BLOCK-DEVICE-LABEL>]

virtual-machine volume-group [add-

drive|resize-drive]

<BLOCK-DEVICE-

LABEL>]

Enables provisioning of logical volume-groups on the VX9000 platform. Logical volume-groups are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives. However, volume-groups can be provisioned only on new VX9000 installation and cannot be added to existing VX9000 installation. Note: The logical volume-group is supported only on a VX9000 running the WiNG 5.9.1 image. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 130 PRIVILEGED EXEC MODE COMMANDS add-drive Adds a new block-device to the VM. Note, currently a maximum of 3

(three) block devices can be added. To add a new drive, first halt the VM, In the Hypervisor, add a new storage disk to the VM and restart the VM. Once the VM comes up, use this command to add the new drive. To identify the new drive execute the show > virtual-machine > volume-group > status command. resize-drive - Resizes a drive in the VMs volume group. To increase the size of a drive in the volume-group, first halt the VM. In the Hypervisor, increase the size of the existing secondary storage drive and restart the VM. Once the VM comes up, use this command to resize the drive. To identify the drive with the additional free space, execute the show > virtual-machine > volume-group > status command. The following keyword is common to all of the above parameters:

<BLOCK-DEVICE-LABEL> Specify the block-device label to be added or resized depending on the action being performed. virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-

DEVICE-LABEL>]

virtual-machine volume-group replace-

drive <BLOCK-DEVICE-

LABEL> <NEW-BLOCK-

DEVICE-LABEL>]

Enables provisioning of VMs as logical volume-groups on the VX9000 platform. Logical volume-group VMs are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives. replace-drive Replaces an existing block-device with a new block-device in a volume-group. To replace a drive in the volume-group, first halt the VM. In the Hypervisor, add the new drive and restart the VM. Once the VM comes up, use this command to replace an existing drive with the new drive. To identify the drive with the additional free space, execute the show > virtual-machine > volume-group >

status command

<BLOCK-DEVICE-LABEL> Specify the block-device label to be replaced.

<BLOCK-DEVICE-LABEL> Specify the replacement block-device label. virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>]

virtual-machine volume-group resize-

volume-group <BLOCK-

DEVICE-LABEL>]

Enables provisioning of VMs as logical volume-groups on the VX9000 platform. Logical volume-group VMs are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives resize-volume-group Adds drive space to an existing block-device in the volume-

group

<BLOCK-DEVICE-LABEL> Specify the block-device label to which additional drive space is to be provided Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 131 Example PRIVILEGED EXEC MODE COMMANDS The following examples show the VM installation process:

Insatllation media: USB

<DEVICE>#virtual-machine install <VM-NAME> type iso disk-size 8 install-media usb1://vms/win7.iso autostart start memory 512 vcpus 3 vif-count 2 vnc enable Installation media: pre-installed disk image

<DEVICE>#virtual-machine install <VM-NAME> type disk install-media flash:/vms/

win7_disk.img autostart start memory 512 vcpus 3 vif-count 2 vnc-enable on

<DEVICE-NAME>

In the preceding example, the command is executed on the device identified by the

<DEVICE-NAME> keyword. In such a scenario, the disk-size is ignored if specified. The VM has the install media as first boot device. Installation media: VM archive

<DEVICE>#virtual-machine install type vm-archive install-media flash:/vms/<VM-

NAME> vcpus 3 In the preceding example, the default configuration attached with the VM archive overrides any parameters specified. Exporting an installed VM:

<DEVICE>#virtual-machine export <VM-NAME> <URL> on <DEVICE-NAME>

In the preceding example, the command copies the VM archive on to the URL (VM should be in stop state). nx9500-6C8809#virtual-machine install team-urc Virtual Machine install team-urc command successfully sent. nx9500-6C8809#

vx9000-DE6F97>cirtual-machine add-drive sdb vx9000-DE6F97>show virtual-machine volume-group status

-----------------------------------------

Logical Volume: lv1

-----------------------------------------

STATUS : available SIZE : 81.89 GiB VOLUME GROUP : vg0 PHYSICAL VOLUMES :

sda10 : 73.90 GiB sdc1 : 8.00 GiB AVAILABLE DISKS :

sdb : size: 8590MB

-----------------------------------------

* indicates a drive that must be resized

-----------------------------------------

vx9000-DE6F97#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 132 PRIVILEGED EXEC MODE COMMANDS 3.1.59 watch Privileged Exec Mode Commands Repeats a specified CLI command at periodic intervals Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax watch <1-3600> <LINE>

Parameters watch <1-3600> <LINE>

watch <1-3600>

<1-3600>

<LINE>

Example Repeats a CLI command at a specified interval Select an interval from 1 - 3600 seconds. Pressing CTRL-Z halts execution of the command. Specify the CLI command name. rfs6000-81742D#watch 1 show clock rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 133 PRIVILEGED EXEC MODE COMMANDS 3.1.60 exit Privileged Exec Mode Commands Ends the current CLI session and closes the session window For more information, see exit. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax exit Parameters None Example rfs6000-81742D#exit Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 134 PRIVILEGED EXEC MODE COMMANDS 3.1.61 raid Privileged Exec Mode Commands Enables Redundant Array of Independent Disks (RAID) management RAID is a group of one or more independent, physical drives, referred to as an array or drive group, These physically independent drives are linked together and appear as a single storage unit or multiple virtual drives. Replacing a single, large drive system with an array, improves performance (input and output processes are faster) and increases fault tolerance within the data storage system. In an array, the drives can be organized in different ways, resulting in different RAID types. Each RAID type is identified by a number, which determines the RAID level. The common RAID levels are 0, 00, 1, 5, 6, 50 and 60. The WiNG MegaRAID implementation supports RAID-1, which provides data mirroring, but does not support data parity. RAID-1 consists of a two-drive array, where the data is simultaneously written on both drives, ensuring total data redundancy. In case of a drive failure the information on the other drive is used to rebuild the failed drive. An array is said to be degraded when one of its drives has failed. A degraded array continues to function and can be rebooted using the one remaining functional drive. When a drive fails, the chassis sounds an alarm (if enabled), and the CLI prompt changes to RAID degraded. The failed drive is automatically replaced with a hot spare (provided a spare is installed). The spare is used to re-build the array. Use this command to:

Verify the current array status Start and monitor array consistency checks Retrieve date and time of the last consistency check Shut down drives before physically removing them Install new drives Assign drives as hot spares Identify a degraded drive Deactivate an alarm (triggered when a drive is removed from the array) Supported in the following platforms:

Service Platforms NX7530, NX9500, NX9510 NOTE: RAID controller drive arrays are available within NX7530 and NX95XX series service platforms (NX9500 and NX9510 models) only. However, they can be administrated on behalf of a NX9500 profile by a different model service platform or controller. The NX9500 service platform includes a single Intel MegaRAID controller, configured to provide a single virtual drive. This virtual drive is of the RAID-1 type, and has a maximum of two physical drives. In addition to these two drives, there are three hot spares, which are used in case of a primary drive failure. Syntax raid [check|install|locate|remove|silence|spare]

raid [check|silence]

raid [install|locate|remove|spare] drive <0-4>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 135 PRIVILEGED EXEC MODE COMMANDS Parameters raid [check|silence]

check silence Starts a consistency check on the RAID array. Use the show > raid command to view consistency check status. A consistency check verifies the data stored in the array. When regularly executed, it helps protect against data corruption, and ensures data redundancy. Consistency checks also warn of potential disk failures. Deactivates an alarm When enabled, an audible alarm is triggered when a drive in the array fails. The silence command deactivates the alarm (sound). Note: To enable RAID alarm, in the device configuration mode, use the raid > alarm >

enable command. A NX9500 profile can also have the RAID alarm feature activated. For more information on the enabling RAID alarm, see raid. raid [install|locate|remove|spare] drive <0-4>

install <0-4>

locate <0-4>

remove <0-4>

spare <0-4>

Installs a new drive, inserted in one of the available slots, in the array. Specify the drive number. Drives 0 and 1 are the array drives. Drives 2, 3, and 4 are the hot spare drives. You can include the new drive in a degraded array, or enable it as a hot spare. If the array is in a degraded state, the re-build process is triggered and the new drive is used to repair the degraded array. Enables LEDs to blink on a specified drive. Specify the drive number. Blinking LEDs enable you correctly locate a drive. Removes (shuts downs) a disk from the array, before it is physically removed from its slot. Specify the drive number containing the disk. Use this command to also remove a hot spare. Converts an unused drive into a hot spare. Specify the drive number. Example nx9500-6C874D#raid install drive 0 Error: Input Error: Drive 0 is already member of array, can't be added nx9500-6C874D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 136 4 GLOBAL CONFIGURATION COMMANDS This chapter summarizes the global-configuration commands in the CLI command structure. The term global indicates characteristics or features effecting the system as a whole. Use the Global Configuration Mode to configure the system globally, or enter specific configuration modes to configure specific elements (such as interfaces or protocols). Use the configure terminal command (under PRIV EXEC) to enter the global configuration mode. The following example describes the process of entering the global configuration mode from the PRIV EXEC mode:

<DEVICE>#configure terminal

<DEVICE>(config)#

NOTE: The system prompt changes to indicate you are now in the global configuration mode. The prompt consists of the device host name followed by (config) and a pound sign (#). Commands entered in the global configuration mode update the running configuration file as soon as they are entered. However, these changes are not saved in the startup configuration file until a commit write memory command is issued.

<DEVICE>(config)#?

Global configuration commands:

aaa-policy Configure a authentication/accounting/authorization policy aaa-tacacs-policy Configure an authentication/accounting/authorization TACACS policy alias Alias ap621 AP621 access point ap622 AP622 access point ap650 AP650 access point ap6511 AP6511 access point ap6521 AP6521 access point ap6522 AP6522 access point ap6532 AP6532 access point ap6562 AP6562 access point ap71xx AP71XX access point ap7502 AP7502 access point ap7522 AP7522 access point ap7532 AP7532 access point ap7562 AP7562 access point ap7602 AP7602 access point ap7612 AP7612 access point ap7622 AP7622 access point ap7632 AP7632 access point ap7662 AP7662 access point ap81xx AP81XX access point ap82xx AP82XX access point ap8432 AP8432 access point ap8533 AP8533 access point application Configure an application application-group Configure an application-group application-policy Configure an application policy association-acl-policy Configure an association acl policy auto-provisioning-policy Configure an auto-provisioning policy bgp BGP Configuration bonjour-gw-discovery-policy Bonjour Gateway discovery policy bonjour-gw-forwarding-policy Bonjour Gateway forwarding policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 1 GLOBAL CONFIGURATION COMMANDS bonjour-gw-query-forwarding-policy Bonjour Gateway Query forwarding policy captive-portal Configure a captive portal clear Clear client-identity Client identity (DHCP Device Fingerprinting) client-identity-group Client identity group (DHCP Fingerprint Database) clone Clone configuration object crypto-cmp-policy CMP policy customize Customize the output of summary cli commands database-client-policy Configure database client policy database-policy Configure database policy device Configuration on multiple devices device-categorization Configure a device categorization object dhcp-server-policy DHCP server policy dhcpv6-server-policy DHCPv6 server related configuration dns-whitelist Configure a whitelist event-system-policy Configure a event system policy ex3500 Ex3500 device ex3500-management-policy Configure a ex3500 management policy ex3500-qos-class-map-policy Configure a ex3500 qos class-map policy ex3500-qos-policy-map Configure a ex3500 qos policy-map ex3524 EX3524 wireless controller ex3548 EX3548 wireless controller firewall-policy Configure firewall policy global-association-list Configure a global association list guest-management Configure a guest management policy help Description of the interactive help system host Enter the configuration context of a device by specifying its hostname igmp-snoop-policy Create igmp snoop policy inline-password-encryption Store encryption key in the startup configuration file ip Internet Protocol (IP) ipv6 Internet Protocol version 6 (IPv6) ipv6-router-advertisement-policy IPv6 Router Advertisement related configuration l2tpv3 L2tpv3 tunnel protocol mac MAC configuration management-policy Configure a management policy meshpoint Create a new MESHPOINT or enter MESHPOINT configuration context for one or more MESHPOINTs meshpoint-qos-policy Configure a meshpoint quality-of-service policy mint-policy Configure the global mint policy nac-list Configure a network access control list no . nsight-policy Configure a Nsight policy nx45xx NX45XX integrated services platform nx5500 NX5500 wireless controller nx65xx NX65XX integrated services platform nx75xx NX75XX wireless controller nx9000 NX9000 wireless controller passpoint-policy Configure a passpoint policy password-encryption Encrypt passwords in configuration profile Profile related commands - if no parameters are given, all profiles are selected radio-qos-policy Configure a radio quality-of-service policy radius-group Configure radius user group parameters radius-server-policy Create device onboard radius policy radius-user-pool-policy Configure Radius User Pool rename Clone configuration object replace Replace configuration object Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 2 GLOBAL CONFIGURATION COMMANDS rf-domain Create a RF Domain or enter rf-domain context for one or more rf-domains rfs4000 RFS4000 wireless controller rfs6000 RFS6000 wireless controller rfs7000 RFS7000 wireless controller roaming-assist-policy Configure a roaming-assist policy role-policy Role based firewall policy route-map Dynamic routing route map Configuration routing-policy Policy Based Routing Configuration rtl-server-policy Configure a rtl server policy schedule-policy Configure a schedule policy self Config context of the device currently logged into sensor-policy Configure a sensor policy smart-rf-policy Configure a Smart-RF policy t5 T5 DSL switch url-filter Configure a url filter url-list Configure a URL list vx9000 VX9000 wireless controller web-filter-policy Configure a web filter policy wips-policy Configure a wips policy wlan Create a new WLAN or enter WLAN configuration context for one or more WLANs wlan-qos-policy Configure a wlan quality-of-service policy write Write running configuration to memory or terminal clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode revert Revert changes service Service Commands show Show running system information

<DEVICE>(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 3 GLOBAL CONFIGURATION COMMANDS 4.1 Global Configuration Commands GLOBAL CONFIGURATION COMMANDS The following table summarizes Global Configuration mode commands:

Table 4.1 Global Config Commands Command aaa-policy aaa-tacacs-policy alias ap6521 ap6522 ap6532 ap6562 ap71xx ap7502 ap7522 ap7532 ap7562 ap7602 ap7612 ap7622 ap7632 ap7662 ap81xx ap82xx ap8432 ap8533 application Description Creates a AAA policy and enters its configuration mode. This policy enables administrators to define access control within the network. Creates a AAA-TACACS policy and enters its configuration mode. This policy provides access control to network devices such as routers, network access servers, and other computing devices through centralized servers. Creates various types of aliases, such as network, VLAN, network-

group, network-service, encrypted-string, hashed -string, etc. Adds an AP6521 to the network Adds an AP6522 to the network Adds an AP6532 to the network Adds an AP6562 to the network Adds an AP7161 to the network Adds an AP7502 to the network Adds an AP7522 to the network Adds an AP7532 to the network Adds an AP7562 to the network Adds an AP7602 to the network Adds an AP7612 to the network Adds an AP7622 to the network Adds an AP7632 to the network Adds an AP7662 to the network Adds an AP81XX to the network Adds an AP82XX to the network Adds an AP8432 to the network Adds an AP8533 to the network Creates an application definition and enters its configuration mode. This command allows you to create a customized application detection definition. application-group Creates an application group and enters its configuration mode application-policy Creates an application policy and enters its configuration mode. This policy defines the actions executed on recognized HTTP (e.g. Facebook), enterprise (e.g. Webex) and peer-to-peer (e.g. gaming) applications or application-categories. Reference page 4-9 page 4-20 page 4-11 page 4-22 page 4-23 page 4-24 page 4-25 page 4-26 page 4-27 page 4-28 page 4-29 page 4-30 page 4-31 page 4-32 page 4-33 page 4-34 page 4-35 page 4-36 page 4-37 page 4-38 page 4-39 page 4-40 page 4-48 page 4-55 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 4 GLOBAL CONFIGURATION COMMANDS Table 4.1 Global Config Commands Command association-acl-

policy auto-provisioning-

policy bgp bonjour-gw-

discovery-policy bonjour-gw-

forwarding-policy bonjour-gw-

query-forwarding-

policy captive portal clear client-identity Description Creates an association ACL policy and enters its configuration mode. This policy restricts access by specifying a client MAC address or range of addresses to either include or exclude from WLAN connectivity. Creates an auto provisioning policy and enters its configuration mode. This policy defines the process by which an access point discovers controllers and associates with it. Configures Border Gateway Protocol (BGP) settings Creates a Bonjour GW Discovery policy and enters its configuration mode. This policy configures the VLANs on which Bonjour services are located. Configures a Bonjour GW Forwarding policy and enters its configuration mode. This policy enables the discovery of services on VLANs not visible to the device running the Bonjour Gateway. Creates a Bonjour GW Query Forwarding policy and enters its configuration mode. This policy enables Bonjour query forwarding across multiple VLANs. Creates a captive portal and enters its configuration mode Clears the event history Creates a client identity definition and enters its configuration mode. This feature enables client identification through DHCP device fingerprinting. Creates a new client identity group and enters its configuration mode client-identity-

group clone crypto-cmp-policy Creates a crypto Certificate Management Protocol (CMP) policy and Clones a specified configuration object customize database-client-

policy database-policy device device-

categorization enters its configuration mode. CMP is an Internet protocol designed to obtain and manage digital certificates in a Public Key Infrastructure

(PKI) network. Customizes the CLI command summary output Creates a database client policy and enters its configuration mode. The database client policy configures the IP address or hostname of the VX9000 hosting the captive-portal/NSight database. Use this option when deploying a split NSight/EGuest deployment. Creates a database policy and enters its configuration mode. This policy enables the database, and also configures the database replica set. Specifies configuration on multiple devices Creates a device categorization list and enters its configuration mode. The list categorizes devices as sanctioned or neighboring. Categorization of devices enables quick identification and blocking of unsanctioned devices in the network. Reference page 4-78 page 4-79 page 4-81 page 4-84 page 4-90 page 4-92 page 4-93 page 4-146 page 4-147 page 4-156 page 4-164 page 4-165 page 4-166 page 4-177 page 4-184 page 4-192 page 4-194 dhcp-server-policy Creates a DHCP server policy and enters its configuration mode. This policy allows hosts on an IP network to request and be assigned IP addresses and discover information about the network. page 4-200 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 5 GLOBAL CONFIGURATION COMMANDS Command dhcpv6-server-

policy dns-whitelist event-system-

policy ex3500 ex3500-

management-

policy ex3500-qos-class-

map-policy ex3500-qos-

policy-map ex3524 ex3548 firewall-policy global-association-

list guest-

management host inline-password-

encryption ip ipv6 ipv6-router-

advertisement-

policy l2tpv3 Table 4.1 Global Config Commands Description Creates a DHCPv6 server policy and enters its configuration mode. This policy configures hosts with IPv6 addresses, IP prefixes and other configuration attributes required on an IPv6 network. Creates a DNS whitelist and enters its configuration mode. A DNS whitelist is used with a captive portal to provide access services to requesting wireless clients. Creates an Event system policy and enters its configuration mode. This policy enables administrators to create notification mechanisms using one, some, or all of the SNMP, syslog, controller forwarding, or email notification options available to the controller or service platform. Creates an EX3500 time range list and enters its configuration mode Creates an EX3500 management policy and enters its configuration mode. This policy controls access to the EX3500 switch from management stations using SNMP. Creates an EX3500 QoS class map policy and enters its configuration mode. The QoS policy map assigns priority to mission critical EX3500 switch data traffic, prevent EX3500 switch bandwidth congestion, and prevent packet drops. Creates an EX3500 QoS policy map and enters its configuration mode. This policy defines rules that filter traffic exchanged between the EX3500 switch and its connected devices. Adds a EX3524 switch to the network Adds a EX3548 switch to the network Creates a firewall policy and enters its configuration mode. This policy configures safe guards against denial of service (DoS) attacks and packet storms. It also configures firewall parameters, such as logging, application layer gateway, TCP protocol checks, state flow checks, etc. Creates a global list of client MAC addresses Creates a guest management policy and enters its configuration mode. This policy redirects guest users to a registration portal, upon association to a captive portal Service Set Identifier (SSID). Sets the system's network name Stores the encryption key in the startup configuration file Creates a IP access control list (ACL) and/or a Simple Network Management Protocol (SNMP) ACL, and enters its configuration mode Creates a IPv6 ACL and enters its configuration mode Creates an IPv6 router advertisement (RA) policy and enters its configuration mode Creates Layer 2 Tunneling Protocol Version 3 (L2TPV3) tunnel policy and enters its configuration mode. This policy defines control and encapsulation protocols for tunneling layer 2 frames between two IP nodes. Reference page 4-201 page 4-203 page 4-209 page 4-227 page 4-233 page 4-254 page 4-262 page 4-277 page 4-279 page 4-280 page 4-282 page 4-286 page 4-297 page 4-298 page 4-299 page 4-301 page 4-302 page 4-320 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 6 Command mac management-

policy meshpoint meshpoint-qos-

policy mint-policy nac-list no nsight-policy passpoint-policy password-

encryption profile radio-qos-policy radius-group radius-server-

policy radius-user-pool-

policy rename replace rf-domain rfs4000 rfs6000 nx5500 nx75xx nx9000 roaming-assist-

policy role-policy route-map routing-policy rtl-server-policy schedule-policy GLOBAL CONFIGURATION COMMANDS Table 4.1 Global Config Commands Description Configures MAC access lists (goes to the MAC ACL mode) Creates a management policy and enters its configuration context. This policy configures services that run on a device, such as welcome messages, banners, etc. Creates a meshpoint and enters its configuration mode Creates a meshpoint quality of service (QoS) policy and enters its configuration mode Creates a MiNT security policy and enters its configuration mode Creates a network ACL and enters its configuration mode Negates a command or sets its default Creates an NSight policy and enters its configuration mode Creates a new passpoint policy and enters its configuration mode Enables password encryption Creates a device profile and enters its configuration mode Creates a radio qos policy and enters its configuration mode Creates a RADIUS group and enters its configuration mode Creates a RADIUS server policy and enters its configuration mode Reference page 4-322 page 4-323 page 4-325 page 4-327 page 4-328 page 4-329 page 4-335 page 4-339 page 4-350 page 4-352 page 4-353 page 4-357 page 4-358 page 4-359 Creates a RADIUS user pool policy and enters its configuration mode page 4-361 Renames and existing top-level object (TLO) Selects an existing device by its MAC address or hostname and replaces it with a new device having a different MAC address Creates an RF Domain and enters its configuration mode Adds an RFS4000 to the network Adds an RFS6000 to the network Adds an NX5500 to the network Adds an NX75XX to the network Adds a NX9500 or NX9510 to the network Configures a roaming assist policy and enters its configuration mode. This policy enables access points to assist wireless clients in making roaming decisions, such as which access point to connect, etc. Creates a role policy and enters its configuration mode Creates a dynamic BGP route map and enters its configuration mode Creates a routing policy and enters its configuration mode Creates an RTL server policy and enters its configuration mode. The RTL server policy provides the exact location (URL) at which the Euclid server can be reached. Creates a schedule policy and enters its configuration mode page 4-362 page 4-364 page 4-366 page 4-404 page 4-403 page 4-405 page 4-406 page 4-407 page 4-408 page 4-410 page 4-411 page 4-412 page 4-413 page 4-419 4 - 7 Access Point, Wireless Controller and Service Platform CLI Reference Guide GLOBAL CONFIGURATION COMMANDS Table 4.1 Global Config Commands Command self sensor-policy smart-rf-policy t5 web-filter-policy wips-policy wlan wlan-qos-policy url-filter url-list vx9000 Description Displays a logged devices configuration context Creates a sensor policy and enters its configuration mode Creates a Smart RF policy and enters its configuration mode Configures a t5 wireless controller. This command is applicable only on the RFS4000, RFS6000, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, and VX9000 platforms. Creates a Web Filtering policy and enters its configuration mode Creates a WIPS policy and enters its configuration mode Creates a Wireless Local Area Network (WLAN) and enters its configuration mode Creates a WLAN QoS policy and enters its configuration mode Creates an URL filter and enters its configuration mode. URL filtering is a licensed feature. Creates an URL list and enters its configuration mode. Configures a Virtual WLAN Controller (V-WLC) in a virtual machine

(VM) environment Reference page 4-426 page 4-427 page 4-436 page 4-438 page 4-440 page 4-451 page 4-452 page 4-549 page 4-551 page 4-565 page 4-571 NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS. NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 8 GLOBAL CONFIGURATION COMMANDS 4.1.1 aaa-policy Global Configuration Commands Configures an Authentication, Accounting, and Authorization (AAA) policy. Network administrators can use an AAA policy to define access control within the network. A controller, service platform, or access point can interoperate with external RADIUS and LDAP servers

(AAA Servers) to provide an additional user database and authentication resource. Each WLAN can maintain its own unique AAA configuration. Up to six servers can be configured for providing AAA services. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax aaa-policy <AAA-POLICY-NAME>

Parameters aaa-policy <AAA-POLICY-NAME>

<AAA-POLICY-NAME>

Specify the AAA policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#aaa-policy test rfs6000-81742D(config-aaa-policy-test)#?

AAA Policy Mode commands:

accounting Configure accounting parameters attribute Configure RADIUS attributes in access and accounting requests authentication Configure authentication parameters health-check Configure server health-check parameters mac-address-format Configure the format in which the MAC address must be filled in the Radius-Request frames no Negate a command or set its defaults proxy-attribute Configure radius attribute behavior when proxying through controller or rf-domain-manager server-pooling-mode Configure the method of selecting a server from the pool of configured AAA servers use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-aaa-policy-test)#

Related Commands no Removes an existing AAA policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 9 GLOBAL CONFIGURATION COMMANDS NOTE: For more information on the AAA policy commands, see Chapter 8, AAA-

POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 10 GLOBAL CONFIGURATION COMMANDS 4.1.2 alias Global Configuration Commands Configures the following types of aliases: network, VLAN, host, string, network-service, etc. Aliases are objects having a unique name and content that is determined by the alias type (network, VLAN, and network-service). A typical large enterprize network consists of multiple sites (RF Domains) having similar configuration parameters with few elements that vary, such as networks or network ranges, hosts having different IP addresses, and VLAN IDs or URLs. These elements can be defined as aliases (object oriented wireless firewalls) and used across sites by applying overrides to the object definition. Using aliases results in a configuration that is easier to understand and maintain. Multiple instances of an alias (same type and same name) can be defined at any of the following levels:

global, RF Domain, profile, or device. An alias defined globally functions as a top-level-object (TLO). An alias defined on a device is applicable to that device only. An alias defined on a profile applies to every device using the profile. Similarly, aliases defined at the RF Domain level apply to all devices within that domain. Aliases defined at any given level can be overridden at any of the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence. The different aliases types supported are:

address-range alias Maps a user-friendly name to a range of IP addresses. An address-range alias can be utilized at different deployments. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote locations network range is 172.16.13.20 through 172.16.13.110, the remote locations ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range. A new ACL need not be created specifically for the remote deployment location. host alias Maps a user-friendly name to a specific host (identified by its IP address. For example, 192.168.10.23). A host alias can be utilized at different deployments. For example, if a central network DNS server is set a static IP address, and a remote locations local DNS server is defined, this host can be overridden at the remote location. At the remote location, the network is functional with a local DNS server, but uses the name set at the central network. A new host need not be created at the remote location. This simplifies creating and managing hosts and allows an administrator to better manage specific local requirements. network alias Maps a user-friendly name to a network. A network alias can be utilized at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote locations network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit their local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment. This simplifies ACL definition and allows an administrator to better manage specific local requirements. network-group alias Maps a user-friendly name to a single or a range of addresses of devices, hosts, and network configurations. Network configurations are complete networks in the form 192.168.10.0/24 or IP address range in the form 192.168.10.10-192.168.10.20. A network-group alias can contain a maximum of eight (8) host entries, eight (8) network entries, and eight (8) IP address-range entries. A maximum of 32 network-group alias entries can be created. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 11 GLOBAL CONFIGURATION COMMANDS A network-group alias can be used in IP firewall rules to substitute hosts, subnets, and IP address ranges. network-service alias Maps a user-friendly name to service protocols and ports. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network-service alias. When used with an ACL, the network-service alias defines the service-

specific components of the ACL rule. Overrides can be applied to the service alias, at the device level, without modifying the ACL. Application of overrides to the service alias allows an ACL to be used across sites. Use a network-service alias to associate more than one IP address to a network interface, providing multiple connections to a network from a single IP node. number alias Maps a user-friendly name to a number vlan alias Maps a user-friendly name to a VLAN ID. A VLAN alias can be used at different deployments. For example, if a named VLAN is defined as 10 for the central network, and the VLAN is set at 26 at a remote location, the VLAN can be overridden at the deployment location with an alias. At the remote deployment location, the network is functional with a VLAN ID of 26, but utilizes the name defined at the centrally managed network. A new VLAN need not be created specifically for the remote deployment. string alias Maps a user-friendly name to a specific string (for example, RF Domain name). A string alias can be utilized at different deployments. For example, if the main domain at a remote location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain. encrypted-string alias Maps a user-friendly name to a string value. The string value of this alias is encrypted when "password-encryption" is enabled. Encrypted-string aliases can be used for string configuration parameters that are encrypted by the "password-encryption" feature. hashed-string alias Maps a user-friendly name to a hashed-string value. Hashed-string aliases can be used for string configuration parameters that are hashed, such as passwords. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax alias [address-range|encrypted-string|hashed-string|host|network|network-group|

network-service|number|string|vlan]

alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>

alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>

alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>

alias host <HOST-ALIAS-NAME> <HOST-IP>

alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>

alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 12 GLOBAL CONFIGURATION COMMANDS alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to

<ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network

<NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]

alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|

gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|

ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport|ssh|telnet|tftp|www)}

alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|

gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|

ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|

tftp|www)}

alias number <NUMBER-ALIAS-NAME> <0-4294967295>

alias string <STRING-ALIAS-NAME> <LINE>

alias vlan <VLAN-ALIAS-NAME> <1-4094>

Parameters alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>

address-range

<ADDRESS-RANGE-

ALIAS-NAME>

<STARTING-IP>

to <ENDING-IP>

Creates an address-range alias, defining a range of IP addresses

<ADDRESS-RANGE-ALIAS-NAME> Specify the address-range alias name. Alias name should begin with $. Associates a range of IP addresses with this address-range alias

<STARTING-IP> Specify the first IP address in the range. to <ENDING-IP> Specify the last IP address in the range. alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>

encrypted-string

<ENCRYPTED-

STRING-ALIAS-

NAME>

[0|2] <LINE>

Creates an alias for an encrypted string. Use this alias for string configuration values that are encrypted when "password-encryption" is enabled. For example, in the management-policy, use it to define the SNMP community string. For more information, see snmp-server.

<ENCRYPTED-STRING-ALIAS-NAME> Specify the encrypted-string alias name. Alias name should begin with $. Configures the value associated with the alias name specified in the previous step

[0|2] <LINE> Configures the alias value Note, if password-encryption is enabled, in the show > running-config output, this clear text is displayed as an encrypted string, as shown below:

nx9500-6C8809(config)#show running-config

!............................... alias encrypted-string $enString 2 fABMK2is7UToNiZE3MQXbgAAAAxB0ZIysdqsEJwr6AH/Da//

!

--More--

nx9500-6C8809 In the above show > running-config output, the 2 displayed before the encrypted-

string alias value indicates that the displayed text is encrypted and not a clear text. Cotnd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 13 GLOBAL CONFIGURATION COMMANDS However, if password-encryption is disabled the clear text is displayed as is:

nx9500-6C8809(config)#show running-config

!...............................

!

alias encrypted-string $enString 0 test11223344

!

--More--

nx9500-6C8809 For more information on enabling password-encryption, see password-encryption. alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>

hashed-string

<HASHED-STRING-

ALIAS-NAME>

<LINE>

Creates an alias for a hashed string. Use this alias for configuration values that are hashed strings, such as passwords. For example, in the management-policy, use it to define the privilege mode password. For more information, see .

<HASHED-STRING-ALIAS-NAME> Specify the hashed-string alias name. Alias name should begin with $. Configures the hashed-string value associated with this alias. nx9500-6C8809(config)#show running-config

!

alias encrypted-string $WRITE 2 sBqVCDAoxs3oByF5PCSuFAAAAAd7HT2+EiT/l/BXm9c4SBDv

!

alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ec fc75 0--More--

nx9500-6C8809 In the above show > running-config output, the 1 displayed before the hashed-string alias value indicates that the displayed text is hashed and not a clear text. alias host <HOST-ALIAS-NAME> <HOST-IP>

host

<HOST-ALIAS-NAME>

<HOST-IP>

Creates a host alias, defining a single network host

<HOST-ALIAS-NAME> Specify the host alias name. Alias name should begin with $. Associates the network hosts IP address with this host alias. For example, alias host

$HOST 1.1.1.100. In this example, the host alias name is: $HOST and the host IP address it is mapped to is: 1.1.1.100.

<HOST-IP> Specify the network hosts IP address. network

<NETWORK-ALIAS-

NAME>

alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>

Creates a network alias, defining a single network address

<NETWORK-ALIAS-NAME> Specify the network alias name. Alias name should begin with $. Associates a single network with this network alias. For example, alias network $NET 1.1.1.0/24. In this example, the network alias name is: $NET and the network it is mapped to is: 1.1.1.0/24.

<NETWORK-ADDRESS/MASK> Specify the networks address and mask.

<NETWORK-

ADDRESS/MASK>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 14 GLOBAL CONFIGURATION COMMANDS alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to

<ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|

network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]

network

<NETWORK-GROUP-

ALIAS-NAME>

address-range

<STARTING-IP>

to <ENDING-IP>

{<STARTING-IP>

to <ENDING-IP>}

host <HOST-IP>

{<HOST-IP>}

Creates a network-group alias

<NETWORK-GROUP-ALIAS-NAME> Specify the network-group alias name. Alias name should begin with $. The network-group aliases are used in ACLs, to define the network-specific components. ACLs using aliases can be used across sites by re-defining the network-

group alias elements at the device or profile level. After specifying the name, specify the following: a range of IP addresses, host addresses, or a range of network addresses. Associates a range of IP addresses with this network-group alias

<STARTING-IP> Specify the first IP address in the range. to <ENDING-IP> Specify the last IP address in the range.

<STARTING-IP> to <ENDING-IP> Optional. Specifies more than one range of IP addresses. A maximum of eight (8) IP address ranges can be configured. Associates a single or multiple hosts with this network-group alias

<HOST-IP> Specify the hosts IP address.

<HOST-IP> Optional. Specifies more than one host. A maximum of eight (8) hosts can be configured. network <NETWORK-

ADDRESS/MASK>

{<NETWORK-

ADDRESS/MASK>}

Associates a single or multiple networks with this network-group alias

<NETWORK-ADDRESS/MASK> Specify the networks address and mask.

<NETWORK-ADDRESS/MASK> Optional. Specifies more than one network. A maximum of eight (8) networks can be configured. alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|

eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|

https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|

tftp|www)}

alias network-service

<NETWORK-

SERVICE-ALIAS-

NAME>

proto [<0-254>|

<WORD>|eigrp|gre|

igmp|igp|ospf|vrrp]

Configures an alias that specifies available network services and the corresponding source and destination software ports

<NETWORK-SERVICE-ALIAS-NAME> Specify a network-service alias name. Alias name should begin with $. Network-service aliases are used in ACLs, to define the service-specific components. ACLs using aliases can be used across sites by re-defining the network-service alias elements at the device or profile level. Use one of the following options to associate an Internet protocol with this network-

service alias:

<0-254> Identifies the protocol by its number. Specify the protocol number from 0

- 254. This is the number by which the protocol is identified in the Protocol field of the IPv4 header and the Next Header field of IPv6 header. For example, the User Datagram Protocols (UDP) designated number is 17.

<WORD> Identifies the protocol by its name. Specify the protocol name. eigrp Selects Enhanced Interior Gateway Routing Protocol (EIGRP). The protocol number 88. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 15

{(<1-65535>|

<WORD>|

bgp|dns|ftp|ftp-data|

gopher|https|ldap|

nntp|ntp|pop3|proto|

sip|smtp|sourceport

[<1-65535>|

<WORD>]|ssh|telnet|

tftp|www)}

GLOBAL CONFIGURATION COMMANDS gre Selects Generic Routing Encapsulation (GRE). The protocol number is 47. igmp Selects Internet Group Management Protocol (IGMP). The protocol number is 2. igp Selects Interior Gateway Protocol (IGP). The protocol number is 9. ospf Selects Open Shortest Path First (OSPF). The protocol number is 89. vrrp Selects Virtual Router Redundancy Protocol (VRRP). The protocol number is 112. After specifying the protocol, you may configure a destination port for this service. These keywords are recursive and you can configure multiple protocols and associate multiple destination and source ports.

<1-65535> Optional. Configures a destination port number from 1 - 65535

<WORD> Optional. Identifies the destination port by the service name provided. For example, the secure shell (SSH) service uses TCP port 22. bgp Optional. Configures the default Border Gateway Protocol (BGP) services port

(179) dns Optional. Configures the default Domain Name System (DNS) services port (53) ftp Optional. Configures the default File Transfer Protocol (FTP) control services port

(21) ftp-data Optional. Configures the default FTP data services port (20) gopher Optional. Configures the default gopher services port (70) https Optional. Configures the default HTTPS services port (443) ldap Optional. Configures the default Lightweight Directory Access Protocol (LDAP) services port (389) nntp Optional. Configures the default Newsgroup (NNTP) services port (119) ntp Optional. Configures the default Network Time Protocol (NTP) services port

(123) POP3 Optional. Configures the default Post Office Protocol (POP3) services port

(110) proto Optional. Use this option to select another Internet protocol in addition to the one selected in the previous step. sip Optional. Configures the default Session Initiation Protocol (SIP) services port

(5060) smtp Optional. Configures the default Simple Mail Transfer Protocol (SMTP) services port (25) sourceport [<1-65535>|<WORD>] Optional. After specifying the destination port, you may specify a single or range of source ports.

<1-65535> Specify the source port from 1 - 65535.

<WORD> Specify the source port range, for example 1-10. ssh Optional. Configures the default SSH services port (22) telnet Optional. Configures the default Telnet services port (23) tftp Optional. Configures the default Trivial File Transfer Protocol (TFTP) services port (69) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 16 GLOBAL CONFIGURATION COMMANDS alias number <NUMBER-ALIAS-NAME> <0-4294967295>

alias number

<NUMBER-ALIAS-

NAME> <0-

4294967295>

Creates a number alias identified by the <NUMBER-ALIAS-NAME> keyword. Number aliases map a name to a numeric value. For example, alias number $NUMBER 100 The number alias name is: $NUMBER The value assigned is: 100 The value referenced by alias $NUMBER, wherever used, is 100.

<NUMBER-ALIAS-NAME> Specify the number alias name.

<0-4294967295> Specify the number, from 0 - 4294967295, assigned to the number alias created. Alias name should begin with $. alias string <STRING-ALIAS-NAME> <LINE>

alias string

<STRING-ALIAS-

NAME>

Creates a string alias identified by the <STRING-ALIAS-NAME> keyword

<STRING-ALIAS-NAME> Specify the string alias name.

<LINE> Specify the string value associated with the specified <STRING-ALIAS-

NAME> keyword. String aliases map a name to an arbitrary string value. For example, alias string

$DOMAIN test.example_company.com. The string alias name is: $DOMAIN The value assigned is: test.example_company.com (a domain name) The value referenced by alias $DOMAIN, wherever used, is test.example_company.com. Alias name should begin with $. You can also use a string alias to configure the Bonjour Service instance name. Once configured, use the string alias in the Bonjour Gateway Discovery Policy context to specify the Bonjour service instance name to be used as the match criteria. For more information, see allow-service. alias vlan <VLAN-ALIAS-NAME> <1-4094>

alias vlan

<VLAN-ALIAS-NAME>

<1-4094>

Creates a VLAN alias identified by the <VLAN-ALIAS-NAME> keyword

<VLAN-ALIAS-NAME> Specify the VLAN alias name. Alias name should begin with $. Maps the VLAN alias to a VLAN ID

<1-4094> Specify the VLAN ID from 1 - 4094. Example rfs4000-229D58(config)##alias address-range $AddRanAlias 192.168.13.10 to 192.168.13.13 rfs4000-229D58(config)#alias network $NetworkAlias 192.168.13.0/24 rfs4000-229D58(config)#alias host $HostAlias 192.168.13.100 rfs4000-229D58(config)#alias vlan $VlanAlias 1 rfs4000-229D58(config)#alias address-range $AddRangeAlias 192.168.13.2 to 192.16 8.13.10 rfs4000-229D58(config)#alias network-service $NetServAlias proto igmp Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 17 GLOBAL CONFIGURATION COMMANDS rfs4000-229D58(config)#show running-config | include alias alias network-group $NetGrAlias address-range 192.168.13.7 to 192.168.13.9 192.168.13.20 to 192.168.13.25 alias network $NetworkAlias 192.168.13.0/24 alias host $HostAlias 192.168.13.10 alias address-range $AddRangeAlias 192.168.13.2 to 192.168.13.10 alias network-service $NetServAlias proto igmp alias vlan $VlanAlias 1 rfs4000-229D58(config)#

nx9500-6C8809(config)#alias number $NUMBER 100 nx9500-6C8809(config)#show context include-factory | include alias alias string $DOMAIN test.examplecompany.com alias string $DOMAIN2 test.example_company.com alias number $NUMBER 100 alias string $SN B4C7996C8809 nx9500-6C8809(config)#

The following examples show encrypted-string alias configuration:

nx9500-6C8809(config)#alias encrypted-string $WRITE 0 private nx9500-6C8809(config)#alias encrypted-string $READ 0 public nx9500-6C8809(config)#show context | include alias alias vlan $BLR-01 1 alias string $IN-Blr-EcoSpace-Floor-4 IBEF4 alias encrypted-string $READ 0 public alias encrypted-string $WRITE 0 private nx9500-6C8809(config)#

The following example shows the encrypted-string aliases, configured in the previous example, used in the management-policy:

nx9500-6C8809(config-management-policy-default)#snmp-server community 0 $WRITE rw nx9500-6C8809(config-management-policy-default)#snmp-server community 0 $READ ro nx9500-6C8809(config-management-policy-default)#show context management-policy default no telnet no http server https server rest-server ssh user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5 role superuser access all snmp-server community 0 $WRITE rw snmp-server community 0 $READ ro snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/

QAAAAjWNKa4KXF95pruUCSnhOiT snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/

QAAAAgc0l8ahJYo3AjHo9wXzYGo t5 snmp-server community public ro 192.168.0.1 t5 snmp-server community private rw 192.168.0.1 nx9500-6C8809(config-management-policy-default)#

The following example shows hashed-string alias configuration:

nx9500-6C8809(config)#alias hashed-string $PriMode Test12345 nx9500-6C8809(config)#show context | include alias alias vlan $BLR-01 1 alias string $IN-Blr-EcoSpace-Floor-4 IBEF4 alias encrypted-string $READ 0 public alias encrypted-string $WRITE 0 private alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75 nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 18 GLOBAL CONFIGURATION COMMANDS The following example shows the hashed-string alias, configured in the previous example, used in the management-policy:

nx9500-6C8809(config-management-policy-default)#show context management-policy default https server rest-server ssh user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5 role superuser access all snmp-server community 0 $WRITE rw snmp-server community 0 $READ ro snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/

QAAAAjWNKa4KXF95pruUCSnhOiT snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/

QAAAAgc0l8ahJYo3AjHo9wXzYGo t5 snmp-server community public ro 192.168.0.1 t5 snmp-server community private rw 192.168.0.1 privilege-mode-password $PriMode nx9500-6C8809(config-management-policy-default)#

Related Commands no Removes an existing network, VLAN, service, string, etc. alias Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 19 GLOBAL CONFIGURATION COMMANDS 4.1.3 aaa-tacacs-policy Global Configuration Commands Configures AAA Terminal Access Controller Access-Control System+ (TACACS) policy. TACACS+ is a protocol created by CISCO Systems which provides access control to network devices such as routers, network access servers and other networked computing devices through one or more centralized servers. TACACS provides separate authentication, authorization, and accounting services running on different servers. TACACS controls user access to devices and network resources while providing separate accounting, authentication, and authorization services. Some of the services provided by TACACS are:

Authorizing each command with the TACACS+ server before execution. Accounting each sessions logon and log off events. Authenticating each user with the TACACS+ server before enabling access to network resources. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax aaa-tacacs-policy <AAA-TACACS-POLICY-NAME>

Parameters aaa-tacacs-policy <AAA-TACACS-POLICY-NAME>

<AAA-TACACS-POLICY-

NAME>

Specify the AAA-TACACS policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#aaa-tacacs-policy testpolicy rfs6000-81742D(config-aaa-tacacs-policy-testpolicy)#?

AAA TACACS Policy Mode commands:

accounting Configure accounting parameters authentication Configure authentication parameters authorization Configure authorization parameters no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-aaa-tacacs-policy-testpolicy)#

Related Commands no Removes an existing AAA TACACS policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 20 GLOBAL CONFIGURATION COMMANDS NOTE: For more information on the AAA-TACACS policy commands, see Chapter 25, AAA-TACACS-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 21 GLOBAL CONFIGURATION COMMANDS 4.1.4 ap6521 Global Configuration Commands Adds an AP6521 to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP6521 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap6521 <MAC>

Parameters ap6521 <MAC>

<MAC>

Example Specify the AP6521s MAC address. nx9500-6C8809(config)#ap6521 FC-0A-81-42-93-6C nx9500-6C8809(config-device-FC-0A-81-42-93-6C)#show context ap6521 FC-0A-81-42-93-6C use profile default-ap6521 use rf-domain default hostname ap6521-42936C nx9500-6C8809(config-device-FC-0A-81-42-93-6C)#

nx9500-6C8809(config)#show wireless ap configured

--------------------------------------------------------------------------------

-------

IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY

--------------------------------------------------------------------------------

-------

1 ap6521-42936C FC-0A-81-42-93-6C default-ap6521 default B4-C7-

99-6C-88-09

--------------------------------------------------------------------------------

-------

nx9500-6C8809(config)#

Related Commands no Removes an AP6521 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 22 GLOBAL CONFIGURATION COMMANDS 4.1.5 ap6522 Global Configuration Commands Adds an AP6522 to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP6522 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap6522 <MAC>

Parameters ap6522 <MAC>

<MAC>

Example Specify the AP6522s MAC address. nx9500-6C8809(config)#ap6522 B4-C7-99-58-72-58 nx9500-6C8809(config-device-B4-C7-99-58-72-58)#show context ap6522 B4-C7-99-58-72-58 use profile default-ap6522 use rf-domain default hostname ap6522-587258 nx9500-6C8809(config-device-B4-C7-99-58-72-58)#

nx9500-6C8809(config)#show wireless ap configured

--------------------------------------------------------------------------------

-------

IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY

--------------------------------------------------------------------------------

-------

1 ap6521-42936C FC-0A-81-42-93-6C default-ap6521 default B4-C7-

99-6C-88-09 2 ap6522-587258 B4-C7-99-58-72-58 default-ap6522 default B4-C7-99-6C-

88-09

--------------------------------------------------------------------------------

-------

nx9500-6C8809(config)#

Related Commands no Removes an AP6522 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 23 GLOBAL CONFIGURATION COMMANDS 4.1.6 ap6532 Global Configuration Commands Adds an AP6532 to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP6532 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap6532 <MAC>

Parameters ap6532 <MAC>

<MAC>

Example Specify the AP6532s MAC address. nx9500-6C8809(config)#ap6532 00-23-68-31-16-59 nx9500-6C8809(config-device-B4-C7-99-58-72-58)#show context ap6532 00-23-68-31-16-59 use profile default-ap6532 use rf-domain default hostname ap6532-311659 nx9500-6C8809(config-device-00-23-68-31-16-59)#

nx9500-6C8809(config)#show wireless ap configured

--------------------------------------------------------------------------------

-------

IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY

--------------------------------------------------------------------------------

-------

1 ap6521-42936C FC-0A-81-42-93-6C default-ap6521 default B4-C7-

99-6C-88-09 2 ap6522-587258 B4-C7-99-58-72-58 default-ap6522 default B4-C7-99-6C-

88-09 3 ap6532-311659 00-23-68-31-16-59 default-ap6532 default B4-C7-99-6C-

88-09

--------------------------------------------------------------------------------

-------

nx9500-6C8809(config)#

Related Commands no Removes an AP6532 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 24 GLOBAL CONFIGURATION COMMANDS 4.1.7 ap6562 Global Configuration Commands Adds an AP6562 to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP6562 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap6562 <MAC>

Parameters ap6562 <MAC>

<MAC>

Example Specify the AP6562s MAC address. nx9500-6C8809(config)#ap6562 00-23-09-0E-12-60 nx9500-6C8809(config-device-00-23-09-0E-12-60)#show context ap6562 00-23-09-0E-12-60 use profile default-ap6562 use rf-domain default hostname ap6562-0E1260 nx9500-6C8809(config-device-00-23-09-0E-12-60)#

nx9500-6C8809(config)#show wireless ap configured

--------------------------------------------------------------------------------

-------

IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY

--------------------------------------------------------------------------------

-------

1 ap6521-42936C FC-0A-81-42-93-6C default-ap6521 default B4-C7-

99-6C-88-09 2 ap6522-587258 B4-C7-99-58-72-58 default-ap6522 default B4-C7-99-6C-

88-09 3 ap6532-311659 00-23-68-31-16-59 default-ap6532 default B4-C7-99-6C-

88-09 4 ap6562-0E1260 00-23-09-0E-12-60 default-ap6562 default B4-C7-99-

6C-88-09

--------------------------------------------------------------------------------

-------

nx9500-6C8809(config)#

Related Commands no Removes an AP6562 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 25 GLOBAL CONFIGURATION COMMANDS 4.1.8 ap71xx Global Configuration Commands Adds an AP7161 series to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP7161 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap71xx <MAC>

Parameters ap71xx <MAC>

<MAC>

Example Specify the AP7161s MAC address. nx9500-6C8809(config)#ap71xx 00-23-68-11-E6-C4 nx9500-6C8809(config-device-00-23-68-11-E6-C4)#show context ap71xx 00-23-68-11-E6-C4 use profile default-ap71xx use rf-domain TechPubs hostname ap71xx-11E6C4 no staging-config-learnt ip default-gateway 192.168.13.2 interface vlan1 ip address 192.168.13.23/24 use auto-provisioning-policy TecPubs no auto-learn staging-config adopter-auto-provisioning-policy-lookup evaluate-always nx9500-6C8809(config-device-00-23-68-11-E6-C4)#

nx9500-6C8809(config)#show wireless ap configured

--------------------------------------------------------------------------------

-------

IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY

--------------------------------------------------------------------------------

-------

1 ap71xx-11E6C4 00-23-68-11-E6-C4 default-ap71xx TechPubs un-adopted 2 ap7532-80C2AC 84-24-8D-80-C2-AC default-ap7532 TechPubs B4-C7-99-

6C-88-09 3 ap7131-9C63D4 00-23-68-9C-63-D4 default-ap71xx default un-adopted 4 t5-ED7C6C B4-C7-99-ED-7C-6C default-t5 TechPubs B4-C7-99-

6C-88-09 5 rfs4000-880DA7 00-23-68-88-0D-A7 default-rfs4000 TechPubs B4-C7-99-

6C-88-09 6 ap7131-99BB7C 00-23-68-99-BB-7C default-ap71xx TechPubs B4-C7-99-

6C-88-09

--------------------------------------------------------------------------------

-------

nx9500-6C8809(config)#

Related Commands no Removes an AP7161 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 26 GLOBAL CONFIGURATION COMMANDS 4.1.9 ap7502 Global Configuration Commands Adds an AP7502 series to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP7502 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap7502 <MAC>

Parameters ap7502 <MAC>

<MAC>

Example Specify the AP7502s MAC address. rfs6000-81742D(config)#ap7502 00-23-68-99-BF-A8 rfs6000-81742D(config-device-00-23-68-99-BF-A8)#

Related Commands no Removes an AP7502 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 27 GLOBAL CONFIGURATION COMMANDS 4.1.10 ap7522 Global Configuration Commands Adds an AP7522 series to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP7522 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap7522 <MAC>

Parameters ap7522 <MAC>

<MAC>

Example Specify the AP7522s MAC address. rfs6000-81742D(config)#ap7522 00-23-09-0E-12-63 rfs6000-81742D(config-device-00-23-09-0E-12-63)#

Related Commands no Removes an AP7522 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 28 GLOBAL CONFIGURATION COMMANDS 4.1.11 ap7532 Global Configuration Commands Adds an AP7532 series to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP7532 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap7532 <MAC>

Parameters ap7532 <MAC>

<MAC>

Example Specify the AP7532s MAC address. rfs6000-81742D(config)#ap7532 00-23-09-0E-12-71 rfs6000-81742D(config-device-00-23-09-0E-12-71)#

Related Commands no Removes an AP7532 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 29 GLOBAL CONFIGURATION COMMANDS 4.1.12 ap7562 Global Configuration Commands Adds an AP7562 series to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP7562 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap7562 <MAC>

Parameters ap7562 <MAC>

<MAC>

Example Specify the AP7562s MAC address. rfs6000-81742D(config)#ap7562 84-24-8D-80-C2-AC rfs6000-81742D(config-device-84-24-8D-80-C2-AC)#

Related Commands no Removes an AP7562 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 30 GLOBAL CONFIGURATION COMMANDS 4.1.13 ap7602 Global Configuration Commands Adds an AP7602 series to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP7602 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap7602 <MAC>

Parameters ap7602 <MAC>

<MAC>

Example Specify the AP7602s MAC address. nx9500-6C8809(config)#ap7602 11-2C-3b-01-aa-23 nx9500-6C8809(config-device-11-2C-3B-01-AA-23)#show context ap7602 11-2C-3B-01-AA-23 use profile default-ap7602 use rf-domain default hostname ap7602-01AA23 nx9500-6C8809(config-device-11-2C-3B-01-AA-23)#

Related Commands no Removes an AP7602 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 31 GLOBAL CONFIGURATION COMMANDS 4.1.14 ap7612 Global Configuration Commands Adds an AP7612 series to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP7612 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap7612 <MAC>

Parameters ap7612 <MAC>

<MAC>

Example Specify the AP7612s MAC address. nx9500-6C8809(config)#ap7612 10-1c-AB-11-0E-20 nx9500-6C8809(config-device-10-1c-AB-11-0E-20)#show context ap7612 10-1C-AB-11-0E-20 use profile default-ap7612 use rf-domain default hostname ap7612-110E20 nx9500-6C8809(config-device-10-1c-AB-11-0E-20)#

Related Commands no Removes an AP7612 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 32 GLOBAL CONFIGURATION COMMANDS 4.1.15 ap7622 Global Configuration Commands Adds an AP7622 series to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP7622 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap7622 <MAC>

Parameters ap7622 <MAC>

<MAC>

Example Specify the AP7622s MAC address. nx9500-6C8809(config-device-01-11-CD-21-0B-13)#show con ap7622 01-11-CD-21-0B-13 use profile default-ap7622 use rf-domain default hostname ap7622-210B13 nx9500-6C8809(config-device-01-11-CD-21-0B-13)#

Related Commands no Removes an AP7622 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 33 GLOBAL CONFIGURATION COMMANDS 4.1.16 ap7632 Global Configuration Commands Adds an AP7632 series to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP7632 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap7632 <MAC>

Parameters ap7632 <MAC>

<MAC>

Example Specify the AP7632s MAC address. nx9500-6C8809(config)#ap7632 23-12-A1-F0-12-02 nx9500-6C8809(config-device-23-12-A1-F0-12-02)#show context ap7632 23-12-A1-F0-12-02 use profile default-ap7632 use rf-domain default hostname ap7632-F01202 nx9500-6C8809(config-device-23-12-A1-F0-12-02)#

Related Commands no Removes an AP7632 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 34 GLOBAL CONFIGURATION COMMANDS 4.1.17 ap7662 Global Configuration Commands Adds an AP7662 series to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP7662 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap7662 <MAC>

Parameters ap7662 <MAC>

<MAC>

Example Specify the AP7662s MAC address. nx9500-6C8809(config)#ap7662 20-12-bd-4C-31-5F nx9500-6C8809(config-device-20-12-BD-4C-31-5F)#show context ap7662 20-12-BD-4C-31-5F use profile default-ap7662 use rf-domain default hostname ap7662-4C315F nx9500-6C8809(config-device-20-12-BD-4C-31-5F)#

Related Commands no Removes an AP7662 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 35 GLOBAL CONFIGURATION COMMANDS 4.1.18 ap81xx Global Configuration Commands Adds an AP81XX series to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP81XX Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap81xx <MAC>

Parameters ap81xx <MAC>

<MAC>

Example Specify the AP81XXs MAC address. rfs6000-81742D#ap81xx B4-C7-99-71-17-28 rfs6000-81742D(config-device-B4-C7-99-71-17-28)#show context ap8132 B4-C7-99-71-17-28 use profile default-ap81xx use rf-domain default hostname ap8132-711728 license AAP DEFAULT-LICENSE rfs6000-81742D(config-device-B4-C7-99-71-17-28)#

rfs6000-81742D(config)#show wireless ap configured

--------------------------------------------------------------------------------

-------

IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY

--------------------------------------------------------------------------------

-------

1 ap8132-711728 B4-C7-99-71-17-28 default-ap81xx default 00-15-70-

81-74-2D

--------------------------------------------------------------------------------

-------

rfs6000-81742D(config)#

Related Commands no Removes an AP81XX from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 36 GLOBAL CONFIGURATION COMMANDS 4.1.19 ap82xx Global Configuration Commands Adds an AP82XX series to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap82xx <MAC>

Parameters ap82xx <MAC>

<MAC>

Example Specify the AP82XXs MAC address. rfs6000-81742D(config-device-00-23-68-14-77-48) rfs6000-81742D(config-device-00-23-68-14-77-48)#show context ap82xx 00-23-68-14-77-48 use profile default-ap82xx use rf-domain default hostname ap8232-147748 rfs6000-81742D(config-device-00-23-68-14-77-48)#

rfs6000-81742D(config)#show wireless ap configured

--------------------------------------------------------------------------------

-------

IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY

--------------------------------------------------------------------------------

-------

1 ap6511-08456A 5C-0E-8B-08-45-6A default-ap6511 default un-adopted 2 ap8232-147748 00-23-68-14-77-48 default-ap82xx default un-adopted

--------------------------------------------------------------------------------

-------

rfs6000-81742D(config)#

Related Commands no Removes an AP82XX from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 37 GLOBAL CONFIGURATION COMMANDS 4.1.20 ap8432 Global Configuration Commands Adds an AP8432 series to the network. If a profile for the AP is not available, a new profile is created. Supported in the following platforms:

Access Point AP8432 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap8432 <MAC>

Parameters ap8432 <MAC>

<MAC>

Example Specify the AP8432s MAC address. nx9500-6C8809(config)#ap8432 84-24-8D-80-C2-AC nx9500-6C8809(config-device-84-24-8D-80-C2-AC)#show context ap8432 84-24-8D-80-C2-AC use profile default-ap8432 use rf-domain default hostname ap8432-80C2AC nx9500-6C8809(config-device-84-24-8D-80-C2-AC)#

nx9500-6C8809(config)#show wireless ap configured

--------------------------------------------------------------------------------

-------

IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY

--------------------------------------------------------------------------------

-------

1 ap8432-80C2AC 84-24-8D-80-C2-AC default-ap8432 default un-adopted

--------------------------------------------------------------------------------

-------

nx9500-6C8809(config)#

Related Commands no Removes an AP8432 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 38 GLOBAL CONFIGURATION COMMANDS 4.1.21 ap8533 Global Configuration Commands Adds an AP8533 series to the network. If a profile for the AP is not available, a new profile is created. Access Point AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap8533 <MAC>

Parameters ap8533 <MAC>

<MAC>

Example Specify the AP8533s MAC address. nx9500-6C8809(config)#ap8533 B4-C7-99-74-B4-5C) nx9500-6C8809(config-device-B4-C7-99-74-B4-5C)#show context ap8533 B4-C7-99-74-B4-5C use profile default-ap8533 use rf-domain default hostname ap8533-74B45C nx9500-6C8809(config-device-B4-C7-99-74-B4-5C)#

nx9500-6C8809(config)#show wireless ap configured

--------------------------------------------------------------------------------

-------

IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY

--------------------------------------------------------------------------------

-------

1 ap8533-74B45C B4-C7-99-74-B4-5C default-ap8533 default un-adopted

--------------------------------------------------------------------------------

-------

nx9500-6C8809(config)#

Related Commands no Removes an AP8533 from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 39 GLOBAL CONFIGURATION COMMANDS 4.1.22 application Global Configuration Commands The following table lists the commands that enable you to enter the Application definition configuration mode:

Table 4.2 Application-Policy Config Command Description Creates a new application definition and enters its configuration mode. This command allows you to create a customized application detection definition. Summarizes application definition configuration mode commands Reference page 4-41 page 4-42 Command application application-

config-mode commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 40 GLOBAL CONFIGURATION COMMANDS 4.1.22.1 application application Creates a new application definition and enters its configuration mode Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax application <APPLICATION-NAME>

Parameters application <APPLICATION-NAME>

application

<APPLICATION-

NAME>

Creates a new application definition and enters its configuration mode

<APPLICATION-NAME> Specify a name of the new application definition. It is created if not already existing in the system. Example nx9500-6C8809(config)#application Bing nx9500-6C8809(config-application-Bing)#?

Application Mode commands:

app-category Set application category (default is custom) description Add application description https Secure HTTP no Negate a command or set its defaults use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-application-Bing)#

Related Commands no Deletes an existing application definition Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 41 GLOBAL CONFIGURATION COMMANDS 4.1.22.2 application-config-mode commands application The following table summarizes Application definition configuration mode commands:

Table 4.3 Application- Config-Mode Commands Command app-category description https use no Description Configures the category for this application definition Configures a description for this application definition Configures the HTTPS common-name attribute value for this application categorys server certificate. Applicable only to applications using HTTPS protocol. Associates a network-service alias or a URL list with this application definition. Applicable for applications using protocols other than HTTPS. Removes or resets this application definitions configured settings Reference page 4-43 page 4-44 page 4-45 page 4-46 page 4-47 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 42 GLOBAL CONFIGURATION COMMANDS 4.1.22.2.1 app-category application-config-mode commands Configures the category for this application definition Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax app-category <APP-CATEGORY-NAME>

Parameters app-category <APP-CATEGORY-NAME>

app-category

<APP-CATEGORY-

NAME>

Select the category best suited for this application definition. There are twenty three categories. These are: business, conference, custom, database, filetransfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\

networking, standard, streaming, tunnel, video, voip, and Web. The default setting is custom. Use this option to categorize your internal custom applications, so that they do not appear as unknown traffic. Example nx9500-6C8809(config-application-Bing)#app-category [TAB]

business conference custom database filetransfer gaming generic im mail mobile network\ management other p2p remote_control sharehosting social\ networking streaming tunnel voip web nx9500-6C8809(config-application-Bing)#

nx9500-6C8809(config-application-Bing)#app-category streaming nx9500-6C8809(config-application-Bing)#show context application Bing app-category streaming nx9500-6C8809(config-application-Bing)#

Related Commands no Resets application category to default (custom) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 43 GLOBAL CONFIGURATION COMMANDS 4.1.22.2.2 description application-config-mode commands Configures a description for this application definition Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax description <WORD>

Parameters description <WORD>

description

<WORD>

Configures a description for this application

<WORD> Specify a description not exceeding 80 characters in length. Enter the descriptive text within double quotes. Example nx9500-6C8809(config-application-Bing)#description "Bing is Microsoft's Web search engine"

nx9500-6C8809(config-application-Bing)#show context application Bing description "Bing is Microsoft's Web search engine"

app-category streaming nx9500-6C8809(config-application-Bing)#

Related Commands no Removes this description configured for this application Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 44 GLOBAL CONFIGURATION COMMANDS 4.1.22.2.3 https application-config-mode commands Configures the HTTPS parameter type, attribute type, match criteria for the HTTPS server name and 64 character maximum server name attribute used in the HTTPS server message exchange Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax https server-cert common-name [contains|ends-with] <WORD>

Parameters https server-cert common-name

[contains|ends-with]

<WORD>

https server-cert common-name [contains|ends-with] <WORD>

Configures the HTTPS parameter type as server certificate Configures the HTTPS attribute match criteria as common name. This is the only option applicable when the HTTPS parameter type is set to server-cert. Use one of the following options to provide the common-name attribute value used as the match criteria:

contains Filters applications having common-name attributes containing the string specified here ends-with Filters applications ending with the string specified here

<WORD> Specify the string to match (should not exceed 64 characters). Example nx9500-6C8809(config-application-Bing)#https server-cert common-name exact bing.com nx9500-6C8809(config-application-Bing)#show context application Bing description "Bing is Microsoft's web search engine"

app-category streaming https server-cert common-name exact bing.com nx9500-6C8809(config-application-Bing)#

Related Commands no Removes the HTTPS common-name attribute value configured with this application category Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 45 GLOBAL CONFIGURATION COMMANDS 4.1.22.2.4 use application-config-mode commands Associates a network-service alias or a URL list with this application definition For applications using protocols other than HTTPS, use this command to define the protocols, ports, and/or URL host name to match. Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax use [network-service <NETWORK-SERVICE-ALIAS-NAME>|url-list <URL-LIST-NAME>]

Parameters use [network-service <NETWORK-SERVICE-ALIAS-NAME>|url-list <URL-LIST-NAME>]

use network-service

<NETWORK-

SERVICE-ALIAS-

NAME>

url-list

<URL-LIST-NAME>

Configures this application definition to use a network-service alias or a URL list Associates a network-service alias with this application definition

<NETWORK-SERVICE-ALIAS-NAME> Specify the network-service alias name (should be existing and configured). The network-service alias should specify the protocols and ports to match. Associates a URL list with this application definition. URL lists are utilized for whitelisting and blacklisting Web application URLs from being launched and consuming bandwidth within the WiNG managed network.

<URL-LIST-NAME> Specify the URL list name (should be existing and configured). The URL list should specify the HTTP URL host names to match. Example nx9500-6C8809(config-application-Bing)#use url-list Bing nx9500-6C8809(config-application-Bing)#show context application Bing description "Bing is Microsoft's web search engine"

app-category streaming use url-list Bing https server-cert common-name exact bing.com nx9500-6C8809(config-application-Bing)#

Related Commands no Removes the network-service alias or the URL list associated with this application definition Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 46 GLOBAL CONFIGURATION COMMANDS 4.1.22.2.5 no application-config-mode commands Removes or resets this application definitions configured settings Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [app-category|description|https|use]

no [app-category|description]

no https server-cert common-name [contains|ends-with] <WORD>

no use [network-service <NETWORK-SERVICE-ALIAS-NAME>|url-list <URL-LIST-NAME>]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or resets this application definitions configured settings based on the parameters passed Example The following example displays the application definition Bing parameters before the no commands are executed:

nx9500-6C8809(config-application-Bing)#show context application Bing description "Bing is Microsoft's web search engine"

app-category streaming use url-list Bing https server-cert common-name exact bing.com nx9500-6C8809config-application-Bing)#

nx9500-6C8809(config-application-Bing)#no description nx9500-6C8809(config-application-Bing)#no https server-cert common-name exact bing.com The following example displays the application definition Bing parameters after the no commands are executed:

nx9500-6C8809(config-application-Bing)#show context application Bing app-category streaming use url-list Bing nx9500-6C8809(config-application-Bing)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 47 GLOBAL CONFIGURATION COMMANDS 4.1.23 application-group Global Configuration Commands The following table lists the commands that enable you to create a new application group and enter its configuration mode:

Table 4.4 Application-Group Config Command Description Command application-group Creates a new application group and enters its configuration mode application-group-

mode commands Summarizes application group configuration mode commands Reference page 4-49 page 4-50 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 48 GLOBAL CONFIGURATION COMMANDS 4.1.23.1 application-group application-group An application group is a collection of system-provided and/or user-defined applications. It is a subset of the total number of supported applications. There are a total of 299 system-provided applications. Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax application-group <APPLICATION-GROUP-NAME>

Parameters application-group <APPLICATION-GROUP-NAME>

application-group

<APPLICATION-

GROUP-NAME>

Creates an application group and enters its configuration mode

<APPLICATION-GROUP-NAME Specify the application group name. If an application group with the specified name does not exist, it is created. The name should not exceed 32 characters in length. Example nx9500-6C8809(config)#application-group amazon nx9500-6C8809(config-app-group-amazon)#?

Application Group Mode commands:

application Add application to group description Add application-group description no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-app-group-amazon)#

Related Commands no Removes an existing application group Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 49 GLOBAL CONFIGURATION COMMANDS 4.1.23.2 application-group-mode commands application-group The following table summarizes the application group configuration mode commands:

Table 4.5 Application-Group-Config-Mode Commands Command application description no Description Adds an application to this application group Configures a description for this application group Removes this application groups configured parameters (application and/or description) Reference page 4-51 page 4-53 page 4-54 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 50 GLOBAL CONFIGURATION COMMANDS 4.1.23.2.1 application application-group-mode commands Adds an application to this application group. You can add a system-provided or user-defined application. Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax application <APPLICATION-NAME>

Parameters application <APPLICATION-NAME>

application

<APPLICATION-

NAME>

Example Configures the application to be added to this application group

<APPLICATION-NAME> Provide the application name (should be available as an option in the system). A maximum of eight (8) applications can be added to a group. If the desired application is not available as an option, use the application command to add it. To view all applications available in the system, use [TAB], as shown in the following example:

nx9500-6C8809(config-app-group-test)#application [TAB]

Display all 299 possibilities? (y or n) 1-clickshare-com 1-upload-com 1-upload-to 10upload-com

--More--

nx9500-6C8809(config-app-group-test)#

Select the desired application from the list displayed, as shown in the following examples:

nx9500-6C8809(config-app-group-amazon)#application amazon [TAB]

amazon-prime-music amazon-prime-video amazon_cloud amazon_shop nx9500-6C8809(config-app-group-amazon)#

nx9500-6C8809(config-app-group-amazon)#application amazon-prime-music nx9500-6C8809(config-app-group-amazon)#application amazon-prime-video nx9500-6C8809(config-app-group-amazon)#application amazon_cloud nx9500-6C8809(config-app-group-amazon)#application amazon_shop nx9500-6C8809(config-app-group-amazon)#show context application-group amazon application amazon-prime-music application amazon-prime-video application amazon_cloud application amazon_shop nx9500-6C8809(config-app-group-amazon)#

Note, the system returns an error message if the application entered is not listed, as shown in the following example:

nx9500-6C8809(config-app-group-test)#application bing

% Error: application 'bing' is not defined nx9500-6C8809(config-app-group-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 51 GLOBAL CONFIGURATION COMMANDS Related Commands no Removes a specified application from this application group Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 52 GLOBAL CONFIGURATION COMMANDS 4.1.23.2.2 description application-group-mode commands Configures a description for this application group Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax description <WORD>

Parameters description <WORD>

description

<WORD>

Configures a description for this application group that uniquely differentiates it from other existing application groups

<WORD> Provide a description not exceeding 80 characters in length. Example nx9500-6C8809(config-app-group-amazon)#description This application-group lists all Amazon applications. nx9500-6C8809(config-app-group-amazon)#show context application-group amazon description This application-group lists all Amazon applications. application amazon-prime-music application amazon-prime-video application amazon_cloud application amazon_shop nx9500-6C8809(config-app-group-amazon)#

Related Commands no Removes the description configured for this application group Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 53 GLOBAL CONFIGURATION COMMANDS 4.1.23.2.3 no application-group-mode commands Removes this application groups configured parameters (application and/or description) Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [application <APPLICATION-NAME>|description]

Parameters no [application <APPLICATION-NAME>|description]

no <PARAMETERS> Removes an application associated with this group, and removes this groups description Example The following example displays the application-group amazon configuration before the execution of no commands:

nx9500-6C8809(config-app-group-amazon)#show context application-group amazon description "This application-group lists all Amazon applications."

application amazon-prime-music application amazon-prime-video application amazon_cloud application amazon_shop nx9500-6C8809(config-app-group-amazon)#

nx9500-6C8809(config-app-group-amazon)#no application amazon_cloud nx9500-6C8809(config-app-group-amazon)#no description The following example displays the application-group amazon configuration after the execution of no commands:

nx9500-6C8809(config-app-group-amazon)#show context application-group amazon application amazon-prime-music application amazon-prime-video application amazon_shop nx9500-6C8809(config-app-group-amazon)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 54 GLOBAL CONFIGURATION COMMANDS 4.1.24 application-policy Global Configuration Commands The following table lists the commands that enable you to enter the Application policy configuration mode:

Table 4.6 Application-Policy Config Command Description Command application-policy Creates an application policy and enters its configuration mode application-policy-

mode commands Summarizes the application policy configuration mode commands Reference page 4-56 page 4-58 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 55 GLOBAL CONFIGURATION COMMANDS 4.1.24.1 application-policy application-policy When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. An application policy defines the rules or actions executed on recognized applications (for example, Facebook) or application-categories (for example, social-networking). The following are the rules/actions that can be applied in an application policy:

Allow - Allow packets for a specific application or application category Deny - Deny packets for a a specific application or application category Mark - Mark packets with DSCP/8021p value for a specific application or application category Rate-limit - Rate limit packets from specific application types. For each rule defined, a precedence is assigned to resolve conflicting rules for applications and categories. A deny rule is exclusive, as no other action can be combined with a deny. An allow rule is redundant with other actions, since the default action is allow. An allow rule is useful when wanting to deny packets for a category, but wanting to allow a few applications in the same category to proceed. In such a cases, add an allow rule for applications with a higher precedence then a deny rule for that category. Mark actions mark packets for a recognized application and category with DSCP/8021p values used for QoS. Rate-limits create a rate-limiter applied to packets recognized for an application and category. Ingress and egress rates need to be specified for the rate-limiter, but both are not required. Mark and rate-limit are the only two actions that can be combined for an application and category. All other combinations are invalid. Once created and configured, apply the application policy at the following levels within the network to enforce application assurance:

RADIUS CoA usage In the device/profile configuration mode, use the application-policy > radius >

<APPLICATION-POLICY-NAME> command to apply the policy to every user successfully authenticated by the RADIUS server. User role In the role-policy-user-role configuration mode, use the use > application-policy

<APPLICATION-POLICY-NAME> command to apply the policy to all users assigned to the role. WLAN In the WLAN configuration mode, use the use > application-policy <APPLICATION-

POLICY-NAME> command to apply the policy to all users accessing the WLAN. Bridge VLAN In the bridge VLAN configuration mode, use the use > application-policy

<APPLICATION-POLICY-NAME> command to apply the policy for the traffic corresponding to the bridged VLAN. Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax application-policy <APPLICATION-POLICY-NAME>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 56 GLOBAL CONFIGURATION COMMANDS Parameters application-policy <APPLICATION-POLICY-NAME>

application-policy

<APPLICATION-

POLICY-NAME>

Specify the application policy name. If an application policy with the specified name does not exist, it is created. The name should not exceed 32 characters in length. Example nx9500-6C8809(config)#application-policy TestAppliPolicy nx9500-6C8809(config-app-policy-TestAppliPolicy)#?

Application Policy Mode commands:

allow Allow packets deny Deny packets description Application policy description enforcement-time Configure policy enforcement based on time logging Application recognition logging mark Mark packets no Negate a command or set its defaults rate-limit Rate-limit packets clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-app-policy-TestAppliPolicy)#

Related Commands no Removes an existing application policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 57 GLOBAL CONFIGURATION COMMANDS 4.1.24.2 application-policy-mode commands application-policy The following table summarizes Application policy configuration mode commands:

Table 4.7 Application- Policy-Mode Commands Command allow deny description enforcement-

time logging mark rate-limit no Description Creates an allow rule and configures the match criteria based on which packets are filtered and the allow access action applied Creates a deny rule and configures the match criteria based on which packets are filtered and the deny access action applied Configures a brief description for this application policy that enables you to differentiate it from other application policies Configures an enforcement time period in days and hours for this application policy. The policy is enforced only during the specified time period. Enables logging of application recognition hits made by the DPI engine. It also sets the logging level. Creates a mark rule and configures the match criteria based on which packets are filtered and marked with 802.1p priority value or Differentiated Service Code Point (DSCP) code Creates a rate-limit rule and configures the match criteria based on which incoming and outgoing packets are filtered and the configured rate limits applied Removes or resets this application policys settings Reference page 4-59 page 4-62 page 4-65 page 4-66 page 4-68 page 4-70 page 4-73 page 4-76 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 58 GLOBAL CONFIGURATION COMMANDS 4.1.24.2.1 allow application-policy-mode commands Creates an allow rule and configures the match criteria based on which packets are filtered and the allow access action applied Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]

schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>) Parameters allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]

schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>) allow app-category

[<APP-CATEGORY-

NAME>|all]

application

<APPLICATION-

NAME>

schedule

<SCHEDULE-

POLICY-NAME>

Creates an allow rule and configures the match criteria. The options are app-category and application. Uses application category as the match criteria

<APP-CATEGORY-NAME> Specify the application category. The options are:

antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\

networking, standard, streaming, tunnel, video, voip, and web. Each packets app-

category is matched with the value specified here. In case of a match, the system forwards the packet or else drops it. all The system forwards all packets irrespective of the application category. Uses application name as the match criteria

<APPLICATION-NAME> Specify the application name. Each packets application is matched with the application name specified here. In case of a match, the system forwards the packet. The WiNG database provides approximately 381 canned applications. In addition to these, the database also includes custom-made applications. These are application definitions created using the application command. Schedules an enforcement time for this allow rule by associating a schedule policy with it. Use this parameter to apply rule-specific enforcement time. schedule <SCHEDULE-POLICY-NAME> Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy >

enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policys enforcement time. In other words the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times the best practice would be to keep the application policy active at all time (i.e., retain the default enforcement-time setting as all). Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 59 GLOBAL CONFIGURATION COMMANDS

<SCHEDULE-POLICY-NAME> Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule. In case of no schedule policy being applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time. precedence <1-256> Assigns a precedence value for this allow rule. The precedence value differentiates between rules applicable to applications and the application categories to which they belong. The allow, deny, mark, rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule. Let us consider application youtube belonging to app-category streaming. The action required is: Allow youtube packets and deny all other applications belonging to app-category streaming. The rules can be defined as:

#allow application youtube precedence 1

#deny app-category streaming precedence 2 The following configuration is incorrect:

#deny app-category streaming precedence 1

#allow application youtube precedence 2 Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule. The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type. Example The following example shows how to view all built-in, system provided applications:

nx9500-6C8809(config-app-policy-test)#allow application [TAB]

Display all 366 possibilities? (y or n) 1-clickshare-com 1-upload-com 1-upload-to 10upload-com 123upload-pl 139pan-com 163pan-com 1clickshare-net 1fichier-com 1kxun 2channel 2gis 2shared-com 360mobile 4fastfile-com 4share-ws Dota\ 2 EA\ Origin

--More--

nx9500-6C8809(config-app-policy-test)#

The following examples show two allow rules, allowing access to all packets belonging to the application category business and the application Bing:

nx9500-6C8809(config-app-policy-Bing)#allow application Bi [TAB]

Bing BitTorrent BitTorrent_encrypted BitTorrent_plain BitTorrent_uTP BitTorrent_uTP_encrypted nx9500-6C8809(config-app-policy-Bing)#

Note: Bing is not one of the WiNG built-in database applications. It is a customized application created using the application command. nx9500-6C8809(config-app-policy-Bing)#allow application Bing precedence 1 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 60 GLOBAL CONFIGURATION COMMANDS nx9500-6C8809(config-app-policy-Bing)#allow app-category [TAB]

all antivirus\ update audio business conference custom database filetransfer gaming generic im mail mobile network\ management other p2p remote_control social\ networking standard streaming tunnel video voip web nx9500-6C8809(config-app-policy-Bing)#

nx9500-6C8809(config-app-policy-Bing)#allow app-category business precedence 2 nx9500-6C8809(config-app-policy-Bing)#show context application-policy Bing allow application Bing precedence 1 allow app-category business precedence 2 nx9500-6C8809(config-app-policy-Bing)#

The following example shows an application policy 'SocialNet' having an allow rule with an associated schedule policy named 'FaceBook':

nx9500-6C8809(config-app-policy-SocialNet)#allow application facebook schedule Facebook precedence 1 nx9500-6C8809(config-app-policy-SocialNet)#show context application-policy SocialNet description "This application policy relates to Social Networking sites."

allow application facebook schedule FaceBook precedence 1 nx9500-6C8809(config-app-policy-SocialNet)#

The schedule policy FaceBook configuration is as follows. As per this policy, the above allow rule will apply to all FaceBook packets every Friday between 13:00 and 18:00 hours. nx9500-6C8809(config-schedule-policy-FaceBook)#show context schedule-policy FaceBook description "Allows FaceBook traffic on Fridays."

time-rule days friday start-time 13:00 end-time 18:00 nx9500-6C8809(config-schedule-policy-FaceBook)#

Related Commands no Removes this allow rule from the application policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 61 GLOBAL CONFIGURATION COMMANDS 4.1.24.2.2 deny application-policy-mode commands Creates a deny rule and configures the match criteria based on which packets are filtered and the deny access action applied Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]

schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>) Parameters deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]

schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>) deny app-category

[<APP-CATEGORY-

NAME>|all]

application

<APPLICATION-

NAME>

schedule

<SCHEDULE-

POLICY-NAME>

Creates a deny rule and configures the match criteria. The options are app-category and application. Uses application category as the match criteria

<APP-CATEGORY-NAME> Specify the application category name. The options are:

antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\

networking, standard, streaming, tunnel, video, voip, and web. Each packets app-

category is matched with the value specified here. In case of a match, the system drops the packet. all The system drops all packets irrespective of the application category. Uses application name as the match criteria

<APPLICATION-NAME> Specify the application name. Each packets application is matched with the application name specified here. In case of a match, the system drops the packet. There are approximately some 381 canned applications in the database. In addition to these, the database displays custom-made applications also. These are application definitions created using the application command. Schedules an enforcement time for this deny rule by associating a schedule policy with it. Use this parameter to apply rule-specific enforcement time. schedule <SCHEDULE-POLICY-NAME> Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy >

enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policys enforcement time. In other words the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times the best practice would be to keep the application policy active at all time (i.e., retain the default enforcement-time setting as all). Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 62 GLOBAL CONFIGURATION COMMANDS

<SCHEDULE-POLICY-NAME> Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule. In case of no schedule policy being applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time. precedence <1-256> Assigns a precedence value for this deny rule. The precedence value differentiates between rules applicable to applications and the application categories to which they belong. The allow, deny, mark, rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule. Let us consider application youtube belonging to app-category streaming. The action required is: Allow youtube packets and deny all other applications belonging to app-category streaming. The rules can be defined as:

#allow application youtube precedence 1

#deny app-category streaming precedence 2 The following configuration is incorrect:

#deny app-category streaming precedence 1

#allow application youtube precedence 2 Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule. The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type. Example The following example shows one deny rule, denying access to all packets belonging to the application category social\ networking:

nx9500-6C8809(config-app-policy-Bing)#deny app-category social\ networking precedence 3 nx9500-6C8809(config-app-policy-Bing)#show context application-policy Bing allow application Bing precedence 1 allow app-category business precedence 2 deny app-category "social networking" precedence 3 nx9500-6C8809(config-app-policy-Bing)#

The following example displays the schedule policy DenyS-N settings. The time-rule defined in the policy is all weekdays from 9:30 AM to 11:30 PM. nx9500-6C8809(config-schedule-policy-DenyS-N)#show context schedule-policy DenyS-N description "Denies all social Networking sites on weekdays."

time-rule days weekdays start-time 09:30 end-time 23:30 nx9500-6C8809(config-schedule-policy-DenyS-N)#

The following example displays the schedule policy FaceBook settings. The time-rule defined in the policy is Friday from 1:00 PM to 6:00 PM. nx9500-6C8809(config-schedule-policy-FaceBook)#show context schedule-policy FaceBook description "Allows FaceBook traffic on Fridays."

time-rule days friday start-time 13:00 end-time 18:00 nx9500-6C8809(config-schedule-policy-FaceBook)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 63 GLOBAL CONFIGURATION COMMANDS The following example shows an application policy SocialNet defining an allow and deny rule. Both rules have different enforcement time, which is defined by their respective schedule policies (DentS-N and FaceBook). As per these two schedule policy settings, this application policy:

Denies all social\ networking sites on weekdays (barring Fridays between 1:00 PM to 6:00 PM) from 9:30 AM to 11:30 PM. On Fridays, between 1:00 PM to 6:00 PM, it:

Denies all social\ networking sites except Facebook. nx9500-6C8809(config-app-policy-SocialNet)#show context application-policy SocialNet description "This application policy relates to Social Networking sites."

allow application facebook schedule FaceBook precedence 1 deny app-category "social networking" schedule DenyS-N precedence 2 nx9500-6C8809(config-app-policy-SocialNet)#

Related Commands no Removes this deny rule from the application policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 64 GLOBAL CONFIGURATION COMMANDS 4.1.24.2.3 description application-policy-mode commands Configures a brief description for this application policy that enables you to differentiate it from other application policies Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax description <LINE>

Parameters description <LINE>

description <LINE>

Configures this application policys description

<LINE> Specify a brief description not exceeding 80 characters in length. Example nx9500-6C8809(config-app-policy-Bing)#description "This application policy allows Bing search engine packets"

nx9500-6C8809(config-app-policy-Bing)#show context application-policy Bing description "This application policy allows Bing search engine packets"

allow application Bing precedence 1 allow app-category business precedence 2 deny app-category "social networking" precedence 3 nx9500-6C8809(config-app-policy-Bing)#

Related Commands no Removes this application policys description Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 65 GLOBAL CONFIGURATION COMMANDS 4.1.24.2.4 enforcement-time application-policy-mode commands Configures an enforcement time period in days and hours for this application policy. The enforcement time is applicable only to those rules, within the application policy, that do not have a schedule policy associated. By default an application policy is enforced on all days. NOTE: Schedule policies are a means of enforcing allow/deny/mark/rate-

limit rules at different time periods. If no schedule policy is applied, all rules within an application policy are enforced at the time specified using this enforcement-time command. For more information on configuring a schedule policy, see schedule-policy. Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax enforcement-time days [sunday|monday|tuesday|wednesday|thursday|friday|

saturday|all|weekends|weekdays] {start-time <HH:MM> end-time <HH:MM>}

Parameters enforcement-time days [sunday|monday|tuesday|wednesday|thursday|friday|

saturday|all|weekends|weekdays] {start-time <HH:MM> end-time <HH:MM>}

enforcement-time days start-time <HH:MM>

end-time <HH:MM>

Enforces this application policy on only on the days specified here sunday Enforces the policy only on Sundays monday Enforces the policy only on Mondays tuesday Enforces the policy only on Tuesdays wednesday Enforces the policy only on Wednesdays thursday Enforces the policy only on Thursdays friday Enforces the policy only on Fridays saturday Enforces the policy only on Saturdays all Enforces the policy on all days. This is the default setting. weekends Enforces the policy only on weekends weekdays Enforces the policy only on weekdays In case no enforcement time is specified, the application policy is enforced on all days

(i.e., always active). If using schedule policies with the allow/deny/mark/rate-limit rules, the best practice would be to keep the application policy active at all time (i.e., retain the default enforcement-time setting of all). Optional. Configures this application policys enforcement period start-time Configures the start time. This is the time at which the application policy enforcement begins. end-time Configures the end time. This is the time at which the application policy enforcement ends.

<HH:MM> Specify the start and end time in the HH:MM format. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 66 GLOBAL CONFIGURATION COMMANDS Example nx9500-6C8809(config-app-policy-Bing)#enforcement-time days weekdays start-time 10:30 end-time 20:00 nx9500-6C8809(config-app-policy-Bing)#show context application-policy Bing description "This application policy allows Bing search engine packets"

enforcement-time days weekdays start-time 10:30 end-time 20:00 allow application Bing precedence 1 allow app-category business precedence 2 deny app-category "social networking" precedence 3 nx9500-6C8809(config-app-policy-Bing)#

Related Commands no Removes this application policys enforcement period Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 67 GLOBAL CONFIGURATION COMMANDS 4.1.24.2.5 logging application-policy-mode commands Enables DPI application recognition logging. It also sets the logging level. DPI is an advanced packet analysis technique, which analyzes packet and packet content headers to determine the nature of network traffic. When enabled, DPI inspects packets of all flows to identify applications (such as, Netflix, Twitter, Facebook, etc.) and extract metadata (such as, host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall. Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax logging [level|on]

logging on logging level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|

notifications|warnings]

Parameters logging on logging on Enables logging of application recognition hits made by the DPI engine. This option is disabled by default. logging level [<0-7>|alerts|critical|debugging|emergencies|errors|

informational|notifications|warnings]

logging level

[<0-7>|alerts|

critical|debugging|

emergencies|errors|

informational|

notifications|

warnings]

Sets the logging level for application recognition hits made by the DPI engine. This option is disabled by default.

<0-7> Sets the message logging severity level on a scale of 0 - 7 emergencies Severity level 0: System is unusable alerts Severity level 1: Requires immediate action critical Severity level 2: Critical conditions errors Severity level 3: Error conditions warnings Severity level 4: Warning conditions notifications Severity level 5: Normal but significant conditions (this is the default setting) informational Severity level 6: Informational messages debugging Severity level 7: Debugging messages Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 68 GLOBAL CONFIGURATION COMMANDS Example nx9500-6C8809(config-app-policy-Bing)#logging level critical nx9500-6C8809(config-app-policy-Bing)#show context application-policy Bing description "This application policy allows Bing search engine packets"

enforcement-time days weekdays start-time 12:30 end-time 20:00 allow application Bing precedence 1 allow app-category business precedence 2 deny app-category "social networking" precedence 3 logging level critical nx9500-6C8809(config-app-policy-Bing)#

Related Commands no Resets the logging level to default (notifications). And the no > logging > on command disables DPI logging. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 69 GLOBAL CONFIGURATION COMMANDS 4.1.24.2.6 mark application-policy-mode commands Creates a mark rule and configures the match criteria based on which packets are marked Marks packets, matching a specified set of application categories or applications/protocols, with 802.1p priority level or Differentiated Services Code Point (DSCP) type of service (ToS) code. Marking packets is a means of identifying them for specific actions, and is used to provide different levels of service to different traffic types. Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]

[8021p <0-7>|dscp <0-63>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>) Parameters mark mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]

[8021p <0-7>|dscp <0-63>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>) Creates a mark rule and configures the match criteria. When applied, the rule marks packets, matching the criteria configured here, with 802.1p priority value or DSCP code. The match criteria options are: app-category and application. Uses application category as the match criteria

<APP-CATEGORY-NAME> Specify the application category. The options are:

app-category

[<APP-CATEGORY-

NAME>|all]

application

<APPLICATION-

NAME>

8021p <0-7>

antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\

networking, standard, streaming, tunnel, video, voip, and web. Each packets app-

category is matched with the value specified here. In case of a match, the system marks the packet. all The system marks all packets irrespective of the application category. Uses application name as the match criteria

<APPLICATION-NAME> Specify the application name. Each packets application is matched with the application name specified here. In case of a match, the system marks the packet. The WiNG database provides approximately 381 canned applications. In addition to these, the database includes custom-made applications. These are application definitions created using the application command. Marks packets matching the specified criteria with 802.1p priority value

<0-7> Specify a value from 0 - 7. The IEEE 802.1p signaling standard enables marking of layer 2 network traffic. Layer 2 network devices (such as switches), using 802.1p standards, group traffic into classes based on their 802.1p priority value, which is appended to the packets MAC header. In case of traffic congestion, packets with higher priority get precedence over lower priority packets and are forwarded first. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 70 dscp <0-63>

schedule

<SCHEDULE-

POLICY-NAME>

GLOBAL CONFIGURATION COMMANDS Marks packets matching the specified criteria with DSCP ToS code

<0-63> Specify a value from 0 - 63. The DSCP protocol marks layer 3 network traffic. Layer 3 network devices (such as routers) using DSCP, mark each layer 3 packet with a six-bit DSCP code, which is appended to the packets IP header. Each DSCP code is assigned a corresponding level of service, enabling packet prioritization. Schedules an enforcement time for this mark rule by associating a schedule policy with it. Use this parameter to apply rule-specific enforcement time. schedule <SCHEDULE-POLICY-NAME> Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy >

enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policys enforcement time. In other words the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times the best practice would be to keep the application policy active at all time (i.e., retain the default enforcement-time setting as all).

<SCHEDULE-POLICY-NAME> Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule. In case of no schedule policy being applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time. precedence <1-256> Assigns a precedence value for this mark rule. The precedence value differentiates between rules applicable to applications and the application categories they belong. The allow, deny, mark, rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule. Let us consider application youtube belonging to app-category streaming. The action required is: Allow youtube packets and deny all other applications belonging to app-category streaming. The rules can be defined as:

#allow application youtube precedence 1

#deny app-category streaming precedence 2 The following configuration is incorrect:

#deny app-category streaming precedence 1

#allow application youtube precedence 2 Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule. The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 71 GLOBAL CONFIGURATION COMMANDS Example nx9500-6C8809(config-app-policy-Bing)#mark app-category video dscp 9 precedence 4 nx9500-6C8809(config-app-policy-Bing)#mark application facetime dscp 10 precedence 5 nx9500-6C8809(config-app-policy-Bing)#show context application-policy Bing description "This application policy allows Bing search engine packets"

enforcement-time days weekdays start-time 12:30 end-time 20:00 allow application Bing precedence 1 allow app-category business precedence 2 deny app-category "social networking" precedence 3 mark app-category video dscp 9 precedence 4 mark application facetime dscp 10 precedence 5 logging level critical nx9500-6C8809(config-app-policy-Bing)#

Related Commands no Removes this mark rule from the application policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 72 GLOBAL CONFIGURATION COMMANDS 4.1.24.2.7 rate-limit application-policy-mode commands Creates a rate-limit rule and configures the match criteria Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax rate-limit [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-

NAME>] ([egress|ingress]) rate <50-1000000> max-burst-size <2-1024> schedule

<SCHEDULE-POLICY-NAME> (precedence <1-256>) Parameters rate-limit [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-

NAME>] ([egress|ingress]) rate <50-1000000> max-burst-size <2-1024> schedule

<SCHEDULE-POLICY-NAME> (precedence <1-256>) rate-limit app-category

[<APP-CATEGORY-

NAME>|all]

application

<APPLICATION-

NAME>

[egress|ingress]

rate <50-1000000>

Creates a rate-limit rule and configures the match criteria. When applied, the rule applies a rate-limit to packets that match the criteria configured here. These packets could be incoming, outgoing, or both. The match criteria options are: app-category and application. Uses application category as the match criteria

<APP-CATEGORY-NAME> Specify the application category. The options are:

antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\

networking, standard, streaming, tunnel, video, voip, and web. Each packets app-

category is matched with the value specified here. In case of a match, the system rate-

limits the packet. all The system rate-limits all packets irrespective of the application category. Uses application name as the match criteria

<APPLICATION-NAME> Specify the application name. Each packets application is matched with the application name specified here. In case of a match, the system rate-

limits the packet. The egress and ingress parameters are recursive and can be used to rate limit either incoming, outgoing, or both incoming and outgoing traffic. egress Selects the traffic type as outgoing ingress Selects the traffic type as outgoing After selecting the traffic type (incoming/outgoing) configure the rate and maximum burst size. The following parameters are common to the egress and ingress keywords:

rate Configures the rate limit, in Kbps, for both incoming and outgoing packets

<50-1000000> Specify the rate limit from 50 - 1000000 Kbps. max-burst-size The following parameters are common to the egress and ingress keywords:

max-burst-size Configures the maximum burst size, in Kbytes, for both incoming and outgoing packets

<2-1024> Specify the maximum burst size from 2 - 1024 Kbytes. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 73 GLOBAL CONFIGURATION COMMANDS schedule

<SCHEDULE-

POLICY-NAME>

Schedules an enforcement time for this rate-limit rule by associating a schedule policy with it. Use this parameter to apply rule-specific enforcement time. schedule <SCHEDULE-POLICY-NAME> Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy >

enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policys enforcement time. In other words the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times the best practice would be to keep the application policy active at all time (i.e., retain the default enforcement-time setting as all).

<SCHEDULE-POLICY-NAME> Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule. In case of no schedule policy being applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time. precedence <1-256> Assigns a precedence value for this mark rule. The precedence value differentiates between rules applicable to applications and the application categories they belong. The allow, deny, mark, rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule. Let us consider application youtube belonging to app-category streaming. The action required is: Allow youtube packets and deny all other applications belonging to app-category streaming. The rules can be defined as:

#allow application youtube precedence 1

#deny app-category streaming precedence 2 The following configuration is incorrect:

#deny app-category streaming precedence 1

#allow application youtube precedence 2 Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule. The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 74 GLOBAL CONFIGURATION COMMANDS Example nx9500-6C8809(config-app-policy-Bing)#rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-burst-size 25 precedence 6 nx9500-6C8809(config-app-policy-Bing)#show context application-policy Bing description "This application policy allows Bing search engine packets"

enforcement-time days weekdays start-time 12:30 end-time 20:00 allow application Bing precedence 1 allow app-category business precedence 2 deny app-category "social networking" precedence 3 mark app-category video dscp 9 precedence 4 mark application facetime dscp 10 precedence 5 rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-

burst-size 25 precedence 6 logging level critical nx9500-6C8809(config-app-policy-Bing)#

Related Commands no Removes this rate-limit rule from the application policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 75 GLOBAL CONFIGURATION COMMANDS 4.1.24.2.8 no application-policy-mode commands Removes or resets this application policys settings Supported in the following platforms:

Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [allow|deny|description|enforcement-time|logging|mark|rate-limit]

no allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]

precedence <1-256>

no deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]

precedence <1-256>

no description no enforcement-time days [sunday|monday|tuesday|wednesday|thursday|friday|

saturday|all|weekends|weekdays]

no logging [level|on]

no mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]

precedence <1-256>

no rate-limit [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-

NAME>] precedence <0-256>

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or resets this application policy settings based on the parameters passed Example The following example shows the application policy Bing settings before the no commands are executed:

nx9500-6C8809(config-app-policy-Bing)#show context application-policy Bing description "This application policy allows Bing search engine packets"

enforcement-time days weekdays start-time 12:30 end-time 20:00 allow application Bing precedence 1 allow app-category business precedence 2 deny app-category "social networking" precedence 3 mark app-category video dscp 9 precedence 4 mark application facetime dscp 10 precedence 5 rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-

burst-size 25 precedence 6 logging level critical nx9500-6C8809(config-app-policy-Bing)#

nx9500-6C8809(config-app-policy-Bing)#no allow app-category business precedence 2 nx9500-6C8809(config-app-policy-Bing)#no deny app-category social\ networking precedence 3 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 76 GLOBAL CONFIGURATION COMMANDS The following example shows the application policy Bing settings after the no commands are executed:

nx9500-6C8809(config-app-policy-Bing)#show context application-policy Bing description "This application policy allows Bing search engine packets"

enforcement-time days weekdays start-time 12:30 end-time 20:00 allow application Bing precedence 1 mark app-category video dscp 9 precedence 4 mark application facetime dscp 10 precedence 5 rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-

burst-size 25 precedence 6 logging level critical nx9500-6C8809(config-app-policy-Bing)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 77 GLOBAL CONFIGURATION COMMANDS 4.1.25 association-acl-policy Global Configuration Commands Configures an association ACL policy. This policy defines a list of devices allowed or denied access to the network. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax association-acl-policy <ASSOCIATION-ACL-POLICY-NAME>

Parameters association-acl-policy <ASSOCIATION-ACL-POLICY-NAME>

<ASSOCIATION-ACL-

POLICY-NAME>

Specify the association ACL policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#association-acl-policy test rfs6000-81742D(config-assoc-acl-test)#?

Association ACL Mode commands:

deny Specify MAC addresses to be denied no Negate a command or set its defaults permit Specify MAC addresses to be permitted clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-assoc-acl-test)#

Related Commands no Resets values or disables commands NOTE: For more information on the association-acl-policy, see Chapter 10, ASSOCIATION-ACL-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 78 GLOBAL CONFIGURATION COMMANDS 4.1.26 auto-provisioning-policy Global Configuration Commands Configures an auto provisioning policy. This policy configures the automatic provisioning of device adoption. The policy configures how an AP is adopted based on its type. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax auto-provisioning-policy <AUTO-PROVISIONING-POLICY-NAME>

Parameters auto-provisioning-policy <AUTO-PROVISIONING-POLICY-NAME>

<AUTO-

PROVISIONING-

POLICY-NAME>

Specify the auto provisioning policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#auto-provisioning-policy test rfs6000-81742D(config-auto-provisioning-policy-test)#?

Auto-Provisioning Policy Mode commands:

Auto-Provisioning Policy Mode commands:

adopt Add rule for device adoption auto-create-rfd-template When RF Domain specified by the matching rule template does not exist create new RF Domain automatically default-adoption Adopt devices even when no matching rules are found. Assign default profile and default rf-domain deny Add rule to deny device adoption evaluate-always Set the flag to evaluate the policy everytime, regardless of previous adoption status no Negate a command or set its defaults redirect Add rule to redirect device adoption upgrade Add rule for device upgrade clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-auto-provisioning-policy-test)#

Related Commands no Removes an existing Auto Provisioning policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 79 GLOBAL CONFIGURATION COMMANDS NOTE: For more information on the auto-provisioning-policy, see Chapter 9, AUTO-PROVISIONING-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 80 GLOBAL CONFIGURATION COMMANDS 4.1.27 bgp Global Configuration Commands Configures Border Gateway Protocol (BGP) settings BGP is an inter-ISP routing protocol which establishes routing between Internet Service Providers (ISPs). ISPs use BGP to exchange routing and reachability information between Autonomous Systems (AS) on the Internet. BGP makes routing decisions based on paths, network policies and/or rules configured by network administrators. The primary role of a BGP system is to exchange network reachability information with other BGP peers. This information includes information on AS that the reachability information traverses. This information is sufficient to create a graph of AS connectivity from which routing decisions can be created and rules enforced. An AS is a set of routers under the same administration that use Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS. AS uses inter-AS routing to route packets to other ASs. For an external AS, an AS appears to have a single coherent interior routing plan and presents a consistent picture of the destinations reachable through it. Routing information exchanged through BGP supports only destination based forwarding (it assumes a router forwards packets based on the destination address carried in the IP header of the packet). BGP uses TCP as its transport protocol. This eliminates the need to implement explicit update fragmentation, retransmission, acknowledgment, and sequencing. BGP listens on TCP port 179. The error notification mechanism used in BGP assumes that TCP supports a graceful close (all outstanding data is delivered before the connection is closed). Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax bgp [as-path-list|community-list|extcommunity-list|ip-access-list|ip-prefix-list]

<LIST-NAME>

Parameters bgp [as-path-list|community-list|extcommunity-list|ip-access-list|ip-prefix-

list] <LIST-NAME>

as-path-list

<LIST-NAME>

community-list

<LIST-NAME>

extcommunity-list

<LIST-NAME>

ip-access-list

<LIST-NAME>

ip-prefix-list

<LIST-NAME>

Creates an AS path list and enters its configuration mode

<LIST-NAME> Provide the AS-PATH-LIST name. Creates a community list and enters its configuration mode

<LIST-NAME> Provide the COMMUNITY-LIST name. Creates an extended community list and enters its configuration mode

<LIST-NAME> Provide the EXTCOMMUNITY-LIST name. Creates a BGP IP access list and enters its configuration mode

<LIST-NAME> Provide the BGP IP-ACCESS-LIST name. Creates a BGP IP prefix list and enters its configuration mode

<LIST-NAME> Provide the BGP IP-PREFIX-LIST name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 81 GLOBAL CONFIGURATION COMMANDS Example nx9500-6C8809(config)#bgp ?

as-path-list BGP AS path list Configuration community-list Add a community list entry extcommunity-list Add a extended community list entry (EXPERIMENTAL) ip-access-list Add an access list entry ip-prefix-list Build a prefix list nx9500-6C8809(config)#

nx9500-6C8809(config)#bgp as-path-list AS-TEST-PATH nx9500-6C8809(config-bgp-as-path-list-AS-TEST-PATH)#?

BGP AS Path List Mode commands:

deny Specify packets to reject no Negate a command or set its defaults permit Specify packets to forward clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-bgp-as-path-list-AS-TEST-PATH)#

Related Commands no Modifies BGP settings, based on the parameters passed NOTE: For more information on configuring BGP Top-Level Objects (TLOs), see Chapter 28, BORDER GATEWAY PROTOCOL. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 82 GLOBAL CONFIGURATION COMMANDS 4.1.28 bonjour-gateway-discovery-policy Global Configuration Commands The following table lists the commands that allows you to create a Bonjour Gateway Discovery Policy:

Table 4.8 Bonjour-Gateway-Discovery Config Commands Description Creates a Bonjour Gateway Discovery policy and enters its configuration mode Summarizes Bonjour Gateway Discovery policy configuration mode commands Reference page 4-84 page 4-86 Command bonjour-gw-

discovery-policy bonjour-

gateway-

discovery-

policy-mode commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 83 GLOBAL CONFIGURATION COMMANDS 4.1.28.1 bonjour-gw-discovery-policy bonjour-gateway-discovery-policy Bonjour is Apples zero-configuration networking (Zeroconf) implementation. Bonjour enables automatic IP address assignment, name to address resolution, and service discovery without having to configure a DHCP server, DNS server, and Directory server. When configured and applied on a WLAN, the Bonjour Gateway Discovery policy queries for and locates Bonjour devices (printers, computers, file-sharing servers, etc.) and services these computers provide over a local network. Bonjour works only within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains. Use this command to configure a Bonjour GW Discovery policy. The policy defines a list of services clients can discover across subnets. A maximum of 8 (eight) policies can be created on access points, wireless controllers, or service platforms. When configured and applied, this feature enables discovery of Bonjour services on local and/or tunneled VLANs. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax bonjour-gw-discovery-policy <POLICY-NAME>

Parameters bonjour-gw-discovery-policy <POLICY-NAME>

<POLICY-NAME>

Specify the Bonjour GW Discovery policy name. If the policy does not exist, it is created. In the Bonjour GW Discovery policy configuration mode, use the allow-

service keyword to configure the services that the Bonjour gateway is allowed to discover. A maximum of 16 (sixteen) service rules can be created. Optionally, you can restrict this facility for users on specific VLANs. To do so, specify the VLAN IDs. Execute the bonjour-gw-forwarding-policy command to enable forwarding of Bonjour service responses across VLANs. To associate a Bonjour GW Discovery policy with a WLAN, in the WLAN configuration mode, execute the following command: use > bonjour-gw-discovery-

policy > <POLICY-NAME>. For more information, see use. To associate a Bonjour GW Discovery policy with a VLAN, in the interface VLAN configuration mode, execute the following command: use > bonjour-gw-discovery-

policy > <POLICY-NAME>. For more information, see use. To associate a Bonjour GW Discovery policy with a user role, in the role-policy -

user-role - configuration mode, execute the following command: use > bonjour-gw-

discovery-policy > <POLICY-NAME>. For more information, see use. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 84 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config)#bonjour-gw-discovery-policy TestPolicy rfs6000-81742D(config-bonjour-gw-discovery-policy-TestPolicy)#?

commands:

allow-service Allow Bonjour Service on local or tunneled vlan,Optionally VLAN IDs can be given so service will be discovered for those vlan only no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-bonjour-gw-discovery-policy-TestPolicy)#

Related Commands no Removes an existing Bonjour GW Discovery policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 85 GLOBAL CONFIGURATION COMMANDS 4.1.28.2 bonjour-gateway-discovery-policy-mode commands bonjour-gateway-discovery-policy The following table summarizes the Bonjour Gateway Discovery Policy configuration mode commands:

Table 4.9 Bonjour-Gateway-Discovery-Policy-Mode Commands Command allow-service no Description Configures the Bonjour Services that can be discovered on Local or Tunneled VLANs. It configures the local VLANs on which these services can be found. Removes or modifies the Bonjour Gateway Discovery policy settings Reference page 4-87 page 4-89 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 86 GLOBAL CONFIGURATION COMMANDS 4.1.28.2.1 allow-service bonjour-gateway-discovery-policy-mode commands Enables discovery of Bonjour devices and the services they provide on Local or Tunneled VLANs Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax allow-service <BONJOUR-SERVICE-NAME> [local|tunneled]

allow-service <BONJOUR-SERVICE-NAME> local {instance-name contains <WORD>}

({service-vlans <WORD>}) allow-service <BONJOUR-SERVICE-NAME> tunneled {instance-name contains <WORD>}

Parameters allow-service <BONJOUR-SERVICE-NAME> local {instance-name contains <WORD>}

({service-vlans <WORD>}) allow-service

<BONJOUR-

SERVICE-NAME>

local instance-name contains <WORD>

service-vlans

<WORD>

Configures the services that can be discovered by the Bonjour gateway. And also configures the VLANs on which the selected services can be discovered.

<BONJOUR-SERVICE-NAME> You can either select the Bonjour services from a set of system-provided, pre-defined Apple services, or use an existing alias to define a service not available in the predefined list. The predefined Apple services available are: Afp, AirPlay, AirPort, AirPrint, AirTunes, AppleTimeMachine, Chromecast, Daap, HomeSharing, Printer, and Scanner. Use the <WORD> keyword to define a service not included in the system-provided, pre-

defined list. Ensure this device is registered with the Multicast DNS Responder

(mDNSResponder). Select to enable the discovery of the selected Bonjour Services on the local VLAN Optional. Specifies the selected Bonjour services instance name. When specified, the Bonjour service discovery queries contain the instance name. of the service to be discovered. This option is useful especially in large distributed, enterprise networks. Use it to create different instances of a Bonjour service for the different organizations or departments (VLANS) within your network. Creating instances allows you to advertise specific service instances for a specific set of VLANs, instead of advertising top-level Bonjour Services to various allocated VLAN(s). contains <WORD> Specify the instance name. You can either directly specify the string value to be used as a match criteria, or use a string alias (for example,

$BONJOUR-STRING) to identify the string to match. If using a string alias, ensure that it is existing and configured. For information on configuring a string alias, see alias. Optional. Configures a VLAN or a list of VLANs on which the selected service is discoverable. When specified, Bonjour discovery queries are delivered to all clients on the specified VLANs. Applicable only if enabling Bonjour Services discovery on local VLANs. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 87 GLOBAL CONFIGURATION COMMANDS allow-service <BONJOUR-SERVICE-NAME> tunneled {instance-name contains <WORD>}

allow-service

<BONJOUR-

SERVICE-NAME>

Configures the services that can be discovered by the Bonjour gateway. And also configures the VLANs on which the selected services can be discovered.

<BONJOUR-SERVICE-NAME> You can either select the Bonjour Services from a set tunneled instance-name contains <WORD>

of system-provided, pre-defined Apple services, or use an existing alias to define a service not available in the predefined list. The predefined Apple services available are: Afp, AirPlay, AirPort, AirPrint, AirTunes, AppleTimeMachine, Chromecast, Daap, HomeSharing, Printer, and Scanner. Use the <WORD> keyword to define a service not included in the system-provided, predefine list. Select to enable the discovery of the selected Bonjour Services on tunneled VLANs Optional. Adds a Bonjour Service instance name. If you have a large enterprise network, use this option to create different Bonjour Service instances for the different organizations or departments (VLANS) within your network. Creating instances allows you to advertise specific service instances for a specific set of VLANs, instead of advertising top-level Bonjour Services to various allocated VLAN(s). contains <WORD> Specify the sub-string to match. You can either directly specify the string value to be used as a match criteria, or use a string alias (for example,

$BONJOUR-STRING) to identify the string to match. If using a string alias, ensure that it is existing and configured. For information on configuring aliases, see alias. Example nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#allow-service Afp local nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#allow-service Printer lo cal instance-name contains $Bonjour_Service service-vlans 1,2 nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#show context bonjour-gw-discovery-policy test allow-service Printer local service-vlans 1-2 instance-name contains

$Bonjour_Service allow-service Afp local nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#

Following example configures the string alias named $Bonjour_Service:

nx9500-6C8809(config)#alias string $Bonjour_Service admin nx9500-6C8809(config)#commit nx9500-6C8809(config)#show context include-factory | include alias string alias string $Bonjour_Service admin nx9500-6C8809(config)#

Related Commands no Removes or modifies this Bonjour Gateway Discovery Policy settings Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 88 GLOBAL CONFIGURATION COMMANDS 4.1.28.2.2 no bonjour-gateway-discovery-policy-mode commands Removes or modifies the Bonjour Gateway Discovery policy settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no allow-service <BONJOUR-SERVICE-NAME> [local|tunneled] {service-vlans <WORD>}

Parameters no allow-service <BONJOUR-SERVICE-NAME> [local|tunneled] {service-vlans <WORD>}

no <parameters>

Removes allow-service rules in the selected Bonjour GW Discovery policy, based on the parameters passed Example The following example shows the Bonjour GW Discovery policy test settings before the no command is executed:

nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#show context bonjour-gw-discovery-policy test allow-service Printer local service-vlans 1-2 instance-name contains

$Bonjour_Service allow-service Afp local nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#

nx9500-6C8809(config-bonjour-gw-discovery-policy-test1)#no allow-service Afp local The following example shows the Bonjour GW Discovery policy test settings after the no command was executed:

nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#show context bonjour-gw-discovery-policy test allow-service Printer local service-vlans 1-2 instance-name contains

$Bonjour_Service nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 89 GLOBAL CONFIGURATION COMMANDS 4.1.29 bonjour-gw-forwarding-policy Global Configuration Commands Configures a Bonjour GW Forwarding policy. When configured and applied on the controller, the policy defines the service VLANs (the VLANs on which Bonjour services are running) and client VLANs where clients are present. All Bonjour responses from service VLANs are forwarded to client VLANs. A maximum of 2 (two) policies can be created on a wireless controller or service platform. And only 1 (one) policy can be created on an access point. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax bonjour-gw-forwarding-policy <POLICY-NAME>

Parameters bonjour-gw-forwarding-policy <POLICY-NAME>

<POLICY-NAME>

Specify the Bonjour GW Forwarding policy name. If the policy does not exist, it is created. To receive Bonjour service responses from specific VLANs, specify the VLAN IDs. In the Bonjour GW Forwarding policy configuration mode, provide a list of VLAN IDs from which Bonjour responses can be received (format: 10-20, 25, 30-35). And then specify the list of client VLANs that can access Bonjour services. Execute the bonjour-gw-discovery-policy command to define the Bonjour services allowed on local and tunneled VLANs. To associate a Bonjour GW Forwarding policy with a device or profile, in the profile/

device configuration mode, execute the use > bonjour-gw-forwarding-policy >

<POLICY-NAME> command. For more information, see use. Example rfs6000-81742D(config)#bonjour-gw-forwarding-policy TestPolicy rfs6000-81742D(config-bonjour-gw-forwarding-policy-TestPolicy)#?

commands:

forward-bonjour-response Forwards bonjour service response across vlans no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-bonjour-gw-forwarding-policy-TestPolicy)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 90 GLOBAL CONFIGURATION COMMANDS Related Commands no Removes an existing Bonjour GW Forwarding policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 91 GLOBAL CONFIGURATION COMMANDS 4.1.30 bonjour-gw-query-forwarding-policy Global Configuration Commands Configures a Bonjour GW Query Forwarding policy and enters its configuration mode. When created and applied, this policy enables forwarding of Bonjour queries across VLANs. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax bonjour-gw-query-forwarding-policy <POLICY-NAME>

Parameters bonjour-gw-query-forwarding-policy <POLICY-NAME>

<POLICY-NAME>

Specify the Bonjour GW Query Forwarding policy name. If the policy does not exist, it is created. In the Bonjour GW Query Forwarding policy configuration mode, specify the from and to VLAN(s). The from-vlans option configures the VLAN(s) that are the source of the Bonjour queries. The to-vlans option configures the destination VLAN(s) that can access the Bonjour queries. To associate a Bonjour GW Query Forwarding policy with a device or profile, in the profile/device configuration mode, execute the use > bonjour-gw-query-forwarding-

policy > <POLICY-NAME> command. For more information, see use. Example rfs6000-81742D(config)#bonjour-gw-query-forwarding-policy TestPolicy rfs6000-81742D(config-bonjour-gw-query-forwarding-policy-test)#?

(config-bonjour-gw-query-forwarding-policy) commands:

forward-bonjour-query Forwards bonjour query across vlans no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-bonjour-gw-query-forwarding-policy-test)#

Related Commands no Removes an existing Bonjour GW Query Forwarding policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 92 GLOBAL CONFIGURATION COMMANDS 4.1.31 captive portal Global Configuration Commands The following table lists the commands that enable you to create a new captive portal policy and enter its configuration mode:

Table 4.10 Captive-Portal Config Commands Description Creates a new captive portal and enters its configuration mode Summarizes captive portal configuration commands Reference page 4-94 page 4-96 Command captive-portal captive-portal-

mode commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 93 GLOBAL CONFIGURATION COMMANDS 4.1.31.1 captive-portal captive portal Configures a captive portal policy and enters its configuration mode. Once created and configured, use the captive portal policy in the WLAN context, and in the device/profile contexts of the access point or controller hosting the captive portal server. A captive portal provides secure access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access to the wireless network. Once logged into the captive portal, additional Acknowledgment, Agreement, Welcome, No Service, and Fail pages provide the administrator options to customize the screen flow and user appearance. Captive portals are recommended for providing guests or visitors authenticated access to network resources when 802.1X EAP is not a viable option. Captive portal authentication does not provide end-user data encryption, but it can be used with static WEP, WPA-PSK or WPA2-PSK encryption. Authentication for captive portal access requests is performed using a username and password pair, authenticated by an integrated RADIUS server. Authentication for private network access is conducted either locally on the requesting wireless client, or centrally at a data center. Captive portals use a Web provisioning tool to create guest user accounts directly on the controller, service platform, or access point. The connection medium defined for the Web connection is either HTTP or HTTPS. Both HTTP and HTTPS use a request and response procedure to disseminate information to and from requesting wireless clients. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax captive-portal <CAPTIVE-PORTAL-NAME>

Parameters captive-portal <CAPTIVE-PORTAL-NAME>

<CAPTIVE-PORTAL-

NAME>

Specify the captive portal name. If a captive portal with the specified name does not exist, it is created. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 94 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config)#captive-portal test rfs6000-81742D(config-captive-portal-test)#?

Captive Portal Mode commands:

access-time Allowed access time for the client. Used when there is no session time in radius response access-type Access type of this captive portal accounting Configure how accounting records are created for this captive portal policy bypass Bypass captive portal connection-mode Connection mode for this captive portal custom-auth Custom user information data-limit Enforce data limit for clients inactivity-timeout Inactivity timeout in seconds. If a frame is not received from client for this amount of time, then current session will be removed ipv6 Internet Protocol version 6 (IPv6) localization Configure the FQDN address to get the localization parameters for the client logout-fqdn Configure the FQDN address to logout the session from client no Negate a command or set its defaults oauth OAuth 2.0 authentication configuration php-helper Configure the captive portal to use a server for help with php post-authentication-vlan Configure post authentication vlan for captive portal users radius-vlan-assignment Enable radius vlan assignment for captive portal users redirection Configure connection redirection parameters report-loyalty-application Report customer loyalty application presence in clients server Configure captive portal server parameters simultaneous-users Particular username can only be used by a certain number of MAC addresses at a time terms-agreement User needs to agree for terms and conditions use Set setting to use webpage Configure captive portal webpage parameters webpage-auto-upload Enable automatic upload of internal and advanced webpages webpage-location The location of the webpages to be used for authentication. These pages can either be hosted on the system or on an external web server. welcome-back Welcome back page settings clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-captive-portal-test)#

Related Commands no Removes an existing captive portal Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 95 GLOBAL CONFIGURATION COMMANDS 4.1.31.2 captive-portal-mode commands captive portal The following table summarizes captive portal configuration mode commands:

Table 4.11 Captive-Portal-Mode Commands Command access-time access-type accounting bypass connection-

mode custom-auth data-limit inactivity-

timeout ipv6 localization logout-fqdn no oauth php-helper post-

authentication-

vlan radius-vlan-

assignment redirection report-loyalty-

application server simultaneous-

users terms-

agreement use webpage Description Defines a clients access time. It is used when no session time is defined in the RADIUS response. Configures a captive portals access type Enables a captive portals accounting records Enables bypassing of captive portal detection requests from wireless clients Configures a captive portals connection mode Configures custom user information Enforces data limit on captive portal clients Defines an inactivity timeout in seconds Configures the IPv6 address of the internal captive portal server Configures an FQDN address string that enables the client to receive localization parameters. This command also allows the configuration of a response message. Clears the logout FQDN address Reverts the selected captive portals settings to default Enables OAuth-based authentication support on the captive portal. When enabled, OAuth allows captive-portal users to sign in to guest WLANs using their Facebook or Google credentials. Configures a PHP helper to serve the captive portals PHP splash pages to guest users using social-media to login to the captive portal. Assigns a post authentication RADIUS VLAN for this captive portals users Assigns a RADIUS VLAN for this captive portal Enables redirection of client connections to specified destination ports Enables detection of captive portal clients loyalty application presence and stores this information in the captive portals user database Configures the captive portal server settings Specifies a username used by a MAC address pool Enforces the user to agree to terms and conditions (included in login page) for captive portal access Associates a AAA policy and a DNS whitelist with a captive portal Configures captive portal Web page settings Reference page 4-98 page 4-99 page 4-100 page 4-102 page 4-103 page 4-104 page 4-105 page 4-106 page 4-107 page 4-108 page 4-110 page 4-111 page 4-113 page 4-115 page 4-117 page 4-118 page 4-119 page 4-120 page 4-121 page 4-123 page 4-124 page 4-125 page 4-127 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 96 GLOBAL CONFIGURATION COMMANDS Table 4.11 Captive-Portal-Mode Commands Description Enables automatic upload of advanced Web pages on a captive portal Reference page 4-135 Specifies the location of Web pages used for captive portal authentication Enables the provision of direct Internet access to once-registered, captive-portal guest users on subsequent log-ins Documents configuration details required to enable device registration with dynamic VLAN assignment in a multi-vendor environment page 4-136 page 4-137 page 4-139 Documents configuration details required to support the WeChat WiFi hotspot, so that WeChat users, on their first connect to a WiNG access point, can automatically authenticate with the WeChat server through an intermediate server page 4-141 Documents the basic configurations required to deploy an ExtremeGuest setup page 4-143 Command webpage-auto-

upload webpage-

location welcome-back configuring device registration with dynamic VLAN assignment configuring WeChat Wi-Fi hotspot support in WiNG captive portal configuring ExtremeGuest captive-portal Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 97 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.1 access-time captive-portal-mode commands Defines the permitted access time for a client. It is used when no session time is defined in the RADIUS response. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax access-time <10-10080>

Parameters access-time <10-10080>

access-time

<10-10080>

Defines the duration wireless clients are allowed access to the Internet using this captive portal policy

<10-10080> Specify a value from 10 - 10080 minutes. The default is 1440 minutes. Example rfs6000-81742D(config-captive-portal-test)#access-time 35 rfs6000-81742D(config-captive-portal-test)#show context captive-portal test access-time 35 rfs6000-81742D(config-captive-portal-test)#

Related Commands no Reverts to the default permitted access time (1440 minutes) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 98 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.2 access-type captive-portal-mode commands Defines the captive portals access type. The authentication scheme configured here is applied to wireless clients using this captive portal. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax access-type [custom-auth-radius|logging|no-auth|radius|registration]

Parameters access-type [custom-auth-radius|logging|no-auth|radius|registration]

custom-auth-radius logging no-auth radius registration Specifies the custom user information used for authentication (RADIUS lookup of given information, such as name, e-mail address, telephone, etc.). When configured, accessing clients are required to provide a 1-32 character lookup data string used to authenticate their credentials. When selecting this option, use the custom-auth command to configure the required user information. Provides users access without authentication. The system logs access details of users allowed access. Defines no authentication required for a guest (guest is redirected to welcome message). Provides users access to the captive portal without authentication. Enables RADIUS authentication for wireless clients. Provides captive portal access to successfully authenticated users only. This is the default setting. Enables captive portals clients to self register in the captive portals database. When configured, a requesting clients user credentials require authentication locally or through social media credential exchange and validation. If enabled, use the webpage > internal > registration > field command to customize the registration page. If not customized, the default, built-in registration Web page is displayed. Example rfs6000-81742D(config-captive-portal-test)#access-type logging rfs6000-81742D(config-captive-portal-test)#show context captive-portal test access-type logging access-time 35 rfs6000-81742D(config-captive-portal-test)#

Related Commands no Removes the captive portal access type or reverts to default (radius) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 99 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.3 accounting captive-portal-mode commands Enables support for accounting messages for this captive portal When enabled, accounting for clients entering and exiting the captive portal is initiated. Accounting is the method of collecting and sending security server information for billing, auditing, and reporting user data. This data includes information, such as start and stop times, executed commands (such as PPP), number of packets and number of bytes transmitted, etc. Accounting enables tracking of captive portal services consumed by clients. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax accounting [radius|syslog]

accounting radius accounting syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-

controller|through-rf-domain-manager]}

Parameters accounting radius radius Enables support for RADIUS accounting messages. When enabled, this option uses an external RADIUS resource for AAA accounting. This option is disabled by default. accounting syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|

through-controller|through-rf-domain-manager]}

syslog host <IP/

HOSTNAME>

port <1-65535>

proxy-mode [none|

through-controller|

through-rf-domain-

manager]

Enables support for syslog accounting messages. When enabled, data relating to wireless client usage of remote access services is logged on the specified external syslog resource. This information assists in differentiating between local and remote users. Remote user information can be archived to an external location for periodic network and user administration. This option is disabled by default. host <IP/HOSTNAME> Specifies the destination where accounting messages are sent. Specify the destinations IP address or hostname. Optional. Specifies the syslog servers listener port

<1-65535> Specify the UDP port from 1- 65535. The default is 514. Optional. Specifies the mode of proxying the syslog server none Accounting messages are sent directly to the syslog server through-controller Accounting messages are sent through the controller configuring the device through-rf-domain-manager Accounting messages are sent through the local RF Domain manager Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 100 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-captive-portal-test)#accounting syslog host 172.16.10.13 port 1 rfs6000-81742D(config-captive-portal-test)#show context captive-portal test access-type logging access-time 35 accounting syslog host 172.16.10.13 port 1 rfs6000-81742D(config-captive-portal-test)#

Related Commands no Disables accounting records for this captive portal Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 101 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.4 bypass captive-portal-mode commands Enables bypassing of captive portal detection requests from wireless clients Certain devices, such as Apple IOS devices send Captive Network Assistant (CNA) requests to detect existence of captive portals. When enabled, the bypass option does not allow CNA requests to be redirected to the captive portal pages. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax bypass captive-portal-detection Parameters bypass captive-portal-detection bypass captive-

portal-detection Bypasses captive portal detection requests Example rfs4000-229D58(config-captive-portal-test)#bypass captive-portal-detection rfs4000-229D58(config-captive-portal-test)#show context captive-portal test bypass captive-portal-detection rfs4000-229D58(config-captive-portal-test)#

Related Commands no Disables bypassing of captive portal detection requests Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 102 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.5 connection-mode captive-portal-mode commands Configures a captive portals mode of connection to the Web server. HTTP uses plain unsecured connection for user requests. HTTPS uses an encrypted connection to support user requests. Both HTTP and HTTPS use the same Uniform Resource Identifier (URI), so controller and client resources can be identified. However, the use of HTTPS is recommended, as it affords controller and client transmissions some measure of data protection HTTP cannot provide. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax connection-mode [http|https]

Parameters connection-mode [http|https]

http https Example Sets HTTP as the default connection mode. This is the default setting. Sets HTTPS as the default connection mode HTTPS is a more secure version of HTTP, and uses encryption while sending and receiving requests. rfs6000-81742D(config-captive-portal-test)#connection-mode https rfs6000-81742D(config-captive-portal-test)#show context captive-portal test access-type logging access-time 35 connection-mode https accounting syslog host 172.16.10.13 port 1 rfs6000-81742D(config-captive-portal-test)#

Related Commands no Removes this captive portals connection mode Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 103 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.6 custom-auth captive-portal-mode commands Configures custom user information Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax custom-auth info <LINE>

Parameters custom-auth info <LINE>

info <LINE>

Configures information used for RADIUS lookup when custom-auth RADIUS access type is configured

<LINE> Guest data needs to be provided. Specify the name, e-mail address, and telephone number of the user. Example rfs6000-81742D(config-captive-portal-test)#custom-auth info bob bob@examplecompany.com rfs6000-81742D(config-captive-portal-test)#show context captive-portal test access-type logging access-time 35 custom-auth info bob bob@examplecompany.com connection-mode https accounting syslog host 172.16.10.13 port 1 rfs6000-81742D(config-captive-portal-test)#

Related Commands no Removes custom user information configured with this captive portal Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 104 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.7 data-limit captive-portal-mode commands Enforces data transfer limits on captive portal clients. This feature enables the tracking and logging of user usage. Users exceeding the allowed bandwidth are restricted from the captive portal. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax data-limit <1-102400> {action [log-and-disconnect|log-only]}

Parameters data-limit <1-102400> {action [log-and-disconnect|log-only]}

data-limit

<1-102400>

action

[log-and-disconnect|

log-only]

Sets a captive portal clients data transfer limit in megabytes. This limit is applicable for both upstream and downstream data transfer.

<1-102400> Specify a value from 1 - 102400 MB. Optional. Specifies the action taken when a client exceeds the configured data limit. The options are:

log-and-disconnect When selected, an entry is added to the log file any time a captive portal client exceeds the data limit, and the client is disconnected. log-only When selected, an entry is added to the log file any time a captive portal client exceeds the data limit. the client, however, remains connected to the captive portal. This is the default setting. Example rfs6000-81742D(config-captive-portal-test)#data-limit 200 action log-and-

disconnect rfs6000-81742D(config-captive-portal-test)#show context captive-portal test data-limit 200 action log-and-disconnect rfs6000-81742D(config-captive-portal-test)#

Related Commands no Removes data limit enforcement for captive portal clients Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 105 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.8 inactivity-timeout captive-portal-mode commands Defines the inactivity timeout in seconds. If a frame is not received from a client for the specified interval the current session is terminated. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax inactivity-timeout <60-86400>

Parameters inactivity-timeout <60-86400>

<60-86400>

Defines the interval for which a captive portal session is kept alive without receiving a frame from the client. The session is automatically terminated once this interval is over.

<60-86400> Specify a value from 60 - 86400 seconds. The default is 10 minutes or 600 seconds. Example rfs6000-81742D(config-captive-portal-test)#inactivity-timeout 750 rfs6000-81742D(config-captive-portal-test)#show context captive-portal test access-type logging access-time 35 custom-auth info bob bob@examplecompany.com connection-mode https inactivity-timeout 750 accounting syslog host 172.16.10.13 port 1 rfs6000-81742D(config-captive-portal-test)#

Related Commands no Removes the client inactivity-timeout configured with this captive portal Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 106 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.9 ipv6 captive-portal-mode commands Configures the internal captive portal servers (running on the centralized mode) IPv6 address. If using centralized server mode, use this option to define the controller, service platform, or access point resources

(hosting the captive portal) IPv6 address. For information on configuring the server mode, see server. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ipv6 server host <IPv6>

Parameters ipv6 server host <IPv6>

ipv6 server host

<IPv6>

Configures the IPv6 address of the internal captive portal server

<IPv6> Specify the captive portal servers global IPv6 address. Example rfs6000-81742D(config-captive-portal-test2)#ipv6 server host 2001:10:10:10:6d:33:fa:8b rfs6000-81742D(config-captive-portal-test2)#show context captive-portal test2 access-type OAuth ipv6 server host 2001:10:10:10:6d:33:fa:8b OAuth client-id Google TechPubs.printer.google.com rfs6000-81742D(config-captive-portal-test2)#

Related Commands no Removes the captive portal servers IPv6 address Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 107 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.10 localization captive-portal-mode commands Configures an FQDN address string that enables the client to receive localization parameters. Use this option to add a URL to trigger a one-time redirect on demand. The defined URL is triggered from a mobile application to derive location information from the wireless network so an application can be localized to a particular store or region. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax localization [fqdn <WORD>|response <WORD>]

Parameters localization [fqdn <WORD>|response <WORD>]

localization fqdn <WORD>

response <WORD>

Configures an FQDN address string that enables the client to receive localization parameters. This command also allows the configuration of a response message. Configures the FQDN address string, which is used to obtain localization parameters for the captive portals client.

<WORD> Specify the FQDN address string. For example, local.guestaccess.com Configures a message, which is sent back to the client in response to the clients localization HTTP requests

<WORD> Specify the response message (should not exceed 512 characters in length). The following built-in query tags can be included in the response message:

WING_TAG_CLIENT_IP' -Captive portal client IPv4 address

'WING_TAG_CLIENT_MAC' - Captive portal client MAC address

'WING_TAG_WLAN_SSID ' - Captive portal client WLAN ssid

'WING_TAG_AP_MAC' - Captive portal client AP MAC address

'WING_TAG_AP_NAME' - Captive portal client AP Name

'WING_TAG_RF_DOMAIN' - Captive portal client RF Domain

'WING_TAG_USERNAME' - Captive portal authentication username

'WING_TAG_USERTYPE' - Captive portal usertype

(new/return/refresh) Example:-

<local><site>WING_TAG_RF_DOMAIN</site><ap>WING_TAG_AP_NAME</ap></

local Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 108 GLOBAL CONFIGURATION COMMANDS Example nx9500-6C8809(config-captive-portal-test)#localization fqdn local.guestaccess.com nx9500-6C8809(config-captive-portal-test)#localization response

<local><site>SJExtreme</site><ap>ap8132-74B45C</ap><user>Bob</user><local>

nx9500-6C8809(config-captive-portal-TechPubsNew)#show context captive-portal TechPubsNew webpage internal registration field city type text enable label "City" placeholder

"Enter City"

webpage internal registration field street type text enable label "Address"

placeholder "123 Any Street"

webpage internal registration field name type text enable label "Full Name"

placeholder "Enter First Name, Last Name"

webpage internal registration field zip type number enable label "Zip" placeholder

"Zip"

webpage internal registration field via-sms type checkbox enable title "SMS Preferred"

webpage internal registration field mobile type number enable label "Mobile"

placeholder "Mobile Number with Country code"

webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"

webpage internal registration field email type e-address enable mandatory label

"Email" placeholder "you@domain.com"

webpage internal registration field via-email type checkbox enable title "Email Preferred"

localization fqdn local.guestaccess.com localization response <local><site>SJExtreme</site><ap>ap8132-74B45C</

ap><user>Bob</user><local>

nx9500-6C8809(config-captive-portal-TechPubsNew)#

Related Commands no Removes the FQDN address string and response message configured on a captive portal for localization Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 109 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.11 logout-fqdn captive-portal-mode commands Configures the Fully Qualified Domain Name (FQDN) address to logout of the session from the client Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax logout-fqdn <WORD>

Parameters logout-fqdn <WORD>

logout-fqdn <WORD> Configures the FQDN address used to logout

<WORD> Provide the FQDN address (for example, logout.guestaccess.com). Example rfs6000-81742D(config-captive-portal-test)#logout-fqdn logout.testuser.com rfs6000-81742D(config-captive-portal-test)#show context captive-portal test logout-fqdn logout.testuser.com rfs6000-81742D(config-captive-portal-test)#

Related Commands no Clears the logout FQDN address Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 110 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.12 no captive-portal-mode commands The no command reverts the selected captive portals settings or resets settings to default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [access-time|access-type|accounting|bypass|connection-mode|custom-auth|

data-limit|inactivity-timeout|ipv6|localization|logout-fqdn|oauth|php-helper|

post-authentication-vlan|radius-vlan-assignment|redirection|

report-loyalty-application|server|simultaneous-users|terms-agreement|use|

webpage|webpage-auto-upload|webpage-location|welcome-back]

no [access-time|access-type|connection-mode|data-limit|inactivity-timeout|

logout-fqdn|post-authentication-vlan|radius-vlan-assignment|report-loyalty-

application|simultaneous-users|terms-agreement|webpage-auto-upload|

webpage-location]

no accounting [radius|syslog]

no bypass captive-portal-detection no custom-auth info no ipv6 server host no localization [fqdn|response]

no oauth {client-id}

no php-helper no redirection ports no server host no server mode {centralized-controller [hosting-vlan-interface]}

no use [aaa-policy|dns-whitelist]

no webpage external [acknowledgement|agreement|fail|login {post}|no-service|

registration|welcome]

no webpage internal [acknowledgement|agreement|fail|login|no-service|org-name|

org-signature|registration|welcome]

no webpage internal [org-name|org-signature]

no webpage internal [acknowledgment|agreement|fail|login|no-service] [body-

background-color|body-font-color|description|footer|header|main-logo|org-

background-color|org-font-color|small-logo|title]

no webpage internal registration [body-background-color|body-font-color|

description|field|footer|header|main-logo|org-background-color|org-font-

color|small-logo|title]

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 111 GLOBAL CONFIGURATION COMMANDS no webpage internal registration field [age-range|city|country|custom <FIELD-

NAME>|disclaimer|dob|email|gender|member|mobile|name|optout|street|via-email|

via-sms|zip] {enable}

no webpage internal welcome [body-background-color|body-font-color|description|

footer|header|main-logo|org-background-color|org-font-color|small-logo|title|

use-external-success-url]

no welcome-back pass-through Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or resets this captive portals settings, based on the parameters passed. Example The following example shows the captive portal test settings before the no commands are executed:

rfs6000-81742D(config-captive-portal-test)#show context captive-portal test access-type logging access-time 35 custom-auth info bob bob@examplecompany.com connection-mode https inactivity-timeout 750 accounting syslog host 172.16.10.13 port 1 rfs6000-81742D(config-captive-portal-test)#

rfs6000-81742D(config-captive-portal-test)#no accounting syslog rfs6000-81742D(config-captive-portal-test)#no access-type The following example shows the captive portal test settings after the no commands are executed:

rfs6000-81742D(config-captive-portal-test)#show context captive-portal test access-time 35 custom-auth info bob bob@examplecompany.com connection-mode https inactivity-timeout 750 rfs6000-81742D(config-captive-portal-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 112 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.13 oauth captive-portal-mode commands Enables OAuth-driven Google and/or Facebook authentication on captive portals that use internal Web pages. To enable Google and Facebook captive-portal authentication:

Enforce captive-portal authentication on the WLAN to which wireless-clients associate. For information, see captive-portal-enforcement. Set captive-portal Web page location to internal. For more information, see webpage-location. Register your captive-portal individually on Google/FaceBook APIs and generate a client-id and client-secret. The client-ids retrieved during registration are the IDs for the WiNG application running on the access point/controller. The WiNG application uses these client-ids to access the Google and Facebook Auth APIs, and authenticate the guest client on behalf of the user. If enabling OAuth-driven Google and/or Facebook authentication on the captive portal, use this command to configure the Google/Facebook client-ids. Once enabled, the captive portal landing page, displayed on the clients browser, provides the Facebook and Google login buttons. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax oauth oauth client-id [facebook|google] <WORD>

Parameters oauth oauth Execute this command without the associated keywords to enable OAuth on this captive-portal. If enabling OAuth, ensure the captive-portal Web page location is configured as advanced or external. oauth client-id [facebook|google] <WORD>

oauth client-id

[facebook|google]

<WORD>

Configures the client-ids retrieved from the Google and Facebook API manager portals during registration facebook Configures the Facebook API client-id (is a 15 digit entity) google Configures the Google API client-id (is a 12 digit number)

<WORD> Provide the Facebook/Google client-id. If the captive-portal Web page location is advanced or external, and you are enabling OAuth support, you need not configure the client-id. In such a scenario, the client-id is configured through the EGuest server UI and not the WiNG CLI. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 113 GLOBAL CONFIGURATION COMMANDS Example nx7500-6DCD39(config-captive-portal-test2)#OAuth nx7500-6DCD39(config-captive-portal-test2)#OAuth client-id Google xxxxxxxxxxxx.apps.googleusercontent.com Facebook yyyyyyyyyyyyyyy nx7500-6DCD39(config-captive-portal-test2)#show context captive-portal test2 server host guest.social.com oauth oauth client-id Google xxxxxxxxxxxx.apps.googleusercontent.com Facebook yyyyyyyyyyyyyyy nx7500-6DCD39(config-captive-portal-test)#

In the above example:

xxxxxxxxxxxx - Is the 12 digit numeric part of your Google client-id. yyyyyyyyyyyyyyy - Is the 15 digit Facebook client-id Related Commands no Removes all OAuth client identities configured for this captive portal Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 114 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.14 php-helper captive-portal-mode commands Configures a PHP helper to serve the PHP splash pages to guest users logging in to the captive portal using social-media credentials. Configure a PHP helper only if the following criteria are fulfilled:

OAuth-based authentication is enabled on the captive portal. The captive-portal server mode is self. The access point, hosting the captive-portal server, has low memory space (for example, the AP6511, AP6521, AP6522, AP6532, and AP7502 model access points). A hotspot server, hosting the captive-portal PHP splash pages, is up and running. The WiNG software introduces HybridAuth support on captive portals. HybridAuth is an open-source, social-sign on PHP Library. In addition to Google and Facebook, it allows a variety of third-party social authentications, such as LinkedIn, Twitter, Live, Yahoo, OpenID, etc. However, HybridAuth uses space-

consuming PHP splash pages that cannot be loaded on access points with low memory space. These access points can only serve the initial landing page, where guests clicking on a social login button are redirected by the php-helper to a PHP page hosted on the PHP-helper. To create PHP splash pages, use the splash template configuration tool available on the ExtremeGuest

(EGuest) dashboard. Upload the generated tar to both the hotspot server and the php helper. Note, the EGuest dashboard can be launched from the WiNG controller (NX9500/NX9600/VX9000) enabled as the EGuest server. For more information on enabling the EGuest server, see eguest-server (VX9000 only). For more information on configuring an EGuest captive portal, see configuring ExtremeGuest captive-

portal. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax php-helper [controller|domain-manager]

php-helper controller <IP/HOSTNAME> hosting-vlan-interface <0-4096>

php-helper domain-manager <IP/HOSTNAME>

Parameters php-helper controller <IP/HOSTNAME> hosting-vlan-interface <0-4094>]

php-helper controller <IP/

HOSTNAME>

hosting-vlan-interface

<0-4096>

Configures the php-helper parameters Configures the controller adopting the captive-portal access point as the php-helper

<IP/HOSTNAME> Specify the adopting controllers IP address or host name. Optional. Configures the VLAN on which the php-helper is reachable

<0-4096> Specify the VLAN hosting the php-helper from 0 - 4096. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 115 GLOBAL CONFIGURATION COMMANDS php-helper domain-manager <IP/HOSTNAME>

php-helper domain-manager <IP/

HOSTNAME>

Configures the php-helper parameters Configures the captive-portal access points RF Domain manager as the php-helper

<IP/HOSTNAME> Specify the RF Domain managers IP address or host name. Example To enable php-helper configure the following parameters in the captive-portal context:

ap6532-3163A4(config-captive-portal-php-helper)#oauth ap6532-3163A4(config-captive-portal-php-helper)#php-helper controller nx9500-

6C8809 ap6532-3163A4(config-captive-portal-php-helper)#server mode self ap6532-3163A4(config-captive-portal-php-helper)#server host cpsocial.extreme.com Note, when configuring the server, specify the servers hostname and not the IP address, because some social media do not allow IP address as a redirect URI. ap6532-3163A4(config-captive-portal-php-helper)#show running-config captive-

portal php-helper captive-portal php-helper server host cpsocial.extreme.com php-helper controller nx9500-6C8809 oauth webpage internal registration field city type text enable label "City" placeholder

"Enter City"

webpage internal registration field street type text enable label "Address"

placeholder "123 Any Street"

webpage internal registration field name type text enable label "Full Name"

placeholder --More--

ap6532-3163A4(config-captive-portal-php-helper)#

Related Commands no Removes the PHP helper configuration Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 116 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.15 post-authentication-vlan captive-portal-mode commands Configures the VLAN that is assigned to this captive portals users upon successful authentication Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax post-authentication-vlan [<1-4096>|<VLAN-ALIAS>]

Parameters post-authentication-vlan [<1-4096>|<VLAN-ALIAS>]

post-authentication-

vlan [<1-4096>|

<VLAN-ALIAS>]

Configures the post authentication VLAN. The VLAN specified here is assigned to this captive portals users after they have authenticated and logged on to the network. Provide the VLAN ID, or use an existing VLAN alias to identify the post authentication VLAN.

<1-4096> Specify the VLANs number from 1 - 4096.

<VLAN-ALIAS> Specify the VLAN alias (should be existing and configured). VLAN alias names begin with a $. Example rfs4000-229D58(config-captive-portal-test)#post-authentication-vlan 1 rfs4000-229D58(config-captive-portal-test)#show context captive-portal test post-authentication-vlan 1 rfs4000-229D58(config-captive-portal-test)#

Related Commands no radius-vlan-

assignment Removes the post authentication RADIUS VLAN assigned to this captive portals users Enables assignment of a RADIUS VLAN for this captive portal Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 117 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.16 radius-vlan-assignment captive-portal-mode commands Enables assignment of a RADIUS VLAN for this captive portal When enabled, if the RADIUS server as part of the authentication process returns a clients VLAN-ID in a RADIUS access-accept packet, all client traffic is forwarded on the post authentication VLAN. If disabled, the RADIUS servers VLAN assignment is ignored and the VLAN configuration defined within the WLAN configuration is used instead. This feature is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax radius-vlan-assignment Parameters None Example rfs4000-229D58(config-captive-portal-test)#radius-vlan-assignment rfs4000-229D58(config-captive-portal-test)#show context captive-portal test post-authentication-vlan 1 radius-vlan-assignment rfs4000-229D58(config-captive-portal-test)#

Related Commands no post-authentication-

vlan Disables assignment of a RADIUS VLAN for this captive portal Assigns a post authentication RADIUS VLAN for this captive portals users Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 118 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.17 redirection captive-portal-mode commands Configures a list of destination ports (separated by commas, or using a dash for a range) that are taken into consideration when redirecting client connections Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax redirection ports <LIST-OF-PORTS>

Parameters redirection ports <LIST-OF-PORTS>

ports <LIST-OF-

PORTS>

Configures destination ports considered for redirecting client connection A maximum of 16 ports can be specified in a comma-separated list. Standard ports 80 and 443 are always considered for client connections regardless of whats entered by the administrator. Example rfs4000-229D58(config-captive-portal-test)#redirection ports 1,2,3 rfs4000-229D58(config-captive-portal-test)#show context captive-portal test redirection ports 1-3 rfs4000-229D58(config-captive-portal-test)#

Related Commands no Disables redirection of client connection Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 119 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.18 report-loyalty-application captive-portal-mode commands Enables detection of captive portal clients usage of a selected (preferred) loyalty application Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax report-loyalty-application {custom-app <APPLICATION-NAME>}

Parameters report-loyalty-application {custom-app <APPLICATION-NAME>}

report-loyalty-

application

{custom-app

<APPLICATION-

NAME>}

Reports a captive portal clients loyalty application presence and stores this information in the captive portals user database. The clients loyalty application detection occurs on the access point to which the client is associated. Retail administrators can use this information to assess whether patrons loyalty application usage is as per expectation within specific retail environments. This option is disabled by default. custom-app <APPLICATION-NAME> Optional. Uses a custom application definition as match criteria.

<APPLICATION-NAME> Specify the custom application name (should be existing and configured). Ensure that the application specified is available and configured. If not, create an application definition. For more information, see application. If no custom application definition is specified, the system uses localization to detect application presence. Example nx9500-6C8809(config-captive-portal-test)#report-loyalty-application custom-app AntiVirus nx9500-6C8809(config-captive-portal-test)#show context include-factory | include report-loyalty-application report-loyalty-application custom-app AntiVirus nx9500-6C8809(config-captive-portal-test)#

Related Commands no Disables detection of customer-loyalty application presence Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 120 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.19 server captive-portal-mode commands Configures captive portal server parameters, such as the hostname, IP address, and mode of operation. This is the captive-portal server hosting the captive portal Web pages. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax server [host|mode]

server host <IP/HOSTNAME>

server mode [centralized|centralized-controller {hosting-vlan-interface <0-

4096>}|self]

Parameters server host <IP/HOSTNAME>

host <IP/HOSTNAME> Configures the internal captive portal server (wireless controller, access point, service platform)

<IP/HOSTNAME> Specify the IPv4/IPv6 address or hostname of the captive portal server. For centralized-controller mode, the server host should be a virtual hostname and not an IP address. If enabling OAuth (social-media login) on the captive portal, configure the servers hostname and not the IP address. This is because some social media do not allow IP address as redirect-uri. For more information, see oauth and php-helper. server mode [centralized|centralized-controller {hosting-vlan-interface <0-

4096>}|self]

mode centralized Configures the captive portal server mode. This parameter identifies the device that will capture and redirect a wireless users Web browser session to a landing page where the user has to provide login credentials in order to access the managed network. The WiNG captive portal implementation is very flexible and allows captive portal services to reside anywhere within the WiNG managed network. For example, the capture and redirection can be performed directly by the access points at the edge of the network, centrally on the controllers or service platforms managing the access points, or on dedicated wireless controller deployed within an isolated network. Select this option if capture and redirection is provided by a designated wireless controller/service platform on the network defined using an IPv4/IPv6 address or hostname. This dedicated device can either be managing the dependent/independent access points or be a dedicated device deployed over the intermediate network. Ensure the IPv4 address or hostname of the WiNG wireless controller performing the capture and redirection is defined in the captive portal policy. And also, that the wireless controller is reachable via MINT. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 121 GLOBAL CONFIGURATION COMMANDS Select this option if capture and redirection is on a cluster of wireless controller/

service platforms managing dependent/independent access points when redundancy is required. The capture and redirection is provided by one of the controllers in the cluster that is operating as the designated forwarder for the tunneled VLAN. The cluster can be configured as active/active or active/standby as required. If using this option, ensure a non-resolvable virtual hostname is defined in the captive portal policy which is shared between the controllers in the cluster. hosting-vlan-interface Optional. Configures the VLAN where the client can reach the captive-portal server. This option is available only for the centralized-controller mode.

<0-4096> Specify the VLAN number (0 implies the controller is available on the clients VLAN). Select this option if capture and redirection is provided by the access point that is servicing the captive portal enabled Wireless LAN. This is the default setting. When enabled each remote access point servicing the captive portal enabled WLAN performs the captive portal capture and redirection internally. The WLAN users are mapped to a locally bridged VLAN for which each access point has a Switched Virtual Interface (SVI) defined. The SVI can either have a static or dynamic (DHCP) IPv4 address assigned. The capture, redirection, and presentation of the captive portal pages are performed using the SVI on each access point the wireless device is associated to. centralized-controller

{hosting-vlan-

interface <0-4096>}

self Example rfs6000-81742D(config-captive-portal-test)#server host 172.16.10.9 rfs6000-81742D(config-captive-portal-test)#show context captive-portal test access-time 35 custom-auth info bob bob@examplecompany.com connection-mode https inactivity-timeout 750 server host 172.16.10.9 rfs6000-81742D(config-captive-portal-test)#

Related Commands no Resets or disables captive portal host and mode settings Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 122 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.20 simultaneous-users captive-portal-mode commands Specifies the number of users (client MAC addresses) that can simultaneously logon to the captive portal. This option is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax simultaneous-users <1-8192>

Parameters simultaneous-users <1-8192>

simultaneous-users

<1-8192>

Specifies the number of MAC addresses that can simultaneously access the captive portal

<1-8192> Select a number from 1 - 8192. Example rfs6000-81742D(config-captive-portal-test)#simultaneous-users 5 rfs6000-81742D(config-captive-portal-test)#show context captive-portal test access-time 35 custom-auth info bob bob@examplecompany.com connection-mode https inactivity-timeout 750 server host 172.16.10.9 simultaneous-users 5 rfs6000-81742D(config-captive-portal-test)#

Related Commands no Resets or disables captive portal commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 123 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.21 terms-agreement captive-portal-mode commands Enforces the user to agree to terms and conditions (included in the login page) for captive portal access. This feature is disabled by default. When enabled, the system enforces a previously registered user to re-confirm the terms of agreement, on successive log ins, only if the interval between the last log out and the current log in exceeds the agreement-refresh timeout configured in the WLAN context. For more information on configuring the agreement-refresh timeout value, see registration. For example:

If the agreement-refresh timeout is set at 20 minutes, the following two possibilities can arise:

The interval between logging out and re-logging exceeds 20 minutes - in which case the user is served the Terms of Agreement page on successful authentication. The interval between logging out and re-logging is less than 20 minutes - in which case the user is provided direct Internet access. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax terms-agreement Parameters None Example rfs6000-81742D(config-captive-portal-test)#terms-agreement rfs6000-81742D(config-captive-portal-test)#show context captive-portal test access-time 35 custom-auth info bob bob@examplecompany.com connection-mode https inactivity-timeout 750 server host 172.16.10.9 simultaneous-users 5 terms-agreement rfs6000-81742D(config-captive-portal-test)#

Related Commands no Resets or disables captive portal commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 124 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.22 use captive-portal-mode commands Configures a AAA policy and DNS whitelist with this captive portal policy. AAA policies are used to configure authentication and accounting servers for this captive portal. DNS whitelists restrict users to a set of configurable domains on the Internet. For more information on AAA policies, see AAA-POLICY. For more information on DNS whitelists, see dns-whitelist. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax use [aaa-policy <AAA-POLICY-NAME>|dns-whitelist <DNS-WHITELIST-NAME>]

Parameters use [aaa-policy <AAA-POLICY-NAME>|dns-whitelist <DNS-WHITELIST-NAME>]

aaa-policy

<AAA-POLICY-

NAME>

dns-whitelist

<DNS-WHITELIST-

NAME>

Associates a AAA policy with this captive portal. AAA policies validate user credentials and provide captive portal access to the network.

<AAA-POLICY-NAME> Specify the AAA policy name. Associates a DNS whitelist to use with this captive portal. A DNS whitelist defines a set of allowed destination IP addresses. DNS whitelists restrict captive portal access.

<DNS-WHITELIST-NAME> Specify the DNS whitelist name. To effectively host captive portal pages on an external Web server, the IP address of the destination Web server(s) should be added to the DNS whitelist. Example rfs6000-81742D(config-captive-portal-test)#use aaa-policy test rfs6000-81742D(config-captive-portal-test)#use dns-whitelist test rfs6000-81742D(config-captive-portal-test)#show context captive-portal test access-time 35 custom-auth info bob bob@examplecompany.com connection-mode https inactivity-timeout 750 server host 172.16.10.9 simultaneous-users 5 terms-agreement use aaa-policy test use dns-whitelist test rfs6000-81742D(config-captive-portal-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 125 GLOBAL CONFIGURATION COMMANDS Related Commands no dns-whitelist aaa-policy Removes a DNS Whitelist or a AAA policy from the captive portal Configures a DNS whitelist Configures a AAA policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 126 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.23 webpage captive-portal-mode commands Use this command to define the appearance and flow of Web pages requesting clients encounter when accessing a controller, service platform, or access point managed captive portal. Define whether the Web pages are maintained locally or externally to the managing device as well as messages displayed requesting clients. Configures Web pages displayed when interacting with a captive portal. These pages are:

acknowledgment This page displays details for the user to acknowledge agreement This page displays Terms and Conditions that a user accepts before allowed access to the captive portal. fail This page is displayed when the user is not authenticated. login This page is displayed when the user connects to the captive portal. It fetches login credentials from the user. no-service This page is displayed when a captive portal user is unable to access the captive portal due to unavailability of critical services. registration This page is displayed when users are redirected to a Web page where they have to register in the captive portals database. welcome This page is displayed to welcome an authenticated user to the captive portal. These Web pages, which interact with captive portal users, can be located either on the controller or an external location. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax webpage [external|internal]

webpage external [acknowledgment|agreement|fail|login {post}|no-service|

registration|welcome] <URL>

webpage internal [acknowledgment|agreement|fail|login|no-service|org-name|

org-signature|registration|welcome]

webpage internal [acknowledgment|agreement|fail|login|no-service|registration|

welcome] [description|footer|header|title] <CONTENT>

webpage internal [acknowledgment|agreement|fail|login|no-service|registration|

welcome] [body-background-color|body-font-color|org-background-color|org-font-

color] <WORD>

webpage internal [acknowledgment|agreement|fail|login|no-service|registration|

welcome] [main-logo use-as-banner|small-logo] <URL>

webpage internal registration field [age-range|city|country|custom|disclaimer|

dob|email|gender|member|mobile|name|optout|street|via-email|via-sms|zip] type

[checkbox|date|dropdown-menu|e-address|number|radio-button|text] enable {label

<LINE>|mandatory|title <LINE>|placeholder <LINE>}

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 127 GLOBAL CONFIGURATION COMMANDS webpage internal welcome use-external-success-url webpage internal [org-name|org-signature] <LINE>

Parameters webpage external [acknowledgment|agreement|fail|login {post}|no-service|

registration|welcome] <URL>

external acknowledgment agreement fail login {post}

no-service registration welcome Indicates Web pages being served are hosted on an external (to the captive portal) server resource Indicates the page is displayed for user acknowledgment of details. Users are redirected to this page to acknowledge information provided. Indicates the page is displayed for Terms & Conditions The agreement page provides conditions that must be agreed to before captive portal access is permitted. Indicates the page is displayed for login failure The fail page asserts authentication attempt has failed, the user is not allowed to access the Internet (using this captive portal) and must provide the correct login information again to access the Internet. Indicates the page is displayed for getting user credentials. This page is displayed by default. post Optional. Redirects users to post externally during authentication The login page prompts the user for a username and password to access the captive portal and proceed to either the agreement page (if used) or the welcome page. Indicates the page is displayed when certain critical services are unavailable and the user fails to access the captive portal. The no-service page asserts the captive portal service is temporarily unavailable due to technical reasons. Once the services become available, the captive portal user is automatically connected back to the services available through the captive portal. The possible scenarios are:

The RADIUS server (on-board or external) is not reachable and the user cannot be authenticated The external captive portal server is not reachable The connectivity between the adopted AP and controller is lost The external DHCP server is not reachable To provide this service, enable the following:

External captive portal server monitoring AAA server monitoring. This enables detection of RADIUS server failure. External DHCP server monitoring For more information on enabling these critical resource monitoring, see service. Indicates the page is displayed when users are redirected to a Web page where they have to register in the captive portals database Guest users are redirected to an internally (or) externally hosted registration page

(registration.html) upon association to a captive portal SSID, where previously, not-registered guest users can register. Indicates the page is displayed after a user has been successfully authenticated The welcome page asserts a user has logged in successfully and can access the captive portal. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 128 GLOBAL CONFIGURATION COMMANDS

<URL>

This parameter is common to all of the above mentioned Web pages, and specifies the Web page URL. The Web page is retrieved and served from the specified external location. The URL can include following query tags:

'WING_TAG_CLIENT_IP' - Captive portal client IPv4 address

'WING_TAG_CLIENT_MAC' - Captive portal client MAC address

'WING_TAG_WLAN_SSID ' - Captive portal client WLAN ssid

'WING_TAG_AP_MAC' - Captive portal client AP MAC address

'WING_TAG_AP_NAME' - Captive portal client AP Name

'WING_TAG_RF_DOMAIN' - Captive portal client RF Domain

'WING_TAG_CP_SERVER' - Captive portal server address

'WING_TAG_USERNAME' - Captive portal authentication username Example:

http://cportal.com/policy/login.html?client_ip=WING_TAG_CLIENT_IP&ap_m c=WING_TAG_AP_MAC. Use '&' or '?' character to separate field-value pair. Enter 'ctrl-v' followed by '?' to configure query string. webpage internal [acknowledgment|agreement|fail|login|no-service|

registration|welcome] [description|footer|header|title] <CONTENT>

internal acknowledgment agreement fail login no-service Indicates the Web pages are hosted on an internal server resource. This is the default setting. Indicates the Web page is displayed for users to acknowledge the information provided Indicates the page is displayed for Terms & Conditions Indicates the page is displayed for login failure Indicates the page is displayed for entering user credentials Indicates the page is displayed when certain critical services are unavailable and the user fails to access the captive portal. The possible scenarios are:

The RADIUS server (on-board or external) is not reachable and the user cannot be authenticated The external captive portal server is not reachable The connectivity between the adopted AP and controller is lost The external DHCP server is not reachable To provide this service, enable the following:

External captive portal server monitoring AAA server monitoring. This enables detection of RADIUS server failure. External DHCP server monitoring AP to controller connectivity monitoring For more information on enabling these critical resource monitoring, see service. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 129 GLOBAL CONFIGURATION COMMANDS registration welcome description footer header title

<CONTENT>

Indicates the page is displayed when users are redirected to a Web page where they have to register in the captive portals database Guest users are redirected to an internally (or) externally hosted registration page

(registration.html) upon association to a captive portal SSID, where previously, not-

registered guest users can register. Indicates the page is displayed after a user has been successfully authenticated Indicates the content is the description portion of each of the following internal Web pages: acknowledgment, agreement, fail, login, no-service, and welcome Indicates the content is the footer portion of each of the following internal Web pages: acknowledgment, agreement, fail, no-service, and welcome page. The footer portion contains the signature of the organization that hosts the captive portal. Indicates the content is the header portion of each of the following internal Web pages: acknowledgment, agreement, fail, no-service, and welcome page. The header portion contains the heading information for each of these pages. Indicates the content is the title of each of the following internal Web pages:

acknowledgment, agreement, fail, no-service, and welcome page. The title for each of these pages is configured here. The following keyword is common to all of the above internal Web page options:

<CONTENT> Specify the content displayed for each of the different components of the internal Web page. Enter up to 900 characters for the description and 256 characters each for header, footer, and title. webpage internal [acknowledgment|agreement|fail|login|no-service|registration|

welcome] [main-logo use-as-banner|small-logo] <URL>

internal agreement acknowledgment fail login no-service Indicates the Web pages are hosted on an internal server resource Indicates the page is displayed for Terms & Conditions Indicates the Web page is displayed for users to acknowledge the information provided Indicates the page is displayed for login failure Indicates the page is displayed for user credentials Indicates the page is displayed when certain critical services are unavailable and the user fails to access the captive portal. The possible scenarios are:

The RADIUS server (on-board or external) is not reachable and the user cannot be authenticated The external captive portal server is not reachable The connectivity between the adopted AP and controller is lost The external DHCP server is not reachable To provide this service, enable the following:

External captive portal server monitoring AAA server monitoring. This enables detection of RADIUS server failure. External DHCP server monitoring AP to controller connectivity monitoring For more information on enabling these critical resource monitoring, see wlan. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 130 GLOBAL CONFIGURATION COMMANDS registration welcome main-logo use-as-banner small-logo

<URL>

Indicates the page displayed is the registration page to which users are redirected in order to register in the captive portals database Guest users are redirected to an internally (or) externally hosted registration page

(registration.html) upon association to a captive portal SSID, where previously, not-

registered guest users can register. Indicates the page is displayed after a user has been successfully authenticated The following keyword is common to all of the above internal Web page options:

main-logo Indicates the main logo displayed in the header of each Web page use-as-banner Uses the image, specified here, as the Web page banner, in place of the logo and organization name The following keyword is common to all of the above internal Web page options:

small-logo Indicates the logo image displayed in the footer of each Web page, and constitutes the organizations signature This parameter is common to the main-logo and small-logo keywords and provides the complete URL from where the main-logo and small-logo files are loaded and subsequently cached on the system.

<URL> Specify the location and name of the main-logo and the small-logo image files. webpage internal registration field [age-range|city|country|custom|

disclaimer|dob|email|gender|member|mobile|name|optout|street|via-email|via-sms|

zip] type [checkbox|date|dropdown-menu|e-address|number|radio-button|text] enable

{label <LINE>|mandatory|title <LINE>|placeholder <LINE>}

internal registration field [age-range|

city|country|

custom <WORD >|

disclaimer|]

Indicates the Web pages are hosted on an internal server resource Allows you to customize the user registration page. Select this option if the captive-

portals access-type is set to registration. Use the field and type options to define the input fields (for example, age-range, city, email, etc.) and the field type (for example, text, checkbox, dropdown-menu, radio-button, etc.) Guest users are redirected to an internally (or) externally hosted registration page

(registration.html) upon association to a captive portal SSID, where previously, not-

registered guest users can register. If the registration Web page is not customized, the built-in, default registration page is displayed to the client. Configures the captive portals registration page fields Following are the available fields and the field type for each:

age-range Creates the age-range input field (enabled by default and included in the built-in registration page) dropdown-menu Configures the age-range field as a drop-down menu radio-button Configures the age-range field as a radio button menu city Creates the postal address: city name input field (enabled by default and included in the built-in registration page) text Configures the city field as only alpha-numeric and special characters input field Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 131 field [dob|email|

gender|member|

mobile|name|optout|

street|via-email|

via-sms|zip]

GLOBAL CONFIGURATION COMMANDS country Creates the postal address: country name input field (disabled by default) text Configures the country field as only alpha-numeric and special characters in-

put field custom <WORD> Creates a customized field (as per your requirement). Use the custom option to create a field not included in the built-in list.

<WORD> Provide a name for the field. On the registration page, the field is dis-

played under the name specified here. disclaimer Creates clients disclaimer-confirmation input field (disabled by default) checkbox Configures the disclaimer field as a check box dob Creates the clients date of birth (DoB) input field (disabled by default) date Configures the DoB field as only date-format input field dropdown-menu Configures the DoB field as a drop-down menu text Configures the DoB field as only alpha-numeric and special characters input field email Creates the e-mail address input field (enabled by default and included in the built-in registration page) e-address Configures the e-mail field as only e-mail address format input field gender Creates clients gender input field (disabled by default) dropdown-menu Configures the gender field as a drop-down menu radio-button Configures the gender field as a radio button menu member Creates clients loyalty or captive-portal membership card number input field (disabled by default) number Configures the member field as only-numeric characters input field text Configures the member field as only alpha-numeric and special characters input field mobile Creates the mobile number input field (enabled by default and included in the built-in registration page) number Configures the mobile field as only-numeric characters input field text Configures the mobile field as only alpha-numeric and special characters in-

put field name Creates the client name input field (enabled by default and included in the built-in registration page) text Configures the name field as only alpha-numeric and special characters input field optout Creates an input field that enables clients to opt out from registering checkbox Configures the optout field as a check box street Creates the postal address: street name/number input field (enabled by default and included in the built-in registration page) text Configures the street field as only alpha-numeric and special characters input field via-email Creates the clients preferred mode of communication as e-mail input field

(enabled by default and included in the built-in registration page) checkbox Configures the via-email field as a check box via-sms Creates the clients preferred mode of communication as SMS input field

(enabled by default and included in the built-in registration page) checkbox Configures the via-sms field as a check box Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 132 GLOBAL CONFIGURATION COMMANDS type [checkbox|

date|

dropdown-menu|

e-address|number|

radio-button|text]

enable

{label <LINE>|

mandatory|

title <LINE>|

placeholder <LINE>}

zip Creates the postal address: zip input field (enabled by default and included in the built-in registration page) number Configures the zip field as only-numeric characters input field text Configures the zip field as only alpha-numeric and special characters input field After specifying the field, configure the field type. The options displayed depend on the field selected in the previous step. These options are: checkbox, date, dropdown-

menu, e-address, number, radio-button, and text. checkbox Configures the field as a check box date Configures the field as only date-format input field dropdown-menu Configures the field as a drop-down menu e-address Configures the field as an e-mail address input field number Configures the field as only-numeric characters input field radio-button Configures the field as a radio button text Configures the field as only alpha-numeric and special characters input field Some of the fields can have more than one field type options. For example, the field zip can either be a numerical field or a text. Select the one best suited for your captive-portal. Enables the field. When enabled, the field is displayed on the registration page. After enabling the field, optionally configure the following parameters:

label <LINE> Optional. Configures the fields label mandatory Optional. Makes the field mandatory title Optional. Configures the comma-separated list of items to include in the drop-

down menu. placeholder <LINE> Optional. Configures a string, not exceeding 300 characters, that is displayed within the field. If not configured, the field remains blank. webpage internal welcome use-external-success-url internal welcome use-external-success-

url Indicates the Web pages are hosted on an internal server resource Indicates the page is displayed after a user has been successfully authenticated When configured, redirects the user, on successful authentication, to an externally hosted success URL from the locally-hosted landing page. Use the webpage > external > welcome > <URL> command to specify the location of the Welcome page. webpage internal [org-name|org-signature] <LINE>

internal org-name org-signature

<LINE>

Indicates the Web pages are hosted on an internal server resource Specifies the companys name, included on Web pages along with the main image Specifies the companys signature information, included in the bottom of Web pages along with a small image Specify the companys name or signature depending on the option selected. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 133 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81701D(config-captive-portal-guest)#webpage external welcome http://

192.168.9.46/welcome.html rfs6000-81701D(config-captive-portal-guest)#show context captive-portal guest webpage external welcome http://192.168.9.46/welcome.html rfs6000-81701D(config-captive-portal-guest)#

nx9500-6C8809(config-captive-portal-register)#webpage internal registration field age-range type dropdown-menu enable mandatory title 10-20,20-30,30-40,50-60,60-70 nx9500-6C8809(config-captive-portal-register)#show context include-factory |

include age-range webpage internal registration field age-range type dropdown-menu enable mandatory label "Age Range" title "10-20,20-30,30-40,50-60,60-70"

nx9500-6C8809(config-captive-portal-register)#

In the following examples, the background and font colors have been customized for the captive portals login page. Similar customizations can be applied to the acknowledgement, agreement, fail, welcome, no-service, and registration captive portal pages. rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal login body-background-color #E7F0EB rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal login body-font-color #EF68A7 rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal login org-background-color #EFE4E9 rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal login org-font-color #BA4A21 rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#show context captive-portal cap-enhanced-policy webpage internal login org-background-color #EFE4E9 webpage internal login org-font-color #BA4A21 webpage internal login body-background-color #E7F0EB webpage internal login body-font-color #EF68A7 rfs6000-81701D(config-captive-portal-ca-enhanced-policy)#

The following examples configure a scenario where a successfully authenticated user is redirected to an externally hosted Welcome page from the internal landing page. rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage external welcome http://192.168.13.10/WelcomePage.html rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal welcome use-external-success-url rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#show context captive-portal cap-enhanced-policy webpage external welcome http://192.168.13.10/WelcomePage.html webpage internal acknowledgement org-background-color #33ff88 webpage internal acknowledgement org-font-color #bb6622 webpage internal acknowledgement body-background-color #22aa11 webpage internal acknowledgement body-font-color #bb6622 webpage internal welcome use-external-success-url rfs6000-81701D(config-captive-portal-ca-enhanced-policy)#

Related Commands no Resets or disables captive portal configurations Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 134 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.24 webpage-auto-upload captive-portal-mode commands Enables automatic upload of advanced Web pages to requesting clients on association. Enable this option if the webpage-location is selected as advanced. For more information, see webpage-location. If this feature is enabled, access points shall request for Web pages from the controller during adoption. If the controller has a different set of Web pages, than the ones existing on the access points, the controller shall distribute the Web pages uploaded on it to the access points. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax webpage-auto-upload Parameters None Example rfs6000-81742D(config-captive-portal-test)#webpage-auto-upload rfs6000-81742D(config-captive-portal-test)#show context captive-portal test webpage-auto-upload logout-fqdn logout.testuser.com rfs6000-81742D(config-captive-portal-test)#

Related Commands no webpage webpage-location Disables automatic upload of advanced Web pages on a captive portal Configures Web pages displayed when interacting with a captive portal Specifies the location of the Web pages used for authentication Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 135 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.25 webpage-location captive-portal-mode commands Specifies the location of the Web pages used for authentication. These pages can either be hosted on the system or on an external Web server. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax webpage-location [advanced|external|internal]

Parameters webpage-location [advanced|external|internal]

advanced external internal Uses Web pages for login, welcome, failure, and terms created and stored on the controller. Select advanced to use a custom-developed directory full of Web page content that can be copied in and out of the controller, service platform, or access point. If selecting advanced, enable the webpage-auto-upload option to automatically launch the advanced pages to requesting clients upon association. For more information, see webpage-auto-upload. Uses Web pages for login, welcome, failure, and terms located on an external server. Provide the URL for each of these pages. Uses Web pages for login, welcome, and failure that are automatically generated Example rfs6000-81742D(config-captive-portal-test)#webpage-location external rfs6000-81742D(config-captive-portal-test)#show context captive-portal test access-time 35 custom-auth info bob bob@examplecompany.com connection-mode https inactivity-timeout 750 server host 172.16.10.9 simultaneous-users 5 terms-agreement webpage-location external use aaa-policy test rfs6000-81742D(config-captive-portal-test)#

Related Commands no webpage webpage-auto-

upload Resets or disables captive portal Web page settings Configures a captive portals Web page (acknowledgment, agreement, login, welcome, fail, no-service, and terms) settings Enables an automatic upload of advanced Web pages on a captive portal Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 136 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.26 welcome-back captive-portal-mode commands Enables the provision of direct Internet access to once-registered, captive-portal guest users on subsequent log-ins. When enabled, a registered captive-portal guest user, on subsequent logins, is served the Acknowledgement page only if:

The agreement-refresh option is enabled for device-based (device and device-OTP) registration, and The interval between logout and login is lesser than the agreement-refresh timeout configured in the WLAN context. If this interval exceeds the agreement-refresh timeout, the user is served the Agreement page. For more information on configuring the agreement-refresh timeout value, see registration. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax welcome-back pass-through Parameters welcome-back pass-through welcome-back pass-through Enables display of the Acknowledgement page to an already registered user on subsequent captive-portal log-ins, provided the interval between logout and login is lesser than the agreement-refresh timeout pass-through Provides user direct Internet access, from the Welcome-back page, without any user action Example nx9500-6C8809(config-captive-portal-test)#show context captive-portal test welcome-back pass-through webpage internal registration field city type text enable label "City" placeholder

"Enter City"

webpage internal registration field street type text enable label "Address"

placeholder "123 Any Street"

webpage internal registration field name type text enable label "Full Name"

placeholder "Enter First Name, Last Name"

webpage internal registration field zip type number enable label "Zip" placeholder

"Zip"

webpage internal registration field via-sms type checkbox enable title "SMS Preferred"

webpage internal registration field mobile type number enable label "Mobile"

placeholder "Mobile Number with Country code"

webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"

webpage internal registration field email type e-address enable mandatory label

"Email" placeholder "you@domain.com"

webpage internal registration field via-email type checkbox enable title "Email Preferred"

nx9500-6C8809(config-captive-portal-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 137 GLOBAL CONFIGURATION COMMANDS Related Commands no Disables the provision of direct Internet access to once-registered, captive-portal guest users on subsequent log-ins Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 138 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.27 configuring device registration with dynamic VLAN assignment captive-portal-mode commands This section provides the configurations required to enable device registration with dynamic VLAN assignment in a multi-vendor environment. 1 Create vendor-specific RADIUS user groups and assign an allowed VLAN to each group, as shown in the following examples:

nx9500-6C8809(config)#radius-group Apple nx9500-6C8809(config-radius-group-Apple)#policy vlan 200 nx9500-6C8809(config)#radius-group Samsung nx9500-6C8809(config-radius-group-Samsung)#policy vlan 100 nx9500-6C8809(config)#radius-group Devices nx9500-6C8809(config-radius-group-Devices)#policy vlan 1 Note, if necessary, configure the session-time for each of the above configured RADIUS group. This is the duration for which a RADIUS group clients session remains active after successful authentication. Upon expiration, the RADIUS session is terminated. Use the policy > session-time > <5-144000> command to specify the session-time. 2 Create a RADIUS user pool, add users to the pool, and assign the users to the vendor-specific user groups: as shown in the following examples:

nx9500-6C8809(config)#radius-user-pool-policy Vendor-Devices nx9500-6C8809(config-radius-user-pool-Vendor-Devices)#user Samsung password 0 samsung group Samsung nx9500-6C8809(config-radius-user-pool-Vendor-Devices)#user test password 0 test123 group Apple 3 Create a RADIUS server policy, and associate the RADIUS groups and user pool created in steps 1 and 2 respectively, as shown in the following examples:

nx9500-6C8809(config)#radius-server-policy Guest-Radius nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-user-pool-

policy Vendor-Devices nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Samsung nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Sony nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Apple 4 Create an AAA Policy, on the controller, and configure the authentication server as self, as shown in the following example:

nx9500-6C8809(config)#aaa-policy OnBoard-NX nx9500-6C8809(config-aaa-policy-OnBoard-NX)#authentication server 1 onboard controller nx9500-6C8809(config-aaa-policy-OnBoard-NX)#show context aaa-policy OnBoard-NX authentication server 1 onboard self nx9500-6C8809(config-aaa-policy-OnBoard-NX)#

5 Create a captive-portal, and point to the captive-portals server, enable RADIUS VLAN assignment, and associate the AAA policy, as shown in the following examples:

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 139 GLOBAL CONFIGURATION COMMANDS nx9500-6C8809(config)#captive-portal DeviceRegistration nx9500-6C8809(config-captive-portal-DeviceRegistration)#server host captive.extremenoc.com nx9500-6C8809(config-captive-portal-DeviceRegistration)#radius-vlan-

assignment nx9500-6C8809(config-captive-portal-DeviceRegistration)#use aaa-policy OnBoard-NX nx9500-6C8809(config-captive-portal-DeviceRegistration)#access-type radius 6 Configure a WLAN and enable RADIUS VLAN assignment, as shown in the following examples:

nx9500-6C8809(config)#wlan CP-OnBoarding nx9500-6C8809(config-wlan-CP-OnBoarding)#ssid CP-OnBoarding nx9500-6C8809(config-wlan-CP-OnBoarding)#radius vlan-assignment nx9500-6C8809(config-wlan-CP-OnBoarding)#use aaa-policy OnBoard-NX nx9500-6C8809(config-wlan-CP-OnBoarding)#use captive-portal DeviceRegistration nx9500-6C8809(config-wlan-CP-OnBoarding)#captive-portal-enforcement fall-back nx9500-6C8809(config-wlan-CP-OnBoarding)#registration device group-name Devices expiry-time 4320 nx9500-6C8809(config-wlan-CP-OnBoarding)#authentication-type mac assign the WLAN to the AP radio, as shown in the following examples:

7 Create an access point profile, associate the RADIUS server policy, captive-portal policy to it, and also nx9500-6C8809(config-profile-SITE-10)#use radius-server-policy Guest-Radius nx9500-6C8809(config-profile-SITE-10)#use captive-portal server DeviceRegistration nx9500-6C8809(config-profile-SITE-10-if-radio2)#wlan CP-OnBoarding bss 1 primary nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport mode trunk nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport trunk native vlan 90 nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport trunk allowed vlan 1,90,1000-1002 nx9500-6C8809(config-profile-SITE-10-if-ge1)#no switchport trunk native tagged 8 Use the access point profile in the access points device context. Related Commands Documents RADIUS server policy configuration commands Documents RADIUS group policy configuration commands radius-server-policy radius-group radius-user-pool-policy Documents RADIUS user policy configuration commands aaa-policy captive portal wlan Profile Config Commands guest-registration Documents AAA policy configuration commands Documents captive-portal configuration commands Documents WLAN configuration commands Documents profile configuration commands Documents show > guest-registration command and outputs. Use this command to view guest registration statistics once device-registration is enabled. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 140 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.28 configuring WeChat Wi-Fi hotspot support in WiNG captive portal captive-portal-mode commands WeChat is a popular messaging app used in China with more than 500 million installations. WeChats WiFi hotspot solution allows businesses to provide Internet access to their customers. The WiNG captive portal can be configured to incorporate the WeChat WiFi hotspot, so that WeChat users, on their first connect to a WiNG access point, can automatically authenticate with the WeChat server through an intermediate server. This section provides an example that shows the configurations required to be made on the WiNG portal to enable WeChat Wi-Fi hotspot. 1 Create an AAA policy re-directing the WiNG captive portal user to WeChats AAA server for authentication, as shown in the following example:

nx9500-6C8809(config)#aaa-policy cloud2 nx9500-6C8809(config-aaa-policy-cloud2)#authentication server 1 host cloud2.synchroweb.com secret 0 firmware nx9500-6C8809(config-aaa-policy-cloud2)#show context aaa-policy cloud2 authentication server 1 host cloud2.synchroweb.com secret 0 firmware nx9500-6C8809(config-aaa-policy-cloud2)#

Note, Synchroweb is an independent software vendor (ISV), whose third-party software is being used as the intermediate server. The AAA server and RADIUS accounting server configured in AAA policy must be as per the specification provided by the ISV. 2 Create a DNS whitelist, whitelisting WeChats server name in order to initiate RADIUS authentication. The qq.com domain name is where WeChat server can be reached. nx9500-6C8809(config)#dns-whitelist wxWL nx9500-6C8809(config-dns-whitelist-wxWL)#permit cloud2.synchroweb.com nx9500-6C8809(config-dns-whitelist-wxWL)#permit qq.com suffix nx9500-6C8809(config-dns-whitelist-wxWL)#show context dns-whitelist wxWL permit qq.com suffix permit cloud2.synchroweb.com nx9500-6C8809(config-dns-whitelist-wxWL)#

3 Create a captive portal and associate the AAA policy and DNS whitelist created in steps 1 & 2, as shown in the following example:

nx9500-6C8809(config)#captive-portal wxCP nx9500-6C8809(config-captive-portal-wxCP)#use aaa-policy cloud2 nx9500-6C8809(config-captive-portal-wxCP)#use dns-whitelist wxWL 4 Configure the following captive portal parameters:

nx9500-6C8809(config)#captive-portal wxCP nx9500-6C8809(config-captive-portal-wxCP)#access-time 10 nx9500-6C8809(config-captive-portal-wxCP)#server host guest.extreme.com nx9500-6C8809(config-captive-portal-wxCP)#webpage-location external nx9500-6C8809(config-captive-portal-wxCP)#webpage external login http://

cloud2.synchroweb.com/wechat.nx/index.phpc=WING_TAG_CLIENT_MAC Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 141 GLOBAL CONFIGURATION COMMANDS nx9500-6C8809(config-captive-portal-wxCP)#)#show context captive-portal wxCP access-time 10 server host guest.extreme.com webpage-location external webpage external login http://cloud2.synchroweb.com/wechat.nx/

index.phpc=WING_TAG_CLIENT_MAC use aaa-policy cloud2 use dns-whitelist wxWL

--More--

nx9500-6C8809(config-captive-portal-wxCP)#

Note, the login URL configured here must be as per the specifications provided by the ISV. Note, the access-type remains unchanged (i.e radius, which is the default setting). The access-time is set to a minimum value (10 minutes in this example) in order to avoid the default value of 24 hours being applied, in case the RADIUS response does not contain the session-timeout attribute. 5 Create a WLAN and associate the captive portal created in step 3:

nx9500-6C8809(config)#wlan wxOpen nx9500-6C8809(config-wlan-wxOpen)#ssid wxOpen nx9500-6C8809(config-wlan-wxOpen)#vlan 200 nx9500-6C8809(config-wlan-wxOpen)##use captive-portal wxCP nx9500-6C8809(config-wlan-wxOpen)#captive-portal-enforcement nx9500-6C8809(config-wlan-wxOpen)#show context wlan wxOpen ssid wxOpen vlan 200 bridging-mode local encryption-type none authentication-type none use captive-portal wxCP captive-portal-enforcement nx9500-6C8809(config-wlan-wxOpen)#

Note, the modes of authentication and encryption remain unchanged (i.e none, which is the default setting for both parameters). Ensure captive-portal-

enforcement is enabled on the WLAN. Related Commands AAA-POLICY dns-whitelist captive portal wlan Documents AAA policy configuration mode commands Documents DNS whitelist configuration mode commands Documents captive portal configuration mode commands Documents WLAN configuration mode commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 142 GLOBAL CONFIGURATION COMMANDS 4.1.31.2.29 configuring ExtremeGuest captive-portal captive-portal-mode commands This section documents the basic configurations required to deploy an ExtremeGuest (EGuest) setup. A typical EGuest deployment consists of the EGuest server, EGuest captive-portal database, and NOC adopting the access points. The EGuest server and database can be hosted only on the VX9000 platform. In the following example, the EGuest server and database are hosted on the same device. 1 On the EGuest server/database host, a enable the EGuest daemon. When enabled, the EGuset server is up and running. EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#eguest-server b apply a database-policy to enable the EGuest database. EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#use database-policy default c configure the NTP server. This is to ensure time synchronization across replica-set members (this is mandatory in replica-set deployments and should be configured either on the replica-set members device or profile context). EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#ntp server time.nist.govt 2 On the NOC, a create an AAA policy with the following configurations:

- Configure the EGuest server (configured in Step 1) as the authentication and accounting RADIUS server. NOC(config-aaa-policy-EguestAAA)#authentication server 1 host EG-Server secret 0 extreme123 NOC(config-aaa-policy-EguestAAA)#accounting server 1 host EG-Server secret 0 extreme123

- Configure the proxy-mode as through-controller. When configured, all requests to the server are proxied through the NOC. NOC(config-aaa-policy-EguestAAA)#authentication server 1 proxy-mode through-

controller NOC(config-aaa-policy-EguestAAA)#accounting server 1 proxy-mode through-

controller NOC(config-aaa-policy-EguestAAA)#show context aaa-policy EguestAAA accounting server 1 host EG-OnBServer secret 0 extreme123 accounting server 1 proxy-mode through-controller authentication server 1 host EG-Server secret 0 extreme123 authentication server 1 proxy-mode through-controller NOC(config-aaa-policy-EguestAAA)#

b Create a DNS whitelist. Note, DNS whitelist configuration is required only if enabling OAuth on the EGuest captive-portal. When created and used on the EGuest captive-portal, the DNS whitelist renders social plugin buttons on the client prior to successful captive portal authentication.

- Configure the following permit rules:

NOC(config-dns-whitelist-EguestDNS)#permit fbstatic-a.akamaihd.net NOC(config-dns-whitelist-EguestDNS)#permit connect facebook.net NOC(config-dns-whitelist-EguestDNS)#permit facebook.com suffix NOC(config-dns-whitelist-EguestDNS)#permit fbcdn.net suffix Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 143 GLOBAL CONFIGURATION COMMANDS NOC(config-dns-whitelist-EguestDNS)#permit googleapis.com suffix NOC(config-dns-whitelist-EguestDNS)#permit google.com suffix NOC(config-dns-whitelist-EguestDNS)#permit googleusercontent.com suffix NOC(config-dns-whitelist-EguestDNS)#permit linkedin.com suffix NOC(config-dns-whitelist-EguestDNS)#permit static.licdn.com NOC(config-dns-whitelist-EguestDNS)#permit twitter.com suffix NOC(config-dns-whitelist-EguestDNS)#permit twimg.com suffix NOC(config-dns-whitelist-EguestDNS)#permit instagramstatic-a.akamaihd.net NOC(config-dns-whitelist-EguestDNS)#permit instagram.com suffix NOC(config-dns-whitelist-EguestDNS)#permit ssl.gstatic.com NOC(config-dns-whitelist-EguestDNS)#permit extremenetworks.com suffix NOC(config-dns-whitelist-EguestDNS)#permit local.extreme.com c Create a captive-portal with the following configurations:

- Specify the captive-portal server. NOC(config-captive-portal-EguestCP)#server host guest.extreme.com

- Use the AAA policy created in Step 2 a. NOC(config-captive-portal-EguestCP)#use aaa-policy EguestAAA

- Enable social-media authentication. This setting is optional. NOC(config-captive-portal-EguestCP)#oauth

- Use the DNS whitelist created in Step 2 b. Note, the DNS whitelist is required only if enabling OAuth on the captive-portal. NOC(config-captive-portal-EguestCP)#use dns-whitelist EguestDNS

- Configure the webpage-location as advanced. Note, webpage-location should be advanced if using pages created with EGuest splash templates. NOC(config-captive-portal-EguestCP)#webpage-location advanced d Create a WLAN policy with the following configurations:

- Enable MAC authentication. NOC(config-wlan-EguestWLAN)#authentication-type mac

- Use the AAA policy created in Step 2 a. NOC(config-wlan-EguestWLAN)#use aaa-policy EguestAAA

--When used, access points/controllers forward registration requests to the EGuest server specified in the AAA policy. However, ensure that the registration >

external > follow-aaa option is configured on the WLAN. See below. NOC(config-wlan-EguestWLAN)#registration external follow-aaa

--This enables the use of the Authentication and Accounting servers specified in the AAA policy applied on the WLAN.

- Use the captive-portal created in Step 2 c. NOC(config-wlan-EguestWLAN)#use captive-portal EguestCP

- Enable captive-portal enforcement with fall-back. NOC(config-wlan-EguestWLAN)#captive-portal-enforcement fall-back

- Configure the following guest registration parameters:

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 144 GLOBAL CONFIGURATION COMMANDS NOC(config-wlan-EguestWLAN)#registration device group-name Eguest expiry-time 4320 agreement-refresh 1440

--This is the RADIUS group assigned to registered users post authentication. NOC(config-wlan-EguestWLAN)#show context wlan EguestWLAN ssid _EXTREME-GUEST-NRF2017 vlan 1 bridging-mode local encryption-type none authentication-type mac no answer-broadcast-probes no client-client-communication wireless-client hold-time 300 use aaa-policy EguestAAA use captive-portal EguestCP captive-portal-enforcement fall-back registration device group-name Eguest expiry-time 4320 agreement-refresh 1440 registration external follow-aaa mac-authentication cached-credentials NOC(config-wlan-EguestWLAN)#

e In the NOCs self context, configure the EGuest server. NOC(config-device-74-67-F7-5C-64-4A)#eguest-server host 1 EG-Server https 3 In the Access Points device or profile context, a Use the captive-portal configured in Step 2 c. Eguest-AP(config-device-74-67-F7-5C-64-4A)#use captive-portal EguestCP 4 To view EGuest registration status and statistics, on the EGuest server, use the following commands:

EG-Server-DB#show eguest registration statistics EG-Server-DB#show eguest registration status 5 To clear EGuest registration statistics, on the EGuest server, use the following command:

EG-Server-DB#clear eguest registration statistics Related Commands eguest-server (VX9000 only) AAA-POLICY dns-whitelist captive portal wlan eguest Documents the eguest-server command. When used in the EGuest servers device/profile context, without the host option, it enables the EGuest daemon. When used on the NOC along with the host option, it points to the EGuest server. Documents AAA policy configuration commands Documents DNS-whitelist configuration commands Documents captive-portal configuration commands Documents WLAN configuration commands Documents the show > eguest command outputs Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 145 GLOBAL CONFIGURATION COMMANDS 4.1.32 clear Global Configuration Commands Clears parameters, cache entries, table entries, and other similar entries. The clear command is available for specific commands only. The information cleared using this command varies depending on the mode where executed. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax clear event-history Parameters clear event-history event-history Clears the event history file Example rfs4000-880DA7(config)#show event-history EVENT HISTORY REPORT Generated on '2017-06-09 14:23:31 IST' by 'admin'

2017-06-09 14:16:28 rfs4000-880DA7 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'

2017-06-09 14:06:21 rfs4000-880DA7 DEVICE OFFLINE Device B4-C7-

99-71-17-28(ap8132-711728) is offline, last seen:10 minutes ago on switchport ap7522-8330A4:ge1 2017-06-09 13:46:15 rfs4000-880DA7 SYSTEM CONFIG_REVISION Configuration revision updated to 10 from 9 2017-06-09 13:36:12 rfs4000-880DA7 SYSTEM CONFIG_REVISION Configuration revision updated to 9 from 8 2017-06-09 13:26:09 rfs4000-880DA7 SYSTEM CONFIG_COMMIT Configuration commit by user 'cfgd' (site apply config diff) from '127.0.0.1'

2017-06-09 13:16:06 rfs4000-880DA7 DEVICE UNADOPTED Device('ap8132-

711728'/'ap81xx'/B4-C7-99-71-17-28) at rf-domain:'TechPubs' unadopted. Radios:

Count=2, Bss: B4-C7-99-78-53-10|B4-C7-99-78-53-70|

2017-06-09 13:10:047 ap8132-711728 SYSTEM WARM_START System Warm Start Reason : Upgrade done, reloading... (user: system @ rfs4000-880DA7) Timestamp: Nov 04 11:32:27 2016 2017-06-09 13:06:03 rfs4000-880DA7 DEVICE DEVICE_UPGRADE_REBOOT DEVICEUPGRADE:

ap81xx mac B4-C7-99-71-17-28 Device upgrade rebooting

--More--

rfs4000-880DA7(config)#

rfs4000-880DA7(config)#clear event-history rfs4000-880DA7(config)#show event-history EVENT HISTORY REPORT Generated on '2017-06-09 14:27:05 IST' by 'admin'

rfs4000-880DA7(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 146 GLOBAL CONFIGURATION COMMANDS 4.1.33 client-identity Global Configuration Commands With an increase in Bring Your Own Device (BYOD) corporate networks, there is a parallel increase in the number of possible attack scenarios within the network. BYOD devices are inherently unsafe, as the organizations security mechanisms do not extend to these personal devices deployed in the corporate wireless network. Organizations can protect their network by limiting how and what these BYODs can access on and through the corporate network. Device fingerprinting assists administrators by controlling how BYOD devices access a corporate wireless domain. Device fingerprinting uses DHCP options sent by the client in request or discover packets to derive a unique signature specific to device class. For example, Apple devices have a different signature from Android devices. The signature is used to classify the devices and assign permissions and restrictions on each device class. The following table summarizes the commands available for creating and configuring a set of new client identity parameters:

Table 4.12 Client-Identity-Config Commands Description Creates a new client identity and enters its configuration mode Invokes the client identity policy configuration mode commands Reference page 4-148 page 4-150 Creates a new client identity group and enters its configuration mode page 4-156 Command client-identity client-identity-

mode commands client-identity-

group Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 147 GLOBAL CONFIGURATION COMMANDS 4.1.33.1 client-identity client-identity Creates a new client identity and enters its configuration mode. Client identity is a set of unique fingerprints used to identify a class of devices. This information is used to configure permissions and access rules for the identified class of devices in the network. The client-identity feature enables device fingerprinting. Device fingerprinting is a technique of collecting, analyzing, and identifying traffic patterns originating from remote computing devices. When enabled, device fingerprinting helps to identify a wireless clients device type. There are two methods of fingerprinting devices: Active and Passive. Active fingerprinting is based on the fact that traffic patterns vary with varying device types. It involves the sending of requests (HTTP, etc.) to devices (clients) and analyzing their response to determine the device type. For example, an invalid request is sent to a device, and its error response is analyzed to identify the device type. Since active device fingerprinting involves sending of packets, the probability of the network getting flooded is very high, especially when many devices are being fingerprinted simultaneously. Passive fingerprinting involves monitoring of devices to check for known traffic patterns specific to devices based on the protocol, driver implementation, etc. This method accurately classifies a clients TCP/IP configuration, OS fingerprints, wireless settings etc. No packets are sent to the device. Some of the commonly used protocols for passive device fingerprinting are, TCP, DHCP, HTTP, etc. This feature implements DHCP device fingerprinting, which relies on specific information sent by a wireless client when acquiring IP address and other configuration information from a DHCP server. The feature uses the DHCP options sent by the wireless client in the DHCP request or discover packets to derive a unique signature specific to the class of devices. For example, Apple devices have a different signature than Android devices. This unique signature can then be used to classify the devices and assign permissions and restrictions on each device class. The WiNG software provides a set of built-in device fingerprints that load by default and identify client device types. Use the service > show > client-identity-defaults command to view default client identity fingerprints. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax client-identity <CLIENT-IDENTITY-NAME>

Parameters client-identity <CLIENT-IDENTITY-NAME>

client-identity

<CLIENT-IDENTITY-

NAME>

Creates a new client identity policy and enters its configuration mode

<CLIENT-IDENTITY--NAME> Specify a client identity policy name. If the client identity policy does not exist, it is created. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 148 GLOBAL CONFIGURATION COMMANDS Usage Guidelines The following points should be considered when configuring the client identity (device fingerprinting) feature:

Ensure that DHCP is enforced on the WLANs. For more information on enforcing DHCP on WLANs, see enforce-dhcp. Successful identification of different device types depends on the uniqueness of the configured fingerprints. DHCP fingerprinting identifies clients based on the patterns (fingerprints) in the DHCP discover and request messages sent by clients. If different operating systems have the same fingerprints. it will be difficult to identity the device type. When associating client identities with a role policy, ensure that the profile/device, under which the role policy is being used, also has an associated client identity group (containing all the client identities used by the role policy). Example rfs4000-229D58(config)#client-identity test rfs4000-229D58(config-client-identity-test)#?

Client Identity Mode commands:

dhcp Add a DHCP option based match criteria dhcp-match-message-type Specify DHCP message type to match no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs4000-229D58(config-client-identity-test)#

Use the service > show > client-identity-defaults command to view default, built-in, system-provided client identity fingerprints:

nx9500-6C8809#service show client-identity-defaults client-identity Android-2-1 dhcp 1 message-type request option 55 exact hexstring 0103061c21333a3b79 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.1 client-identity Android-2-2 dhcp 1 message-type request option 55 exact hexstring 01792103061c333a3b dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15 client-identity Android-2-3 dhcp 3 message-type request option 55 exact hexstring 01792103061c333a3b dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15 dhcp 1 message-type request option-codes exact hexstring 353d32393c37 dhcp 2 message-type request option-codes exact hexstring 353d3236393c37 dhcp 10 message-type request option-codes exact hexstring 353d3236393c0c37

--More--

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 149 GLOBAL CONFIGURATION COMMANDS 4.1.33.2 client-identity-mode commands client-identity The following table summarizes client identity configuration mode commands:

Table 4.13 Client-Identity-Mode Commands Command dhcp dhcp-match-

message-type no Description Configures the DHCP option match criteria for device fingerprinting Configures the DHCP message type for device fingerprinting Reference page 4-151 page 4-154 Removes the DHCP option (used for client identification) configurations page 4-155 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 150 GLOBAL CONFIGURATION COMMANDS 4.1.33.2.1 dhcp client-identity-mode commands Configures the DHCP option match criteria (signature) for the discover and request message types received from wireless clients When accessing a network, DHCP discover and request messages are passed between wireless clients and the DHCP server. These messages contain DHCP options and option values that differ from device to device and are based on the DHCP implementation in the devices operating system (OS). Options and option values contained in a clients messages are parsed and compared against the configured DHCP option values to identify the device. Once a device type is identified, the wireless client database is updated with the discovered device type. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dhcp <1-16> message-type [discover|request] [option|option-codes]

dhcp <1-16> message-type [discover|request] [option <1-254>|option-codes]

[contains|exact|starts-with] [ascii|hexstring] <WORD>

Parameters dhcp <1-16> message-type [discover|request] [option <1-254>|option-codes]

[contains|exact|starts-with] [ascii|hexstring] <WORD>

dhcp <1-16>

message-type

[discover|request]

option <1-254>

Adds a DHCP option match criteria signature

<1-16> Specify an index for this DHCP match criteria from 1 - 16. A maximum of 16 match criteria can be configured. Specifies the message type to which this DHCP match criteria is applicable discover Applies this match criteria to DHCP discover messages only. Indicates that the fingerprint is only checked with any DHCP discover messages received from any device. request Applies this match criteria to DHCP request messages only. Indicates that the fingerprint is only checked with any DHCP request messages received from any device. It is recommended to configure client-identity with request messages, because clients rarely send discover messages. If the message type is not specified, the fingerprint is checked with all message types

(DHCP request and DHCP discover). The following keywords are common to the discover and request message types:

option Configures a DHCP option value, which is used as the match criteria

<1-254> Configures a code for this DHCP option from 1 - 254 (except option 53) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 151 GLOBAL CONFIGURATION COMMANDS option-codes The following keyword is common to the discover and request message types:

option-codes Matches criteria based on the DHCP option codes contained in the clients discover/request messages Devices pass options in their DHCP discover/request messages as option codes, option types, and option value sets. These option codes are extracted and matched against the configured DHCP option codes and a fingerprint is derived. This derived fingerprint is used to identify the device. The following keyword is common to the discover and request message types:

contains Specifies that the DHCP options received in the clients discover/request messages contains the configured option code string The following keyword is common to the discover and request message types:

exact Specifies that the DHCP options received in the clients discover/request messages is an exact match with the configured option code string The following keyword is common to the discover and request message types:

starts-with Specifies that the DHCP options received in the clients discover/request messages starts with the configured option code string The following keywords are common to the contains, exact, and starts-with parameters:

ascii Configures the DHCP option in the ASCII format

<WORD> Specify the DHCP option ASCII value to match. The following keywords are common to the contains, exact, and starts-with parameters:

hexstring Configures the DHCP option in the hexa-decimal format

<WORD> Specify the DHCP option hexstring value to match. contains exact starts-with ascii <WORD>

hexstring <WORD>

Usage Guidelines The following DHCP options are useful for identifying different device types:

Option 55: Used by a DHCP client to request values for specific configuration parameters. It is a list of DHCP option codes and can be in the clients order of preference. Client configured list of DHCP options (all options parsed into a hex string). Option 60: Vendor class identifier. Used to identify the vendor and functionality of a DHCP client

(some devices do not set the value of this field). Though it is possible to use any option to configure a device fingerprint, the use of a combination of one or more of the preceding options to define a device is recommended. Example rfs4000-229D58(config-client-identity-test)#dhcp 1 message-type request option 60 exact ascii MSFT\5.0 rfs4000-229D58(config-client-identity-test)#dhcp 2 message-type discover option 2 exact hexstring 012456c22c44 rfs4000-229D58(config-client-identity-test)#show context client-identity test dhcp 2 message-type discover option 2 exact hexstring 012456c22c44 dhcp 1 message-type request option 60 exact ascii MSFT5.0 rfs4000-229D58(config-client-identity-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 152 GLOBAL CONFIGURATION COMMANDS Related Commands no Removes a DHCP option signature (match criteria) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 153 GLOBAL CONFIGURATION COMMANDS 4.1.33.2.2 dhcp-match-message-type client-identity-mode commands Configures the DHCP message type to match Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dhcp-match-message-type [all|any|discover|request]

Parameters dhcp-match-message-type [all|any|discover|request]

dhcp-match-

message-type

[all|any|discover|

request]

Specifies the DHCP message type to consider for matching all Matches all message types: discover and request. Indicates that the fingerprint is checked with both the DHCP request and the DHCP discover message. any Matches any message type: discover or request. Indicates that the fingerprint is checked with either the DHCP request or the DHCP discover message. discover Matches discover messages only. Client matches the client identity only if the discover message sent by the client matches. Values configured for request messages are ignored. request Matches request messages only. Client matches the client identity only if the request message sent by the client matches. Values configured for discover messages are ignored. Example rfs4000-229D58(config-client-identity-test)#dhcp-match-message-type all rfs4000-229D58(config-client-identity-test)#show context client-identity test dhcp 2 message-type discover option 2 exact hexstring 012456c22c44 dhcp 1 message-type request option 60 exact ascii MSFT5.0 dhcp-match-message-type all rfs4000-229D58(config-client-identity-test)#

Related Commands no Removes the DHCP message type to match Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 154 GLOBAL CONFIGURATION COMMANDS 4.1.33.2.3 no client-identity-mode commands Removes the DHCP options match criteria configurations Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [dhcp <1-16>|dhcp-match-message-type]

Parameters no [dhcp <1-16>|dhcp-match-message-type]

dhcp <1-16>

dhcp-match-

message-type Example Removes the DHCP option match criteria rule identified by the <1-16> keyword

<1-16> Specify the DHCP option match criteria rule index Removes the DHCP message type to match The following example shows the client identity test settings before the no commands are executed:

rfs4000-229D58(config-client-identity-test)#show context client-identity test dhcp 2 message-type discover option 2 exact hexstring 012456c22c44 dhcp 1 message-type request option 60 exact ascii MSFT5.0 dhcp-match-message-type all rfs4000-229D58(config-client-identity-test)#

The following example shows the client identity test settings after the no commands are executed:

rfs4000-229D58(config-client-identity-test)#no dhcp 2 rfs4000-229D58(config-client-identity-test)#no dhcp-match-message-type rfs4000-229D58(config-client-identity-test)#show context client-identity test dhcp 1 message-type request option 60 exact ascii MSFT5.0 rfs4000-229D58(config-client-identity-test)#

Related Commands dhcp dhcp-match-

message-type Configures the DHCP option match criteria for device fingerprinting Configures the DHCP message type for device fingerprinting Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 155 GLOBAL CONFIGURATION COMMANDS 4.1.34 client-identity-group client-identity The following table summarizes commands available to enter the client identity group configuration mode:

Command client-identity-

group client-identity-

group-mode commands client-identity Table 4.14 Client-Identity-Group Config Commands Description Creates a new client identity group and enters its configuration mode Reference page 4-157 Invokes the client identity group configuration mode commands page 4-158 Creates new client identity policy and enters its configuration mode page 4-147 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 156 GLOBAL CONFIGURATION COMMANDS 4.1.34.1 client-identity-group client-identity-group Configures a new client identity group A client identity group is a collection of client identities. Each client identity included in a client identity group is set a priority value that indicates the priority for that identity when device fingerprinting. Device Fingerprinting relies on specific information sent by a wireless client when acquiring IP address and other configuration information from a DHCP server. The feature uses the DHCP options sent by the wireless client in the DHCP request or discover packets to derive a unique signature specific to the class of devices. For example, Apple devices have a different signature than Android devices. This unique signature can then be used to classify the devices and assign permissions and restrictions on each device class. A client identity group can be attached to a profile or device, enabling device fingerprinting on them. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax client-identity-group <CLIENT-IDENTITY-GROUP-NAME>

Parameters client-identity-group <CLIENT-IDENTITY-GROUP-NAME>

client-identity-group

<CLIENT-IDENTITY-

GROUP-NAME>

Creates a new client identity group and enters its configuration mode

<CLIENT-IDENTITY-GROUP-NAME> Specify a client identity group name. If the group does not exist, it is created. Example rfs4000-229D58(config)#client-identity-group test rfs4000-229D58(config-client-identity-group-test)#

Client Identity group Mode commands:

client-identity Client identity (DHCP Device Fingerprinting) load Load Client identity Fingerprints no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs4000-229D58(config-client-identity-group-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 157 GLOBAL CONFIGURATION COMMANDS 4.1.34.2 client-identity-group-mode commands client-identity-group The following table summarizes client identity group configuration mode commands:

Table 4.15 Client-Identity-Group-Mode Commands Command client-identity load no Description Associates an existing and configured client identity (device fingerprint) with this client identity group Loads default (system-provided) client identity fingerprints Removes the client identity associated with this client identity group Reference page 4-159 page 4-161 page 4-155 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 158 GLOBAL CONFIGURATION COMMANDS 4.1.34.2.1 client-identity client-identity-group-mode commands Associates an existing and configured client identity (device fingerprint) with this client identity group Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>

Parameters client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>

client-identity

<CLIENT-IDENTITY-

NAME>

precedence

<1-10000>

Associates a client identity with this group

<CLIENT-IDENTITY-NAME> Specify a client identity name (should be existing and configured) Determines the order in which client identity is used

<1-10000> Specify this client identity precedence from <1-10000>. The client identity rule is applied based on its precedence value. Lower the value, higher is the precedence. Therefore, a client identity with precedence 5 gets precedence over a client identity having precedence 20. Example The following example shows two client identities created and configured:

rfs4000-229D58(config)#show context

!

! Configuration of RFS4000 version 5.9.1.0-029R

!

!

version 2.5

!

!client-identity TestClientIdentity dhcp 1 message-type request option-codes exact hexstring 5e4d36780b3a7f

!client-identity test dhcp 2 message-type discover option 2 exact hexstring 012456c22c44 dhcp 1 message-type request option 60 exact ascii MSFT5.0 dhcp-match-message-type all

!

client-identity-group ClientIdentityGroup client-identity TestClientIdentity precedence 1

!

client-identity-group test

!

ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"

--More--

rfs4000-229D58(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 159 GLOBAL CONFIGURATION COMMANDS The following example associates client identity test with the client identity group test:

rfs4000-229D58(config-client-identity-group-test)#client-identity test precedence 1 The following example shows the client identity group test with two associated client identities having precedence 1 and 2:

rfs4000-229D58(config-client-identity-group-test)#client-identity TestClientIdentity precedence 2 rfs4000-229D58(config-client-identity-group-test)#show context client-identity-group test client-identity test precedence 1 client-identity TestClientIdentity precedence 2 rfs4000-229D58(config-client-identity-group-test)#

Related Commands no Removes the client identity associated with the client identity group Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 160 GLOBAL CONFIGURATION COMMANDS 4.1.34.2.2 load client-identity-group-mode commands Loads default (built-in, system-provided) client identity fingerprints. This option is enabled by default. The WiNG software provides some built-in client identity fingerprints that are automatically loaded when the client identity group if applied to a device (either directly or through the profile). Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax load default-fingerprints Parameters load default-fingerprints load default-

fingerprints Example Loads client identity default fingerprints. This option is enabled by default. The auto-load default fingerprints option is enabled by default, as shown in the following example:

nx9500-6C8809(config-client-identity-group-test)#show context client-identity-group test load default-fingerprints nx9500-6C8809(config-client-identity-group-test)#

In scenarios where only customized client identities are to be applied, use the no > load > default-

fingerprints command to disable auto-loading of default device fingerprints. nx9500-6C8809(config-client-identity-group-test)#no load default-fingerprints nx9500-6C8809(config-client-identity-group-test)#show context client-identity-group test no load default-fingerprints nx9500-6C8809(config-client-identity-group-test)#

Use the service > show > client-identity-defaults command to view default client identity fingerprints:

nx9500-6C8809#service show client-identity-defaults client-identity Android-2-1 dhcp 1 message-type request option 55 exact hexstring 0103061c21333a3b79 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.1 client-identity Android-2-2 dhcp 1 message-type request option 55 exact hexstring 01792103061c333a3b dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15 client-identity Android-2-3 dhcp 3 message-type request option 55 exact hexstring 01792103061c333a3b dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15 dhcp 1 message-type request option-codes exact hexstring 353d32393c37 dhcp 2 message-type request option-codes exact hexstring 353d3236393c37 dhcp 10 message-type request option-codes exact hexstring 353d3236393c0c37

--More--

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 161 GLOBAL CONFIGURATION COMMANDS Related Commands no Disables automatic loading of default client identity fingerprints Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 162 GLOBAL CONFIGURATION COMMANDS 4.1.34.2.3 no client-identity-group-mode commands Removes the client identity associated with the client identity group Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [client-identity|load]

no client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>

no load default-fingerprints Parameters no client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>

no client-identity

<CLIENT-IDENTITY-

NAME>

precedence <1-

10000>

Disassociates a specified client identity from this client identity group

<CLIENT-IDENTITY-NAME> Specify the client identity name. precedence <1-10000> Specify the above specified client identitys precedence value from <1-10000>. The client identity rule is applied based on its precedence value. Lower the value, higher is the precedence. Therefore, a client identity with precedence 5 gets precedence over a client identity having precedence 20. no load default-fingerprints no load default-

fingerprints Disables automatic loading of built-in, system-provided client identity fingerprints Example rfs4000-229D58(config-client-identity-group-test)#show context client-identity-group test client-identity test precedence 1 rfs4000-229D58(config-client-identity-group-test)#

rfs4000-229D58(config-client-identity-group-test)#no client-identity test rfs4000-229D58(config)#

Related Commands client-identity load Associates an existing and configured client identity (device fingerprint) with this client identity group Loads default (built-in, system-provided) client identity fingerprints. This option is enabled by default. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 163 GLOBAL CONFIGURATION COMMANDS 4.1.35 clone Global Configuration Commands Creates a replica of an existing object or device. The configuration of the new object or device is an exact copy of the existing object or device configuration. Use this command to copy existing configurations and then modifying only the required parameters. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax clone [TLO|device]

clone TLO <EXISTING-OBJECT-NAME> <NEW-OBJECT-NAME>

clone device <EXISTING-DEVICE-MAC/NAME> <NEW-DEVICE-MAC>

Parameters clone TLO <EXISTING-OBJECT-NAME> <NEW-OBJECT-NAME>

TLO <EXISTING-

OBJECT-NAME>

<NEW-OBJECT-

NAME>

Creates a new TLO by cloning an existing top-level object. The new object has the same configuration as the cloned object.

<EXISTING-OBJECT-NAME> Specify the existing objects (to be cloned) name

<NEW-OBJECT-NAME> Provide the new objects name. Enter clone and press Tab to list objects available for cloning. clone device <EXISTING-DEVICE-MAC/NAME> <NEW-DEVICE-MAC>

device

<EXISTING-DEVICE-

MAC/NAME>

<NEW-DEVICE-

MAC>

Configures a new device based on an existing device configuration

<EXISTING-DEVICE-MAC/NAME> Specify the existing devices name or MAC address (the device to be cloned)

<NEW-DEVICE-MAC> Provide the new devices MAC address. Enter clone > device and press Tab to list devices available for cloning. Example nx9500-6C8809(config)#clone rf_domain TechPubs Cloned_TechPubs2 nx9500-6C8809(config)#show context

!

! Configuration of NX9500 version 5.9.1.0-008B

!

!

version 2.5

!

................................................................................ rf-domain TechPubs location SanJose timezone America/Los_Angeles country-code us

!rf-domain Cloned_TechPubs2 location SanJose

--More--

nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 164 GLOBAL CONFIGURATION COMMANDS 4.1.36 crypto-cmp-policy Global Configuration Commands Creates a crypto Certificate Management Protocol (CMP) policy and enters its configuration mode Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>

Parameters crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>

<CRYPTO-CMP-

POLICY-NAME>

Specify the crypto CMP policy name. If the policy does not exist, it is created. Example nx9500-6C8809(config)#crypto-cmp-policy CMP nx9500-6C8809(config-cmp-policy-CMP)#?

CMP Policy Mode commands:

ca-server CMP CA Server configuration commands cert-key-size Set key size for certificate request cert-renewal-timeout Trigger a cert renewal request on timeout cross-cert-validate Validate cross-cert using factory-cert no Negate a command or set its defaults subjectAltName Configure subjectAltName value trustpoint Trustpoint for CMP use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-cmp-policy-CMP)#

Related Commands no Resets values or disables commands NOTE: For more information on the crypto CMP policy, see Chapter 29, CRYPTO-CMP-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 165 GLOBAL CONFIGURATION COMMANDS 4.1.37 customize Global Configuration Commands Customizes the output of the summary CLI commands. Use this command to define the data displayed as a result of various show commands. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax customize [cdp-lldp-info-column-width|hostname-column-width|show-adoption-status|

show-wireless-client|show-wireless-client-stats|show-wireless-client-stats-rf|

show-wireless-meshpoint|show-wireless-meshpoint-accelerated-multicast|

show-wireless-meshpoint-neighbor-stats|show-wireless-meshpoint-neighbor-stats-rf

|show-wireless-mint-client|show-wireless-mint-client-stats|show-wireless-mint-

client-stats-rf|show-wireless-mint-portal|show-wireless-mint-portal-stats|

show-wireless-mint-portal-stats-rf|show-wireless-radio|show-wireless-radio-

stats|show-wireless-radio-stats-rf]

customize [cdp-lldp-info-column-width|hostname-column-width] <1-64>

customize show-adoption-status (adopted-by,ap-name <1-64>,cdp-lldp-info,config-

status,last-adoption,msgs,uptime,version) customize show-wireless-client (ap-name <1-64>,auth,client-identity <1-32>,bss, enc,hostname <1-64>,ip,last-active,location <1-64>,mac,radio-alias <3-67>,radio-

id,radio-type,role <1-32>,state,username <1-64>,vendor,vlan,wlan) customize show-wireless-client-stats (hostname <1-64>,mac,rx-bytes,rx-errors,rx-

packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput) customize show-wireless-client-stats-rf (average-retry-number,error-rate,hostname

<1-64>,mac,noise,q-index,rx-rate,signal,snr,tx-rate) customize show-wireless-meshpoint-accelerated-multicast (ap-hostname,group-addr, mesh-name,neighbor-hostname,neighbor-ifid,radio-alias,radio-id,radio-mac, subscriptions) customize show-wireless-meshpoint (ap-mac,cfg-as-root,hops,hostname <1-64>, interface-ids,is-root,mesh-name <1-64>,mpid,next-hop-hostname <1-64>,next-hop-

ifid,next-hop-use-time,path-metric,root-bound-time,root-hostname <1-64>,root-

mpid) customize show-wireless-meshpoint-neighbor-stats (ap-hostname <1-64>,neighbor-

hostname <1-64>,neighbor-ifid,rx-bytes,rx-errors,rx-packets,rx-throughput,t-

index,tx-bytes,tx-dropped,tx-packets,tx-throughput) customize show-wireless-meshpoint-neighbor-stats-rf (ap-hostname <1-64>,average-

retry-number,error-rate,neighbor-hostname <1-64>,neighbor-ifid,noise,q-index,rx-

rate,signal,snr,t-index,tx-rate) customize show-wireless-mint-client (client-alias <1-64>,client-bss,portal-alias

<1-64>,portal-bss,up-time) customize show-wireless-mint-client-stats (client-alias <1-64>,portal-alias <1-

64>,portal-bss,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-

dropped,tx-packets,tx-throughput) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 166 GLOBAL CONFIGURATION COMMANDS customize show-wireless-mint-client-stats-rf (average-retry-number,client-alias

<1-64>,error-rate,noise,portal-alias <1-64>,portal-bss,q-index,rx-rate,signal, snr,tx-rate) customize show-wireless-mint-portal (client-alias <1-64>,client-bss,portal-alias

<1-64>,portal-bss,up-time) customize show-wireless-mint-portal-stats (client-alias <1-64>,client-bss,portal-

alias <1-64>,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-

dropped,tx-packets,tx-throughput) customize show-wireless-mint-portal-stats-rf (average-retry-number,client-alias

<1-64>,client-bss,error-rate,noise,portal-alias <1-64>,q-index,rx-rate,signal, snr,tx-rate) customize show-wireless-radio (adopt-to,ap-name <1-64>,channel,location <1-64>, num-clients,power,radio-alias <3-67>,radio-id,radio-mac,rf-mode,state) customize show-wireless-radio-stats (radio-alias <3-67>,radio-id,radio-mac, rx-bytes,rx-errors,rx-packets,rx-throughput,tx-bytes,tx-dropped,tx-packets, tx-throughput) customize show-wireless-radio-stats-rf (average-retry-number,error-rate,noise, q-index,radio-alias <3-67>,radio-id,radio-mac,rx-rate,signal,snr,t-index,tx-rate) Parameters customize [cdp-lldp-info-column-width|hostname-column-width] <1-64>

hostname-column-

width <1-64>

cdp-lldp-info-column-

width <1-64>

Configures default width of the hostname column in all show command outputs

<1-64> Sets the hostname column width from 1 - 64 characters Configures the column width in the show > cdp/lldp > [neighbor|report] command output

<1-64> Sets the column width from 1 - 64 characters customize show-adoption-status (adopted-by,ap-name <1-64>,cdp-lldp-info,config-

status,last-adoption,msgs,uptime,version) show-adoption-status Configures the information displayed in the show > adoption > status command output. Select the columns (information) displayed from the following options:

adopted-by, ap-name, cdp-lldp-info, config-status, last-adoption, msgs, uptime, and version. These are recursive parameters and you can select multiple options at a time. The columns displayed by default are: Device-Name, Version, Config-Status, MSGS, Adopted-By, Last-Adoption, and Uptime. Where ever available, you can optionally use the <1-64> parameter to set the column width. customize show-wireless-client (ap-name <1-64>,auth,client-identity <1-32>, bss,enc,hostname <1-64>,ip,last-active,location <1-64>,mac,radio-alias <3-67>, radio-id,radio-type,role <1-32>,state,username <1-64>,vendor,vlan,wlan) show-wireless-client ap-name <1-64>

auth Customizes the show > wireless > client command output The columns displayed by default are: MAC, IPv4, Vendor, Radio-ID, WLAN. VLAN, and State. Includes the ap-name column, which displays the name of the AP with which this client associates

<1-64> Sets the ap-name column width from 1 - 64 characters Includes the auth column, which displays the authorization protocol used by the wireless client Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 167 GLOBAL CONFIGURATION COMMANDS bss enc location <1-64>

hostname <1-64>

ip last-active client-identity <1-32> Includes the client-identity (device type) column, which displays details gathered from DHCP device fingerprinting feature (when enabled). For more information, see client-

identity.

<1-32> Sets the client-identity column width from 1 - 32 characters Includes the BSS column, which displays the BSS ID the wireless client is associated with Includes the enc column, which displays the encryption suite used by the wireless client Includes the hostname column, which displays the wireless clients hostname

<1-64> Sets the hostname column width from 1 - 64 characters Includes the IP column, which displays the wireless clients current IP address Includes the last-active column, which displays the time of last activity seen from the wireless client Includes the location column, which displays the location of the clients associated access points

<1-64> Sets the location column width from 1 - 64 characters Includes the MAC column, which displays the wireless clients MAC address Includes the radio-alias column, which displays the radio alias with the AP's hostname and radio interface number in the HOSTNAME:RX format

<3-64> Sets the radio-alias column width from 3 - 67 characters Includes the radio-id column, which displays the radio ID with the APs MAC address and radio interface number in the AA-BB-CC-DD-EE-FF:RX format Includes the radio-type column, which displays the wireless clients radio type Includes the role column, which displays the clients role

<1-32> Sets the role column width from 1 - 32 characters Includes the state column, which displays the wireless clients current availability state Includes the username column, which displays the wireless clients username

<1-64> Specify the username column width from 1 - 64 characters. Includes the vendor column, which displays the wireless clients vendor ID Includes the VLAN column, which displays the wireless clients assigned VLAN Includes the WLAN column, which displays the wireless clients assigned WLAN mac radio-alias <3-67>

state username <1-64>

vendor vlan wlan radio-type role <1-32>

radio-id customize show-wireless-client-stats (hostname <1-64>,mac,rx-bytes,rx-errors, rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput) show-wireless-client-

stats hostname <1-64>

mac rx-bytes Customizes the show > wireless > client > statistics command output The columns displayed by default are: MAC, Tx bytes, RX bytes, Tx pkts, Rx pkts, and Tx bps, RX bps, T-Index, and Dropped pkts. Includes the hostname column, which displays the wireless clients hostname

<1-64> Sets the hostname column width from 1 - 64 characters Includes the MAC column, which displays the wireless clients MAC address Includes the rx-bytes column, which displays the total number of bytes received by the wireless client Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 168 GLOBAL CONFIGURATION COMMANDS rx-errors rx-packets rx-throughput t-index tx-bytes tx-dropped tx-packets tx-throughput Includes the rx-error column, which displays the total number of errors received by the wireless client Includes the rx-packets column, which displays the total number of packets received by the wireless client Includes the rx-throughput column, which displays the receive throughput at the wireless client Includes the t-index column, which displays the traffic utilization index at the particular wireless client Includes the tx-bytes column, which displays the total number of bytes transmitted by the wireless client Includes the tx-dropped column, which displays the total number of dropped packets by the wireless client Includes the tx-packets column, which displays the total number of packets transmitted by the wireless client Includes the tx-throughput column, which displays the transmission throughput at the wireless client customize show-wireless-client-stats-rf (average-retry-number,error-rate,host-

name <1-64>,mac,noise,q-index,rx-rate,signal,snr,tx-rate) show-wireless-client-

stats-rf average-retry-

number error-rate hostname <1-64>

mac noise q-index rx-rate signal snr tx-rate Customizes the show > wireless > client > statistics > rf command output The columns displayed by default are: MAC, Signal (dBm), Noise (dBm), SNR (dB), TX Rate (Mbps), Retry Avg, Errors (pps), and Q-Index (%). Includes the average-retry-number column, which displays the average number of retransmissions made per packet Includes the error-rate column, which displays the rate of error for the wireless client Includes the hostname column, which displays the wireless clients hostname

<1-64> Sets the hostname column width from 1 - 64 characters Includes the MAC column, which displays the wireless clients MAC address Includes the noise column, which displays the noise (in dBm) as detected by the wireless client Includes the q-index column, which displays the RF quality index Higher values indicate better RF quality. Includes the rx-rate column, which displays the receive rate at the particular wireless client Includes the signal column, which displays the signal strength (in dBm) at the particular wireless client Includes the snr column, which displays the signal to noise (SNR) ratio (in dB) at the particular wireless client Includes the tx-rate column, which displays the packet transmission rate at the particular wireless client Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 169 GLOBAL CONFIGURATION COMMANDS customize show-wireless-meshpoint-accelerated-multicast (ap-hostname,group-

addr,mesh-name,neighbor-hostname,neighbor-ifid,radio-alias,radio-id,radio-mac, subscriptions) show-wireless-

meshpoint-

accelerated-multicast Configures the information displayed in the show > wireless > meshpoint >

accelerated multicast command output. Select the columns (information) displayed from the following options: ap-hostname, group-addr, mesh-name, neighbor-

hostname, neighbor-ifid, radio-alias, radio-id, radio-mac, subscriptions. These are recursive parameters and you can select multiple options at a time. The columns displayed by default are: Mesh, Radio, Neighbor-IFID, Neighbor-

Hostname, Group-MAC, and Subscriptions. customize show-wireless-meshpoint (ap-mac,cfg-as-root,hops,hostname <1-64>, interface-ids,is-root,mesh-name <1-64>,mpid,next-hop-hostname <1-64>,next-hop-

ifid,next-hop-use-time,path-metric,root-bound-time,root-hostname <1-64>,root-

mpid) show-wireless-

meshpoint Customizes the show > wireless > meshpoint command output The columns displayed by default are: Mesh, Hostname, Hops, Is-Root, Config-As-Root, Root-Hostname, Root-Bound-Time, Path-Metric, Next-Hop-Hostname, and Next-Hop-

Use-Time. Includes the ap-mac column, which displays the APs MAC address in the AA-BB-CC-

DD-EE-FF format. Applicable only in case of non-controller meshpoints Includes the cfg-as-root column, which displays the configured root state of the meshpoint Includes the hops column, which displays the number of hops to the root for this meshpoint Includes the hostname column, which displays the APs hostname. Applicable only in case of non-wireless controller meshpoints

<1-64> Sets the hostname column width from 1 - 64 characters Includes the interface-ids column, which displays the interface identifiers (interfaces used by this meshpoint) Includes the is-root column, which displays the current root state of the meshpoint Includes the mesh-name column, which displays the meshpoints name

<1-64> Sets the mesh-name column width from 1 - 64 characters Includes the mpid column, which displays the meshpoint identifier in the AA-BB-CC-

DD-EE-FF format Includes the next-hop-hostname column, which displays the next-hop APs name (the AP next in the path to the bound root)

<1-64> Sets the next-hop-hostname column width from 1 - 64 characters Includes the next-hop-ifid column, which displays the next-hop interface identifier in the AA-BB-CC-DD-EE-FF format Includes the next-hop-use-time column, which displays the time since this meshpoint started using this next hop Includes the root-bound-time column, which displays the time since this meshpoint has been bound to the current root ap-mac cfg-as-root hops hostname <1-64>

interface-ids is-root mesh-name <1-64>

mpid next-hop-hostname

<1-64>

next-hop-ifid next-hop-use-time root-bound-time Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 170 GLOBAL CONFIGURATION COMMANDS root-hostname <1-

64>

root-mpid Includes the root-hostname column, which displays the root APs hostname to which this meshpoint is bound

<1-64> Sets the root-hostname column width from 1 - 64 characters Includes the root-mpid column, which displays the bound root meshpoint identifier in the AA-BB-CC-DD-EE-FF format customize show-wireless-meshpoint-neighbor-stats (ap-hostname <1-64>, neighbor-hostname <1-64>,neighbor-ifid,rx-bytes,rx-errors,rx-packets,rx-

throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput) show-wireless-

meshpoint-neighbor-

stats ap-name <1-64>

neighbor-hostname

<1-64>

neighbor-ifid rx-bytes rx-errors rx-packets rx-throughput t-index tx-bytes tx-dropped tx-packets tx-throughput Customizes the show > wireless > meshpoint > neighbor > statistics command output The columns displayed by default are: AP Hostname, Neighbor-IFID, TX bytes, RX bytes, Tx pkts, Rx pkts, Tx (bps), Rx (bps), T-Index (%), and Dropped pkts. Includes the ap-name column, which displays name of the AP reporting a neighbor

<1-64> Sets the ap-name column width from 1 - 64 characters Includes the neighbor-hostname column, which displays the reported neighbors hostname

<1-64> Sets the neighbor-hostname column width from 1 - 64 characters Includes the neighbor-ifid column, which displays the neighbors interface ID Includes the rx-bytes column, which displays the total bytes received Includes the rx-error column, which displays the total bytes of error received Includes the rx-packets column, which displays the number of packets received Includes the rx-throughput column, which displays neighbors received throughput Includes the t-index column, which displays the traffic utilization index at the neighbor end Includes the tx-bytes column, which displays the total bytes transmitted Includes the tx-dropped column, which displays the total bytes dropped Includes the tx-packets column, which displays the number of packets transmitted Includes the tx-throughput column, which displays neighbors transmitted throughput customize show-wireless-meshpoint-neighbor-stats-rf (ap-hostname <1-64>, average-retry-number,error-rate,neighbor-hostname <1-64>,neighbor-ifid,noise, q-index,rx-rate,signal,snr,t-index,tx-rate) show-wireless-

meshpoint-neighbor-

stats-rf ap-name <1-64>

average-retry-

number error-rate neighbor-hostname

<1-64>

Customizes the show > wireless > meshpoint > neighbor > statistics > rf command output The columns displayed by default are: AP Hostname, Neighbor-IFID, Signal (dBm), Noise (dBm), SNR (dB), Tx-Rate (Mbps), Rx-Rate (Mbps), Retry Avg, Errors (pps), and Q-Index (%). Includes the ap-name column, which displays name of the AP reporting a neighbor

<1-64> Sets the ap-name column width from 1 - 64 characters Includes the average-retry-number column, which displays the average number of retransmissions made per packet. Includes the error-rate column Includes the neighbor-hostname, which displays reported neighbors hostname

<1-64> Sets the neighbor-hostname column width from 1 - 64 characters Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 171 GLOBAL CONFIGURATION COMMANDS noise q-index rx-rate signal snr t-index tx-rate Includes the noise column, which displays the noise level in dBm Includes the q-index column, which displays the q-index Includes the rx-rate column, which displays rate of receiving Includes the signal column, which displays the signal strength in dBm Includes the snr column, which displays the signal-to-noise ratio Includes the t-index column, which displays t-index Includes the tx-rate column, which displays rate of transmission customize show-wireless-mint-client (client-alias <1-64>,client-bss,portal-

alias <1-64>,portal-bss,up-time) show-wireless-mint-

client Configures the information displayed in the show > wireless > mint > client command output. Select the columns (information) displayed from the following options: client-

alias, client-bss, portal-alias, portal-bss, and up-time. These are recursive parameters and you can select multiple options at a time. The columns displayed by default are: Portal, Portal-Radio-MAC, Client, Client-Radio-

MAC, and Up-Time. customize show-wireless-mint-client-stats (client-alias <1-64>,portal-alias <1-

64>,portal-bss,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes, tx-dropped,tx-packets,tx-throughput) show-wireless-mint-

client-stats Configures the information displayed in the show > wireless > mint > client > statistics command output. Select the columns (information) displayed from the following options: client-alias, portal-alias, portal-bss, rx-bytes, rx-errors, rx-packets, rx-

throughput, t-index, tx-bytes, tx-dropped, tx-packets, tx-throughput. These are recursive parameters and you can select multiple options at a time. The columns displayed by default are: Portal, Portal-Radio-MAC, Client, Tx bytes, Rx bytes, TX pkts, Rx pkts, TX (bps), Rx (bps), T-Index (%), and Dropped pkts. Where ever available, you can optionally use the <1-64> parameter to set the column width. customize show-wireless-mint-client-stats-rf (average-retry-number,client-alias

<1-64>,error-rate,noise,portal-alias <1-64>,portal-bss,q-index,rx-rate,signal, snr,tx-rate) show-wireless-mint-

client-stats-rf Configures the information displayed in the show > wireless > mint > client > statistics

> rf command output. Select the columns (information) displayed from the following options: average-retry-number, client-alias, error-rate, noise, portal-alias, portal-bss, q-

index, rx-rate, signal, snr, and tx-rate. These are recursive parameters and you can select multiple options at a time. The columns displayed by default are: MAC, Signal (dBm), Noise (dBm), SNR (dB), Tx-

Rate (Mbps), Rx-rate (Mbps), Retry Avg, Errors (pps), and Q-Index (%). Where ever available, you can optionally use the <1-64> parameter to set the column width. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 172 GLOBAL CONFIGURATION COMMANDS customize show-wireless-mint-portal (client-alias <1-64>,client-bss,portal-

alias <1-64>,portal-bss,up-time) show-wireless-mint-

portal Configures the information displayed in the show > wireless > mint > portal command output. Select the columns (information) displayed from the following options: client-

alias, client-bss, portal-alias, portal-bss, and up-time. These are recursive parameters and you can select multiple options at a time. The columns displayed by default are: Client, Client-Radio-MAC, Portal, Portal-Radio-

MAC, and Up-Time. Where ever available, optionally use the <1-64> parameter to set the column width. customize show-wireless-mint-portal-stats (client-alias <1-64>,client-bss, portal-alias <1-64>,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index, tx-bytes,tx-dropped,tx-packets,tx-throughput) show-wireless-mint-

portal-stats Configures the information displayed in the show > wireless > mint > portal >

statistics command output. Select the columns (information) displayed from the following options: client-alias, client-bss, portal-alias, rx-bytes, rx-errors, rx-packets, rx-throughput, t-index, tx-bytes, tx-dropped, tx-packets, tx-throughput. These are recursive parameters and you can select multiple options at a time. The columns displayed by default are: Client, Client-Radio-MAC, Portal, Tx bytes, Rx bytes, TX pkts, Rx pkts, TX (bps), Rx (bps), T-Index (%), and Dropped pkts. Where ever available, optionally use the <1-64> parameter to set the column width. customize show-wireless-mint-portal-stats-rf (average-retry-number,client-alias

<1-64>,client-bss,error-rate,noise,portal-alias <1-64>,q-index,rx-rate,signal, snr,tx-rate) show-wireless-mint-

portal-stats-rf Configures the information displayed in the show > wireless > mint > portal >

statistics > rf command output. Select the columns (information) displayed from the following options: average-retry-number, client-alias, client-bss, error-rate, noise, portal-alias, q-index, rx-rate, signal, snr, tx-rate. These are recursive parameters and you can select multiple options at a time. The columns displayed by default are: Client, Client-Radio-MAC, Portal, Signal (dBm), Noise (dBm), SNR (dB), Tx-Rate (Mbps), Rx-rate (Mbps), Retry Avg, Errors (pps), and Q-Index (%). Where ever available, optionally use the <1-64> parameter to set the column width. customize show-wireless-radio (adopt-to,ap-name <1-64>,channel,location <1-64>, num-clients,power,radio-alias <3-67>,radio-id,radio-mac,rf-mode,state) show-wireless-radio adopt-to ap-name <1-64>

channel location <1-64>

num-clients Customizes the show wireless radio command output Includes the adopt-to column, which displays information about the wireless controller adopting this AP Includes the ap-name column, which displays information about the AP this radio belongs

<1-64> Sets the ap-name column width from 1 - 64 characters Includes the channel column, which displays information about the configured and current channel for this radio Includes the location column, which displays the location of the AP this radio belongs

<1-64> Sets the location column width from 1 - 64 characters Includes the num-clients column, which displays the number of clients associated with this radio Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 173 GLOBAL CONFIGURATION COMMANDS power radio-alias <3-67>

radio-id radio-mac rf-mode state Includes the power column, which displays the radios configured and current transmit power Includes the radio-alias column, which displays the radios alias (combination of AP's hostname and radio interface number in the HOSTNAME:RX formate)

<3-67> Sets the radio-alias column width from 3 - 67 characters Includes the radio-id column, which displays the radios ID (combination of APs MAC address and radio interface number in the AA-BB-CC-DD-EE-FF:RX format) Includes the radio-mac column, which displays the radios base MAC address Includes the rf-mode column, which displays the radios operating mode. The radio mode can be 2.4 GHz, 5.0 GHz, or sensor. Includes the state column, which displays the radios current operational state customize show-wireless-radio-stats (radio-alias <3-67>,radio-id,radio-mac, rx-bytes,rx-errors,rx-packets,rx-throughput,tx-bytes,tx-dropped,tx-packets, tx-throughput) show-wireless-radio-

stats radio-alias <3-67>

radio-id radio-mac rx-bytes rx-errors rx-packets rx-throughput tx-bytes tx-dropped tx-packets tx-throughput Customizes the show wireless radio statistics command output Includes the radio-alias column, which displays the radios alias (combination of AP's hostname and radio interface number in the HOSTNAME:RX format)

<3-67> Sets the radio-alias column width from 3 - 67 characters Includes the radio-id column, which displays the radios ID (combination of APs MAC address and radio interface number in the AA-BB-CC-DD-EE-FF:RX format) Includes the radio-mac column, which displays the radios base MAC address Includes the rx-bytes column, which displays the total number of bytes received by the radio Includes the rx-error column, which displays the total number of errors received by the radio Includes the rx-packets column, which displays the total number of packets received by the radio Includes the rx-throughput column, which displays the receive throughput at the radio Includes the tx-bytes column, which displays the total number of bytes transmitted by the radio Includes the tx-dropped column, which displays the total number of packets dropped by the radio Includes the tx-packets column, which displays the total number of packets transmitted by the radio Includes the tx-throughput column, which displays the transmission throughput at the radio customize show-wireless-radio-stats-rf (average-retry-number,error-rate,noise, q-index,radio-alias <3-67>,radio-id,radio-mac,rx-rate,signal,snr,t-index,tx-rate) show-wireless-radio-

stats-rf average-retry-number Customizes the show wireless radio stats RF command output Includes the average-retry-number column, which displays the average number of retransmissions per packet Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 174 GLOBAL CONFIGURATION COMMANDS error-rate noise q-index radio-alias <3-67>

radio-id radio-mac rx-rate signal snr t-index tx-rate Example Includes the error-rate column, which displays the rate of error for the radio Includes the noise column, which displays the noise detected by the radio Includes the q-index column, which displays the RF quality index Higher values indicate better RF quality. Includes the radio-alias column, which displays the radios alias (combination of AP's hostname and radio interface number in the HOSTNAME:RX format)

<3-67> Sets the radio-alias column width from 3 - 67 characters Includes the radio-id column, which displays the radios ID (combination of APs MAC address and radio interface number in the AA-BB-CC-DD-EE-FF:RX format) Includes the radio-mac column, which displays the radios base MAC address Includes the rx-rate column, which displays the receive rate at the particular radio Includes the signal column, which displays the signal strength at the particular radio Includes the snr column, which displays the signal-to-noise ratio at the particular radio Includes the t-index column, which displays the traffic utilization index at the particular radio Includes the tx-rate column, which displays the packet transmission rate at the particular radio The following example shows the shows the show > adoption > status command output before customizing the output:

rfs6000-81742D#show adoption status Adopted by:

Type : nx9000 System Name : nx9500-6C8809 MAC address : B4-C7-99-6C-88-09 MiNT address : 19.6C.88.09 Time : 4 days 22:38:32 ago Adopted Devices:

--------------------------------------------------------------------------------

-------------------------------

DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-

ADOPTION UPTIME

--------------------------------------------------------------------------------

-------------------------------

ap7532-A2A56C 5.9.0.0-010D *configured No rfs6000-81742D 4 days 22:25:56 4 days 22:31:23

--------------------------------------------------------------------------------

--------------------------------

Total number of devices displayed: 1 rfs6000-81742D#

rfs6000-81742D(config)#customize show-adoption-status adopted-by ap-name config-

status last-adoption rfs6000-81742D(config)#commit The following example shows the shows the show > adoption > status command output after customizing the output:

rfs6000-81742D#show adoption status Adopted by:

Type : nx9000 System Name : nx9500-6C8809 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 175 GLOBAL CONFIGURATION COMMANDS MAC address : B4-C7-99-6C-88-09 MiNT address : 19.6C.88.09 Time Adopted Devices:

------------------------------------------------------------------------

ADOPTED-BY DEVICE-NAME CFG-STAT LAST-ADOPTION

------------------------------------------------------------------------

rfs6000-81742D ap7532-A2A56C *configured 4 days 22:25:56

------------------------------------------------------------------------

Total number of devices displayed: 1 rfs6000-81742D(config)#

Use the no > customize > show-adoption-status command to revert back to the default format. rfs6000-81742D(config)#no customize show-adoption-status rfs6000-81742D(config)#commit rfs6000-81742D#show adoption status Adopted by:

Type : nx9000 System Name : nx9500-6C8809 MAC address : B4-C7-99-6C-88-09 MiNT address : 19.6C.88.09 Time : 4 days 22:38:32 ago Adopted Devices:

--------------------------------------------------------------------------------

-------------------------------

DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-

ADOPTION UPTIME

--------------------------------------------------------------------------------

-------------------------------

ap7532-A2A56C 5.9.0.0-010D *configured No rfs6000-81742D 4 days 22:25:56 4 days 22:31:23

--------------------------------------------------------------------------------

--------------------------------

Total number of devices displayed: 1 rfs6000-81742D#

Related Commands no wireless (show commands) Restores custom CLI settings to default Displays wireless configuration and other information Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 176 GLOBAL CONFIGURATION COMMANDS 4.1.38 database-client-policy Global Configuration Commands The following table summarizes the config database client policy commands:

Table 4.16 Database-Client-Policy Config Commands Description Reference Command database-client-policy Creates a database-client policy and enters its configuration mode page 4-178 database-client-

page 4-180 policy-mode commands Summarizes the database client policy mode commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 177 GLOBAL CONFIGURATION COMMANDS 4.1.38.1 database-client-policy database-client-policy Creates a database-client-policy and enters its configuration mode. The database-client-policy configures the IP address or hostname of the database host, and is used on the NSight/EGuest servers device cortext. However, the database-client-policy is required only in a split deployment, where the server and database are hosted on separate boxes. In such a scenario, the database-client-policy enables the server to identify the database host. If enforcing database authentication, configure the user-name and password required to access the database on the database-client-policy. For more information on enabling database authentication, see database. Supported in the following platforms:

Service Platforms NX9500, NX9600, VX9000 Syntax database-client-policy <DATABASE-CLIENT-POLICY-NAME>

Parameters database-client-policy <DATABASE-CLIENT-POLICY-NAME>

database-policy

<DATABASE-CLIENT-

POLICY-NAME>

Specify the database-client-policy name. If the policy does not exist, it is created. Once created and configured, use this policy in the NSight/EGuest servers device context. Example vx9000-34B78B(config)#database-client-policy DBClientPolicy vx9000-34B78B(config-database-client-policy-DBClientPolicy)#?

Database Client Policy Mode commands:

authentication Database authentication database-server Add database server no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal vx9000-34B78B(config-database-client-policy-DBClientPolicy)#

To setup a database/server environment, with the database and the server hosted n separate hosts:

1 On the database host, use the database policy. This brings up the database server. 2 On the NSight/EGuest server, create the database-client-policy, and configure the database hosts IP address or hostname. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 178 GLOBAL CONFIGURATION COMMANDS vx9000-34B78B(config)#database-client-policy DBClientPolicy vx9000-34B78B(config-database-client-policy-DBClientPolicy)#database-server 192.168.13.10 vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context database-client-policy DBClientPolicy database-server 192.168.13.10 vx9000-34B78B(config-database-client-policy-DBClientPolicy)#

3 Use this database-client-policy in the NSight/EGuest servers device configuration context. Once applied, the server posts details to the database specified in the policy. vx9000-34B78B(config-device-00-0C-29-34-B7-8B)#use database-client-policy DBClientPolicy vx9000-34B78B(config-device-00-0C-29-34-B7-8B)#show context include-factory |

include database-client-policy use database-client-policy DBClientPolicy vx9000-34B78B(config-device-00-0C-29-34-B7-8B)#

Related Commands no database-policy nsight-policy use (profile/device context) database Removes an existing database-client-policy Documents database policy configuration commands. If enforcing authenticated database access, use this command to enable authentication on the database and configure the username and password. Documents NSight policy configuration commands. The NSight policy is a tool, which when created and applied at the RF Domain level allows the RF Domain manager to send statistics (polled from devices within the RF Domain) to the NOC. The NOC, when enabled as the NSight server, stores this data in a locally or externally hosted database. Uses a database-client-policy in the VX9000s device or profile context Drops or repairs a database. Also provides database keyfile management capabilities. If enforcing authenticated access to the database, use this command to generate, export, import, and zerzoise the keyfile. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 179 GLOBAL CONFIGURATION COMMANDS 4.1.38.2 database-client-policy-mode commands database-client-policy The following table summarizes database-client-policy configuration mode commands:

Table 4.17 Database-Client-Policy-Config-Mode Commands Command authentication database-server no Description Configures the captive-portal/NSight database users Configures the database hosts IP address or hostname. Use this command to configure the IP address or hostname of the VM hosting the database. Removes the database hosts IP/hostname configuration Reference page 4-181 page 4-182 page 4-183 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 180 GLOBAL CONFIGURATION COMMANDS 4.1.38.2.1 authentication database-client-policy-mode commands Configures the databases username and password Supported in the following platforms:

Service Platforms NX9500, NX9600, VX9000 Syntax authentication username <USER-NAME> password <PASSWORD>

Parameters authentication username <USER-NAME> password <PASSWORD>

authentication username <USER-

NAME> password

<PASSWORD>

Configures the username and password required to access the database. Note, username and password specified here should be the same as those already created on the database host. For more information on creating database users, see service. username <USER-NAME> Configures the user name password <PASSWORD> Configures the password for the username specified above. However, ensure database authentication is enabled in the database-policy. For more information on database-policy, see database-policy. For more information on enabling database authentication, see database Example vx9000-65672(config-database-client-policy-DBClientPolicy)# authentication username extreme password 2 test@12345 vx9000-656725#show running-config database-client-policy replica-set database-client-policy replica-set database-server 13.13.13.3 database-server 14.14.14.2 authentication username extreme password 2 q4cUyedmA4BFsn1kg/

xjCQAAAAliMbdrXKblQbsyrwMGdVzv vx9000-656725#

Related Commands no Removes an existing database username and password Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 181 GLOBAL CONFIGURATION COMMANDS 4.1.38.2.2 database-server database-client-policy-mode commands Configures the IPv4/IPv6 address or hostname of the VM hosting the database Supported in the following platforms:

Service Platforms VX9000 Syntax database-server [<IP>|<HOSTNAME>|<IPv6>]

Parameters database-server [<IP>|<HOSTNAME>|<IPv6>]

database-server

[<IP>|<HOSTNAME>|<

IPv6>]

Identifies the database host using one of the following options:

<IP> Specifies the hosts IPv4 address

<HOSTNAME> Specifies the hosts hostname

<IPv6> Specifies the hosts IPv6 address. Example vx9000-34B78B(config-database-client-policy-DBClientPolicy)#database-server 192.168.13.10 vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context database-client-policy DBClientPolicy database-server 192.168.13.10 vx9000-34B78B(config-database-client-policy-DBClientPolicy)#

Related Commands no Removes the database servers (the VM hosting the database) IP/hostname configuration Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 182 GLOBAL CONFIGURATION COMMANDS 4.1.38.2.3 no database-client-policy-mode commands Removes the database hosts IP/hostname configuration Supported in the following platforms:

Service Platforms VX9000 Syntax no [authentication|database-server]

no authentication username <USER-NAME>

no database-server [<IP>|<HOST-NAME>|<IPv6>]

Parameters no [authentication|database-server]

no database-server Removes the database VMs IPv4/Ipv6 address or hostname associated with this database client policy. Also removes database user details. Example vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context database-client-policy DBClientPolicy database-server 192.168.13.10 vx9000-34B78B(config-database-client-policy-DBClientPolicy)#

vx9000-34B78B(config-database-client-policy-DBClientPolicy)#no database-server vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context database-client-policy DBClientPolicy vx9000-34B78B(config-database-client-policy-DBClientPolicy)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 183 GLOBAL CONFIGURATION COMMANDS 4.1.39 database-policy Global Configuration Commands The following table summarizes the config database policy commands:

Table 4.18 Database-Policy Config Commands Command database-policy database-policy-

mode commands Description Creates a database policy and enters its configuration mode Lists database policy configuration mode commands Reference page 4-185 page 4-186 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 184 GLOBAL CONFIGURATION COMMANDS 4.1.39.1 database-policy database-policy Creates a database-policy and enters its configuration mode. After creating the database-policy, use it on the database host. This enables the database. If deploying a database replica-set, use this command to define the replica set configurations. To enforce database authentication, enable authentication on the database-policy, and configure the username and password required to access the database. Note, this command is part of a set of configurations that are required to enable authentication. For more information on the entire set of configurations, see database. Supported in the following platforms:

Service Platforms NX9500, NX9510, VX9000 Syntax database-policy <DATABASE-POLICY-NAME>

Parameters database-policy <DATABASE-POLICY-NAME>

database-policy

<DATABASE-POLICY-

NAME>

Specify the database policy name. If the policy does not exist, it is created. Example nx9500-6C8809(config-database-policy-test)#?

Database Policy Mode commands:

authentication Database authentication no Negate a command or set its defaults replica-set Replica Set shutdown Disable database server clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-database-policy-test)#

Related Commands no Removes an existing database policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 185 GLOBAL CONFIGURATION COMMANDS 4.1.39.2 database-policy-mode commands database-policy The following table summarizes database-policy configuration mode commands:

Table 4.19 Database-Policy-Config-Mode Commands Command authentication replica-set shutdown no Description Enables database authentication and configures the username and password required to access the database Adds a member to a database replica set Shuts down the database server Removes a member from the database replica set Reference page 4-187 page 4-188 page 4-190 page 4-191 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 186 GLOBAL CONFIGURATION COMMANDS 4.1.39.2.1 authentication database-policy-mode commands Enables database authentication. When enabled and applied on the database host, this policy enforces authenticated access to the database. This command also configures the username and password required to access the database. Supported in the following platforms:

Service Platforms NX9500, NX9600, VX9000 Syntax authentication authentication username <USER-NAME> password <PASSWORD>

Parameters authentication authentication Enables database authentication on this database-policy. When executed without the associated keywords, the command enables authentication on the database host using the policy. Execute the command along with the username and password inputs to configure the user credentials required for access the database. authentication username <USER-NAME> password <PASSWORD>

authentication username <USER-

NAME> password

<PASSWORD>

Configures the username and password required to access the database. Note, username and password specified here should be the same as those already created on the database host. For more information, see service. username <USER-NAME> Configures the database username password <PASSWORD> Configures the password for the username specified above Users using these credentials are allowed database access. In case of a split NSight/

EGuest deployment, ensure that the database-client-policy running on the NSight/

EGuest server has the same user details configured. For information on creating database-client-policy, see database-client-policy For more information on enabling database authentication, see database. Example nx9500-6C8809(config-database-policy-test)#authentication nx9500-6C8809(config-database-policy-test)#no shutdown nx9500-6C8809(config-database-policy-test)#authentication username user1 password uesr@123 nx9500-6C8809(config-database-policy-test)#show context database-policy test authentication authentication username user1 password 2 f20/dTjYiMnR/tqbGFaO5gAAAAjL/

xo8clisk1TZjimo128t nx9500-6C8809(config-database-policy-test)#

Related Commands no Disables database authentication, and removes the username and password configuration. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 187 GLOBAL CONFIGURATION COMMANDS 4.1.39.2.2 replica-set database-policy-mode commands Adds a member to a database replica set. A replica-set is a group of devices (replica-set members) running the database instances that maintain the same data set. Replica sets provide redundancy and high availability and are the basis for all production deployments. The replica set usually consists of: an arbiter, a primary member, and one or more secondary members. The primary member and the secondary member(s) maintain replicas of the data set. Before deploying a replica set, ensure that each of the replica-set member:

has the DB instances installed, and is able to communicate with every other member in the set. After ensuring the above, Create a database policy (with identical replica-set configuration) on each of the member devices, and Use the database policy in the member devices configuration mode. These member devices elect a primary member, which begins accepting client-write operations. Remaining devices in the replica-set, with the exception of the arbiter, are designated as secondary members. Supported in the following platforms:

Service Platforms NX9500, NX9600, VX9000, NX7500, NX5500 Syntax replica-set member [<IP>|<FQDN>] {arbiter|priority <0-255>}

Parameters replica-set member [<IP>|<FQDN>] {arbiter|priority <0-255>}

replica-set member

[<IP>|<FQDN>]

{arbiter|priority <0-

255>}

Adds a member to the database replica set. To identify the member, use one of the following options:

<IP> Specify the members IP address.

<FQDN> Specify the members Fully Qualified Domain Name (FQDN). After specifying the IP address or FQDN, specify the following:

arbiter Optional. Select to configure the member as the arbiter. priority <0-255> Optional. Configures the priority of a non-arbiter member of the replica set

<0-255> Specify the priority from 0 - 255. This value determines the members position within the replica set as primary or secondary. It also helps in electing the fall-back primary member in the eventuality of the current primary member being unreachable. A replica set should have at least three members. The maximum number of members can go up to fifty (50). However, configuring a three-member replica set is recommended. Replica sets should have odd number of members. In case of an even-

numbered replica set, add an arbiter to make the member count odd. This ensures that at least one member gets a majority vote in the primary-member election. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 188 GLOBAL CONFIGURATION COMMANDS Example nx9500-6C8809(config-database-policy-test)#replica-set member 192.168.13.14 arbiter nx9500-6C8809(config-database-policy-test)#replica-set member 192.168.13.16 priority 1 nx9500-6C8809(config-database-policy-test)#replica-set member 192.168.13.12 priority 2 nx9500-6C8809(config-database-policy-test)#show context database-policy test replica-set member 192.168.13.12 priority 2 replica-set member 192.168.13.14 arbiter replica-set member 192.168.13.16 priority 1 nx9500-6C8809(config-database-policy-test)#

Related Commands no Removes a member from the database replica set Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 189 GLOBAL CONFIGURATION COMMANDS 4.1.39.2.3 shutdown database-policy-mode commands Shuts down the database server. The factory default is set as no shutdown. Supported in the following platforms:

Service Platforms NX9500, NX9600, VX9000, NX7500, NX5500 Syntax shutdown Parameters None Example nx9500-6C8809(config-database-policy-test)#shutdown nx9500-6C8809(config-database-policy-test)#show context database-policy test shutdown nx9500-6C8809(config-database-policy-test)#

Related Commands no Enables the database server Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 190 GLOBAL CONFIGURATION COMMANDS 4.1.39.2.4 no database-policy-mode commands Removes or reverts the database policy settings to default values Supported in the following platforms:

Service Platforms NX9500, NX9600, VX9000, NX7500, NX5500 Syntax no [authentication|replica-set|shutdown]

no authentication {username <USER-NAME>}

no replica-set member [<IP>|<FQDN>]

no shutdown Parameters no <PARAMETERS>

no <PARAMETERS>

Removes a member from the database replica set, or brings up a database server that is down. Also disables database authentication and removes user Example The following example shows a three-member replica set:

nx9500-6C8809(config-database-policy-test)#show context database-policy test replica-set member 192.168.13.12 priority 2 replica-set member 192.168.13.14 arbiter replica-set member 192.168.13.16 priority 1 nx9500-6C8809(config-database-policy-test)#

In the following example the arbiter is being removed, leaving the replica set with only two members:

nx9500-6C8809(config-database-policy-test)#no replica-set member 192.168.13.14 nx9500-6C8809(config-database-policy-test)#show context database-policy test replica-set member 192.168.13.12 priority 2 replica-set member 192.168.13.16 priority 1 nx9500-6C8809(config-database-policy-test)#

Since a replica set must have at least three members, another member must be added to this replica set. This member may or may not be an arbiter. nx9500-6C8809(config-database-policy-test)#replica-set member 192.168.13.8 priority 3 nx9500-6C8809(config-database-policy-test)#show context database-policy test replica-set member 192.168.13.12 priority 2 replica-set member 192.168.13.16 priority 1 replica-set member 192.168.13.8 priority 3 nx9500-6C8809(config-database-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 191 GLOBAL CONFIGURATION COMMANDS 4.1.40 device Global Configuration Commands Enables simultaneous configuration of multiple devices Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax device {containing|filter}

device {containing <STRING>} {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|

ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|

ap8432|ap8533|ex3524|ex3548|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|t5|

vx9000]}

device {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|

ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|ex3524|

ex3548|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000]}

Parameters device {containing <STRING>} {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|

ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|

ap8432|ap8533|ex3524|ex3548|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|t5|

vx9000]}

device Enters a devices configuration mode. Use this command to simultaneously configure devices having similar configuration. containing <STRING> Optional. Configures the string to search for in the devices hostname. All devices filter type

<DEVICE-TYPE>

having hostnames containing the string specified here are filtered, and can be configured simultaneously.

<STRING> Specify the string to search for in the devices hostname. Optional. Filters out a specific device type. After specifying the hostname string, select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, EX3524, EX3548, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, t5, and VX9000 (V-WLC). The t5 option is applicable only on the NX7500, NX7510, NX7520, NX7530, NX95XX, NX9500, NX9510, and NX9600 platforms. The VX9000 option is applicable only to the NX9500, NX9510, and NX9600 platforms. device {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|

ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|ex3524|

ex3548|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000]}

device Configures a basic device profile Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 192 GLOBAL CONFIGURATION COMMANDS filter type

<DEVICE-TYPE>

Optional. Filters out a specific device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, EX3524, EX3548, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, t5, and VX9000 (V-WLC). The t5 option is applicable only on the NX7500, NX7510, NX7520, NX7530, NX95XX, NX9500, NX9510, and NX9600 platforms. The VX9000 option is applicable only to the NX9500, NX9510, and NX9600 platforms. Example rfs6000-81742D(config)#device filter type ap7532 rfs6000-81742D(config-device-{'type': 'ap7532'})#

Related Commands no Removes multiple devices from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 193 GLOBAL CONFIGURATION COMMANDS 4.1.41 device-categorization Global Configuration Commands Categorizes devices as sanctioned or neighboring. Categorization of devices enables quick identification and blocking of unsanctioned devices in the network. The following table summarizes the device categorization mode commands:

Table 4.20 Device-Categorization Config Command Command device-categorization Creates a device categorization list and enters its configuration Description device-categorization-

mode commands mode Summarizes device categorization list configuration mode commands Reference page 4-195 page 4-196 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 194 GLOBAL CONFIGURATION COMMANDS 4.1.41.1 device-categorization device-categorization Configures a device categorization list Proper classification and categorization of devices (access points, clients, etc.) helps suppress unnecessary unauthorized access point alarms, allowing network administrators to focus on alarms on devices actually behaving in a suspicious manner. An intruder with a device erroneously authorized could potentially perform activities that harm your organization. Authorized access points and clients are generally known to you and conform with your organizations security policies. Unauthorized devices are those detected as interoperating within the network, but are not approved. These devices should be filtered to avoid jeopardizing the data within a managed network. Use this command to apply the neighboring and sanctioned (approved) filters on peer devices operating within a wireless controller or access points radio coverage area. Detected client MAC addresses can also be filtered based on their classification. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax device-categorization <DEVICE-CATEGORIZATION-LIST-NAME>

Parameters device-categorization <DEVICE-CATEGORIZATION-LIST-NAME>

<DEVICE-

CATEGORIZATION-

LIST-NAME>

Specify the device categorization list name. If a list with the same name does not exist, it is created. Example rfs6000-81742D(config)#device-categorization rfs6000 rfs6000-81742D(config-device-categorization-rfs6000)#?

Device Category Mode commands:

mark-device Add a device no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-device-categorization-rfs6000)#

Related Commands no Removes an existing device categorization list Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 195 GLOBAL CONFIGURATION COMMANDS 4.1.41.2 device-categorization-mode commands device-categorization The following table summarizes device categorization configuration mode commands:

Table 4.21 Device-Categorization-Mode Commands Command mark-device no Description Adds a device to the device categorization list Removes a device from the device categorization list Reference page 4-197 page 4-199 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 196 GLOBAL CONFIGURATION COMMANDS 4.1.41.2.1 mark-device device-categorization-mode commands Adds a device to the device categorization list as sanctioned or neighboring. Devices are further classified as AP or client. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mark-device <1-1000> [sanctioned|neighboring] [ap|client]

mark-device <1-1000> [sanctioned|neighboring] ap {mac <MAC>|ssid <SSID> {mac

<MAC>}}

mark-device <1-1000> [sanctioned|neighboring] client {mac <MAC>}

Parameters mark-device <1-1000> [sanctioned|neighboring] ap {mac <MAC>|ssid <SSID> {mac

<MAC>}}

<1-1000>

sanctioned neighboring ap

{mac <MAC>|

ssid <SSID>}

Configures the device categorization entry index number Marks a device as sanctioned. A sanctioned device is authorized to use network resources. Marks a device as neighboring. A neighboring device is a neighbor in the same network as this device. Marks a specified AP as sanctioned or neighboring based on its MAC address or SSID mac <MAC> Optional. Specify the APs MAC address ssid <SSID> Optional. Specify the APs SSID. After specifying the SSID, you can optionally specify its MAC SSID. All APs are marked if no specific MAC address or SSID is provided.

<1-1000>

sanctioned neighboring mark-device [sanctioned|neighboring] client {mac <MAC>}

Configures the device categorization entry index number Marks the wireless client as sanctioned. A sanctioned device is authorized to use network resources. Marks the wireless client as neighboring. A neighboring device is a neighbor in the same network as this device. client {mac <MAC>} Marks a specified wireless client as sanctioned or neighboring based on its MAC address mac <MAC> Optional. Specify the wireless clients MAC address. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 197 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-device-categorization-rfs6000)#mark-device 1 sanctioned ap mac 11-22-33-44-55-66 rfs6000-81742D(config-device-categorization-rfs6000)#show context device-categorization rfs6000 mark-device 1 sanctioned ap mac 11-22-33-44-55-66 rfs6000-81742D(config-device-categorization-rfs6000)#

Related Commands no Removes an entry from the device categorization list Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 198 GLOBAL CONFIGURATION COMMANDS 4.1.41.2.2 no device-categorization-mode commands Removes a device from the device categorization list Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no mark-device <1-1000> [neighboring|sanctioned] [ap|client]

no mark-device <1-1000> [sanctioned|neighboring] client {mac <MAC>}

no mark-device <1-1000> [sanctioned|neighboring] ap {mac <MAC>|ssid <SSID> {mac

<MAC>}}

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes a mark device (AP or wireless client) entry from this device categorization list Example The following example shows the device categorization list rfs6000 settings before the no command is executed:

rfs6000-81742D(config-device-categorization-rfs6000)#show context device-categorization rfs6000 mark-device 1 sanctioned ap mac 11-22-33-44-55-66 rfs6000-81742D(config-device-categorization-rfs6000)#

rfs6000-81742D(config-device-categorization-rfs6000)#no mark-device 1 sanctioned ap mac 11-22-33-44-55-66 The following example shows the device categorization list rfs6000 settings after the no command is executed:

rfs6000-81742D(config-device-categorization-rfs6000)#show context device-categorization rfs6000 rfs6000-81742D(config-device-categorization-rfs6000)#

Related Commands mark-device Adds a device to a list of sanctioned or neighboring devices Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 199 GLOBAL CONFIGURATION COMMANDS 4.1.42 dhcp-server-policy Global Configuration Commands Configures DHCPv4 server policy parameters, such as class, address range, and options. A new policy is created if it does not exist. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dhcp-server-policy <DHCP-SERVER-POLICY-NAME>

Parameters dhcp-server-policy <DHCP-SERVER-POLICY-NAME>

<DHCP-SERVER-

POLICY-NAME>

Specify the DHCPv4 server policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#dhcp-server-policy test rfs6000-81742D(config-dhcp-policy-test)#?

DHCP policy Mode commands:

bootp BOOTP specific configuration dhcp-class Configure DHCP class (for address allocation using DHCP user-class options) dhcp-pool Configure DHCP server address pool dhcp-server Activating dhcp server based on criteria no Negate a command or set its defaults option Define DHCP server option ping Specify ping parameters used by DHCP Server clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-dhcp-policy-test)#

Related Commands no Removes an existing DHCP server policy NOTE: For more information on DHCP policy, see Chapter 12, DHCP-SERVER-

POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 200 GLOBAL CONFIGURATION COMMANDS 4.1.43 dhcpv6-server-policy Global Configuration Commands Creates a DHCPv6 server policy and enters its configuration mode DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes, or other configuration attributes required on an IPv6 network. DHCPv6 servers pass IPv6 network addresses to IPv6 clients. The DHCPv6 address assignment feature manages non-duplicate addresses in the correct prefix based on the network where the host is connected. Assigned addresses can be from one or multiple pools. Additional options, such as the default domain and DNS name-server address, can be passed back to the client. Address pools can be assigned for use on a specific interface or on multiple interfaces, or the server can automatically find the appropriate pool. When configured and applied to a device, the DHCPv6 server policy enables the device to function as a stateless DHCPv6 server. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dhcpv6-server-policy <DHCPv6-SERVER-POLICY-NAME>

Parameters dhcpv6-server-policy <DHCPv6-SERVER-POLICY-NAME>

<DHCPv6-SERVER-

POLICY-NAME>

Specify the DHCPv6 server policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config-dhcpv6-server-policy-test)#?

DHCPv6 server policy Mode commands:

dhcpv6-pool Configure DHCPV6 server address pool no Negate a command or set its defaults option Define DHCPv6 server option restrict-vendor-options Restrict vendor specific options to be sent in server reply server-preference Server preference value sent in the reply, by the server to client clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-dhcpv6-server-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 201 GLOBAL CONFIGURATION COMMANDS Related Commands no Removes an existing DHCPv6 server policy NOTE: For more information on DHCP policy, see Chapter 12, DHCP-SERVER-

POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 202 GLOBAL CONFIGURATION COMMANDS 4.1.44 dns-whitelist Global Configuration Commands Configures a DNS whitelist. A DNS whitelist is a list of domains allowed access to the network. The following table lists DNS Whitelist configuration mode commands:

Table 4.22 DNS-Whitelist Config Commands Command dns-whitelist dns-whitelist-mode commands Description Creates a DNS whitelist and enters its configuration mode Summarizes DNS whitelist configuration mode commands Reference page 4-204 page 4-205 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 203 GLOBAL CONFIGURATION COMMANDS 4.1.44.1 dns-whitelist dns-whitelist Configures a DNS whitelist. A DNS whitelist is a list of allowed DNS destination IP addresses pre-approved to access a controller, service platform, or access point managed captive portal. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dns-whitelist <DNS-WHITELIST-NAME>

Parameters dns-whitelist <DNS-WHITELIST-NAME>

<DNS-WHITELIST-

NAME>

Specify the DNS whitelist name. If the whitelist does not exist, it is created. Example rfs6000-81742D(config)#dns-whitelist test rfs6000-81742D(config-dns-whitelist-test)#?

DNS Whitelist Mode commands:

no Negate a command or set its defaults permit Match a host clrscr Clears the display screen commit Commit all changes made in this session end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-dns-whitelist-test)#

Related Commands no Removes an existing DNS Whitelist Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 204 GLOBAL CONFIGURATION COMMANDS 4.1.44.2 dns-whitelist-mode commands dns-whitelist The following table summarizes DNS Whitelist configuration mode commands:

Table 4.23 DNS-Whitelist-Mode Commands Command permit no Description Permits a host, existing on a DNS whitelist, access to the network or captive portal Negates a command or reverts to default Reference page 4-206 page 4-207 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 205 GLOBAL CONFIGURATION COMMANDS 4.1.44.2.1 permit dns-whitelist-mode commands A whitelist is a list of host names and IP addresses permitted access to the network or captive portal. This command adds a host or destination IP address to the DNS whitelist. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax permit <IPv4/IPv6/HOSTNAME> {suffix}

Parameters permit <IPv4/IPv6/HOSTNAME> {suffix}

<IPv4/IPv6/

HOSTNAME>

Adds a device to the DNS whitelist

<IPv4/IPv6/HOSTNAME> Provide a hostname or numerical IPv4 or IPv6 address for each destination IP address or host included in the whitelist. suffix Example A maximum of 256 entries can be made. Optional. Matches any hostname or domain name including the specified name as suffix rfs6000-81742D(config-dns-whitelist-test)#permit example_company.com suffix rfs6000-81742D(config-dns-whitelist-test)#show context dns-whitelist test permit example_company.com suffix rfs6000-81742D(config-dns-whitelist-test)#

Related Commands no Removes a DNS whitelist entry Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 206 GLOBAL CONFIGURATION COMMANDS 4.1.44.2.2 no dns-whitelist-mode commands Removes a specified host or IP address from the DNS whitelist, and prevents it from accessing network resources Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no permit <IPv4/IPv6/HOSTNAME>

Parameters no permit <IPv4/IPv6/HOSTNAME>

<IPv4/IPv6/

HOSTNAME>

Removes a device from the DNS whitelist (identifies the device by its IP address or hostname)

<IPv4/IPv6/HOSTNAME> Specify the devices IPv4/IPv6 address or hostname. Example rfs6000-81742D(config-dns-whitelist-test)#show context dns-whitelist test permit example_company.com suffix rfs6000-81742D(config-dns-whitelist-test)#

rfs6000-81742D(config-dns-whitelist-test)#no permit example_company.com rfs6000-81742D(config-dns-whitelist-test)#show context dns-whitelist test rfs6000-81742D(config-dns-whitelist-test)#

Related Commands permit Adds a device to the DNS whitelist Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 207 GLOBAL CONFIGURATION COMMANDS 4.1.45 end Global Configuration Commands Ends and exits the current mode and moves to the PRIV EXEC mode The prompt changes to the PRIV EXEC mode. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax end Parameters None Example rfs4000-229D58(config)#end rfs4000-229D58#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 208 GLOBAL CONFIGURATION COMMANDS 4.1.46 event-system-policy Global Configuration Commands The following table lists event system configuration mode commands:

Table 4.24 Event-System-Policy Config Command Command event-system-

policy event-system-

policy-mode commands Description Creates an event system policy and enters its configuration mode Reference page 4-210 Summarizes event system policy configuration mode commands page 4-211 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 209 GLOBAL CONFIGURATION COMMANDS 4.1.46.1 event-system-policy event-system-policy Configures a system wide events handling policy Event system policies enable administrators to create notification mechanisms using one, some, or all of the SNMP, syslog, controller forwarding, or email notification options available to the controller or service platform. Each listed event can have customized notification settings defined and saved as part of an event policy. Thus, policies can be configured and administrated in respect to specific sets of client association, authentication or encryption, and performance events. Once policies are defined, they can be mapped to device profiles strategically as the likelihood of an event applies to particular devices. To view an existing event system policy configuration details, use the show > event-system-policy command. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax event-system-policy <EVENT-SYSTEM-POLICY-NAME>

Parameters event-system-policy <EVENT-SYSTEM-POLICY-NAME>

<EVENT-SYSTEM-

POLICY-NAME>

Specify the event system policy name. If the policy does not exist, it is created. Example rfs6000-81701D(config)#event-system-policy event-testpolicy rfs6000-81701D(config-event-system-policy-event-testpolicy)#?

Event System Policy Mode commands:

event Configure an event no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81701D(config-event-system-policy-event-testpolicy)#

Related Commands no Removes an event system policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 210 GLOBAL CONFIGURATION COMMANDS 4.1.46.2 event-system-policy-mode commands event-system-policy The following table summarizes event system policy configuration mode commands:

Table 4.25 Event-System-Policy Mode Commands Command event no Description Configures an event Negates a command or reverts to default Reference page 4-212 page 4-225 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 211 GLOBAL CONFIGURATION COMMANDS 4.1.46.2.1 event event-system-policy-mode commands Configures an event and sets the action performed when the event happens Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax event <EVENT-TYPE> <EVENT-NAME> (email,forward-to-switch,snmp,syslog)

[default|on|off]

The event types are:

rfs6000-81742D(config-event-system-policy-testpolicy)#event ?

aaa AAA/Radius module adapt Adaptivity Module adopt-service Adoption Service adv-wips Adv-wips module ap Access Point module bt Bluetooth captive-portal Captive Portal cdp Cisco Discovery Protocol certmgr Certificate Manager (Not valid for NCAP/MCN) cfgd Cfgd module cluster Cluster module crm Critical Resource Monitoring database Database Services device Device module dhcpsvr DHCP Configuration Daemon diag Diag module dot11 802.11 management module dot1x 802.1X Authentication fwu Firmware update module isdn Isdn module l2gre Layer 2 GRE Tunnel l2tpv3 Layer 2 Tunneling Protocol Version 3 licmgr License module lldp Link Layer Discovery Protocol mesh Mesh module mgmt Management Services nsm Network Services Module pm Process-monitor module radconf Radius Configuration Daemon rasst Roaming-Assist module radio Radio module smrt Smart-rf module smtpnot Smtpnot module system System module test Test module vrrp Virtual Router Redundancy Protocol webf Webf module wips Wireless IPS module rfs6000-81742D(config-event-system-policy-testpolicy)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 212 GLOBAL CONFIGURATION COMMANDS NOTE: The parameter values for <EVENT-TYPE> and <EVENT-NAME> are summarized in the table under the Parameters section. Parameters event <EVENT-TYPE> <EVENT-NAME> (email,forward-to-switch,snmp,syslog)

[default|on|off]

<event-type>

aaa adapt adopt-services adv-wips ap

<event-name>

Enables and configures logging of the following authentication, authorization, and accounting related events:

radius-discon-msg RADIUS disconnection radius-session-expired RADIUS session expired radius-session-not-started RADIUS session not started radius-vlan-update RADIUS VLAN update Enables and configures logging of the following adaptivity module related events:

adaptivity-change Event adaptivity change adaptivity-rehome Event adaptivity rehome Enables and configures the logging of adopted services related events Enables and configures the logging of advanced WIPS related events Enables and configures logging of the following AP related events:

adopted Event AP adopted adopted-to-controller Event AP adopted to wireless controller ap-adopted Event access port adopted ap-autoup-done Event AP autoup done ap-autoup-fail Event AP autoup fail ap-autoup-needed Event AP autoup needed ap-autoup-no-need Event AP autoup not needed ap-autoup-reboot Event AP autoup reboot ap-autoup-timeout Event AP autoup timeout ap-autoup-ver Event AP autoup version ap-reset-detected Event access port reset detected ap-reset-request Event access port user requested reset ap-timeout Event access port timed out ap-unadopted Event access port unadopted image-parse-failure Event image parse failure message legacy-auto-update Event legacy auto update no-image-file Event no image file offline Event AP detected as offline online Event offline AP detected as online Contd... Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 213

<event-type>

bt captive-portal cdp certmgr GLOBAL CONFIGURATION COMMANDS

<event-name>

reset Event AP reset sw-conn-lost Event software connection with AP lost unadopted Event AP unadopted Enables and configures logging of the following bluetooth related events:

bt-started Event bluetooth (bt) started bt-state-change Event bt state change Enables and configures logging of the following captive portal (hotspot) related events:

allow-access Event client allowed access auth-failed Event client authentication failed auth-success Event client authentication success client-disconnect Event client disconnected client-removed Event client removed data-limit-exceed Event client data limit exceed flex-log-access Event flexible log access granted to client inactivity-timeout Event client time-out due to inactivity page-cre-failed Event captive portal page creation failure purge-client Event client purged session-timeout Event clients session timeout vlan-switch Event client switched VLAN Enables and configures logging of the following CISCO Discovery Protocol (cdp) related event:

duplex-mismatch Event duplex mismatch detected between CDP neighbors Enables and configures logging of the following certificate manager related events

(not applicable to AP6511 and AP6521 model access points):

ca-cert-actions-failure Event CA certificate actions failure ca-cert-actions-success Event CA certificate actions success ca-key-actions-failure Event CA key actions failure ca-key-actions-success Event CA key actions success cert-expiry Event certificate expiry crl-actions-failure Event Certificate Revocation List (CRL) actions failure crl-actions-success Event CRL actions success csr-export-failure Event CSR export failure csr-export-success Event CSR export success delete-trustpoint-action Event delete trustpoint action export-trustpoint Event trustpoint exported import-trustpoint Event trustpoint imported rsa-key-actions-failure Event RSA key actions failure rsa-key-actions-success Event RSA key actions success svr-cert-actions-success Event server certificate actions success svr-cert-actions-failure Event server certificate actions failure Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 214

<event-type>

certmgr-lite cfgd cluster crm device database dhcpsvr GLOBAL CONFIGURATION COMMANDS

<event-name>

Enables and configures logging of certificate manager (lite version) related event messages (applicable only to AP6521 and AP6511 model access points) Enables and configures logging of the following configuration daemon module related events:

acl-attached-altered Event Access List (ACL) attached altered acl-rule-altered Event ACL rule altered Enables and configures logging of the following cluster module related events:

cmaster-cfg-update-fail Event cluster master config update failed max-exceeded Event maximum cluster count exceeded state-change Event cluster state change (active/inactive) state-change-active Event cluster state change to active state-change-inactive Event cluster state change to inactive state-retain-active Event cluster state retained as active Enables and configures logging of the following Critical Resource Monitoring (CRM) related events:

critical-resource-down Event critical resource goes down critical-resource-up Event critical resource comes up Enables and configures the logging of device module related events Enables and configures logging of the following error conditions in the captive-

portal/NSIght database:

database-election-fail Event primary database node selection failure. Requires manual intervention to select primary database node. database-exception Event database may need to be dropped and device restarted database-low-disk-space Event database low disk space Database-new-state Event database state change database-op-failure Event database failure database-set-name-mismatch Event replica-set not enabled on host database-storage-mismatch Event database mismatch. All database files must be removed. operation-complete Event database operation completed successfully operation-failed Event database operation failure Enables and configures logging of the following DHCP server related events:

dhcp-start Event DHCP server started dhcpsvr-stop Event DHCP sever stopped relay-iface-no-ip Event no IP address on DHCP relay interface relay-no-iface Event no interface for DHCP relay relay-start Event relay agent started relay-stop Event DHCP relay agent stopped Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 215

<event-type>

diag GLOBAL CONFIGURATION COMMANDS

<event-name>

Enables and configures logging of the following diagnostics module related events:

autogen-tech-sprt Event autogen technical support buf-usage Event buffer usage cpu-load Event CPU load cpu-usage-too-high Event CPU usage high cpu-usage-too-high-recover Event recovery from high CPU usage disk-usage Event disk usage elapsed-time Event elapsed time fan-underspeed Event fan underspeed fd-count Event forward count free-flash-disk Event free flash disk free-flash-inodes Event free flash inodes free-nvram-disk Event free nvram disk free-nvram-inodes Event free nvram inodes free-ram Event free ram free-ram-disk Event free ram disk free-ram-inodes Event free ram inodes head-cache-usage Event head cache usage high-temp Event high temp ip-dest-usage Event ip destination usage led-identify Event led identify low-temp Event low temp mem-usage-too-high Event memory usage high mem-usage-too-high-recover Event recovery from high memory usage new-led-state Event new led state over-temp Event over temp over-voltage Event over voltage poe-init-fail Event PoE init fail poe-power-level Event PoE power level poe-read-fail Event PoE read fail poe-state-change Event PoE state change poe-state-change Event PoE state change pwrsply-fail Event failure of power supply raid-degraded Event Redundant Array of Independent Disks (RAID) degraded raid-error Event RAID error ram-usage Event ram usage under-voltage Event under voltage wd-reset-sys Event wd reset system wd-state-change Event wd state change Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 216

<event-type>

dot11 GLOBAL CONFIGURATION COMMANDS

<event-name>

Enables and configures logging of the following 802.11 management module related events:

client-assoc-ignored Wireless client association ignored event client-associated Wireless client associated event client-denied-assoc Event client denied association client-disassociated Wireless client disassociated country-code Event country code applied country-code-error Event country code error eap-cached-keys Event Extensible Authentication Protocol (EAP) cached keys eap-client-timeout Event EAP client timeout eap-failed Event EAP failed eap-opp-cached-keys Event EAP opp cached keys eap-preauth-client-timeout Event EAP pre authentication client timeout eap-preauth-failed Event EAP pre authentication failed eap-preauth-server-timeout Event EAP pre authentication server timeout eap-preauth-success Event EAP pre authentication success eap-server-timeout Event EAP server timeout eap-success Event EAP success ft-roam-success Event client fast BSS transition gal-rx-request Event GAL request received event gal-tx-response Event response sent to GAL request gal-validate-failed Event GAL validation failed gal-validate-req Event GAL validation request gal-validate-success Event GAL validation success kerberos-client-success Event client Kerberos authentication success kerberos-wlan-failed Event WLAN Kerberos authentication failed kerberos-wlan-success Event WLAN Kerberos authentication success kerberos-wlan-timeout Event Kerberos authentication timed out move-operation-success Event move operation success neighbor-denied-assoc Event neighbor denied association tkip-cntrmeas-end Event TKIP countermeasures ended tkip-cntrmeas-start Event TKIP countermeasures initiated tkip-mic-fail-report Event TKIP MIC failure report tkip-mic-failure Event TKIP MIC check failed voice-call-completed Event voice call completed voice-call-established Event voice call established voice-call-failed Event voice call failed wlan-time-access-disable Event WLAN disabled by time-based-access wlan-time-access-enable Event WLAN re-enabled by time-based-access Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 217

<event-type>

dot1x fwu isdn l2gre GLOBAL CONFIGURATION COMMANDS

<event-name>

wlan-time-access-disable Event WLAN disabled by time-based-access wlan-time-access-enable Event WLAN re-enabled by time-based-access wpa-wpa2-failed Event WPA-WPA2 failed wpa-wpa2-key-rotn Event WPA-WPA2 key rotn wpa-wpa2-success Event WPA-WPA2 success Enables and configures logging of the following 802.1X authentication related events:

dot1x-failed Event EAP authentication failure dot1x-success Event dot1x-success Enables and configures logging of the following firmware update (fwu) related events:

fwuaborted Event fwu aborted fwubadconfig Event fwu aborted due to bad config fwucorruptedfile Event fwu aborted due to corrupted file fwucouldntgetfile Event fwu aborted because the system could not get file fwudone Event fwu done fwufileundef Event fwu aborted due to file undefined fwunoneed Event fwu no need fwuprodmismatch Event fwu aborted due to product mismatch fwuserverundef Event fwu aborted due to server undefined fwuserverunreachable Event fwu aborted due to server unreachable fwusignmismatch Event fwu aborted due to signature mismatch fwusyserr Event fwu aborted due to system error fwuunsupportedhw Event fwu aborted due to unsupported hardware fwuunsupportedmodelnum Event fwu aborted due to unsupported FIPS model number fwuvermismatch Event fwu aborted due to version mismatch Enables and configures logging of the following file Integrated Service Digital Network (ISDN) module related events:

isdn-alert Event ISDN alert isdn-crit Event ISDN critical isdn-debug Event ISDN debug isdn-emerg Event ISDN emergency isdn-err Event ISDN error isdn-info Event ISDN info isdn-notice Event ISDN notice isdn-warning Event ISDN warning Enables and configures logging of the following Layer 2 GRE (L2GRE) tunnel related events:

l2gre-tunnel-down Event L2GRE tunnel down l2gre-tunnel-failover Event L2GRE tunnel failover l2gre-tunnel-up Event L2GRE tunnel up Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 218

<event-type>

l2tpv3 licmgr lldp mgmt mesh nsm GLOBAL CONFIGURATION COMMANDS

<event-name>

Enables and configures logging of the following L2TPv3 related events:

l2tpv3-tunnel-down Event L2TPv3 tunnel down l2tpv3-tunnel-up Event L2TPv3 tunnel up Enables and configures logging of the following license manager module related events:

lic-installed-count Event total number of license installed count lic-installed-default Event default license installation lic-installed Event license installed lic-invalid Event license installation failed lic-removed Event license removed Enables and configures logging of the following Link Layer Discovery Protocol (LLDP) related events:

lldp-loop-detected Event layer 2 switching loop lldp-loop-recovery Event recovery from layer 2 switching loop Enables and configures logging of the following management services module related events:

log-http-init Event Web server started log-http-local-start Event Web server started in local mode log-http-start Event Web server started in external mode log-https-start Event secure Web server started log-https-wait Event waiting for Web server to start log-key-deleted Event RSA key associated with SSH is deleted log-key-restored Event RSA key associated with SSH is added log-trustpoint-deleted Event trustpoint associated with HTTPS is deleted Enables and configures logging of the following mesh module related events:

mesh-link-down Event mesh link down mesh-link-up Event mesh link up meshpoint-down Event meshpoint down meshpoint-loop-prevent-off Event meshpoint loop prevent off meshpoint-loop-prevent-on Event meshpoint loop prevent on meshpoint-path-change Event meshpoint-path-change meshpoint-root-change Event meshpoint-root-change meshpoint-up Event meshpoint up Enables and configures logging of the following Network Service Module (NSM) related events:

dhcpc-err Event DHCP certification error dhcpdefrt Event DHCP defrt dhcpip Event DHCP IP dhcpipchg Event DHCP IP change dhcpipnoadd Event DHCP IP overlaps static IP address Contd... Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 219

<event-type>

pm radconf radio GLOBAL CONFIGURATION COMMANDS

<event-name>

dhcplsexp Event DHCP lease expiry dhcpnak Event DHCP server returned DHCP NAK response dhcpnodefrt Event interface no default route if-failback Event interface failback message if-failover Event interface failover message ifdown Event interface down message ifipcfg Event interface IP config message ifup Event interface up message nsm-ntp Event translate host name message ntp-start Event NTP server start message ntp-stop Event NTP server stop message Enables and configures logging of the following process monitor module related events:

procid Event proc ID generated procmaxrstrt Event proc max restart procnoresp Event proc no response procrstrt Event proc restart procstart Event proc start procstop Event proc stop procsysrstrt Event proc system restart startupcomplete Event startup complete Enables and configures logging of the following RADIUS configuration daemon related events:

could-not-stop-radius Event could not stop RADIUS server radiusdstart Event RADIUS server started radiusdstop Event RADIUS server stopped Enables and configures logging of the following radio module related events:

acs-scan-complete Event ACS scan completed acs-scan-started Event ACS scan started cb-associated Event client-bridge access point associates with an infrastructure access point cb-roam Event client-bridge access point roams from one infrastructure access point to another infrastructure access point cb-wired-client-added Event wired client is added to the client-bridge cb-wired-client-removed Event wired client is removed from the client-bridge channel-country-mismatch Event channel and country of operation mismatch radar-det-info Event radar detected radar info radar-detected Event radar detected radar-scan-completed Event radar scan completed radar-scan-started Event radar scan started radio-antenna-error Event invalid antenna type on this radio Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 220

<event-type>

rasst smrt smtpnot system GLOBAL CONFIGURATION COMMANDS

<event-name>

radio-antenna-setting Event antenna type setting on this radio radio-state-change Event radio state change resume-home-channel Event resume home channel Enables and configures the logging of roaming assist module related events Enables and configures logging of the following SMART RF module related events:

calibration-done Event calibration done calibration-started Event calibration started channel-change Event channel change config-cleared Configuration cleared event cov-hole-recovery Event coverage hole recovery cov-hole-recovery-done Event coverage hole recovery done interference-recovery Event interference recovery neighbor-recovery Event neighbor recovery power-adjustment Event power adjustment root-recovery Event meshpoint root recovery Enables and configures logging of the following SMTP module related events:

cfg Event cfg cfginc Event cfg inc net Event net proto Event proto smtpauth Event SMTP authentication smtperr Event SMTP error smtpinfo Event SMTP information Enables and configures logging of the following system module related events:

clock-reset Event clock reset cold-start Event cold start config-commit Event configuration commit config-revision Event config-revision done devup-rfd-fail Event device-upgrade failed on rf-domain manager managed devices guest-user-exp Event guest user purging http-err Event Web server failed to start login Event user successfully logged in login-fail Event login fail. Occurs when user authentication fails. login-fail-access Event login fail access. Occurs in case of access violation. login-fail-bad-role Event login fail bad role. Occurs when user uses an invalid role to logon. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 221

<event-type>

system test vrrp GLOBAL CONFIGURATION COMMANDS

<event-name>

login-lockout Event user account locked out message. Occurs when a user account is locked due to exceeding of maximum number failed login attempts threshold. Configure this event notification only if the max-fail and lockout-time parameters have been configured in the management-policy context. For more information, see passwd-entry. login-unlocked Event user account un-locked. Occurs when a locked user account is re-activated. Enable this event notification only if the max-fail and lockout-time parameters have been configured in the management-policy context. For more information, see passwd-entry. logout Event user logout maat-light Event action on Research in Motion (RIM) radio(s) from the Maat light module panic Event panic periodic-heart-beat Event periodic heart beat procstop Event proc stop server-unreachable Event server-unreachable system-autoup-disable Event system autoup disable system-autoup-enable Event system autoup enable t5-config-error Event t5-config-error ui-user-auth-fail Event user authentication fail ui-user-auth-success Event user authentication success warm-start Event warm start warm-start-recover Event recovery from warm start Enables and configures logging of the following test module related events:

testalert Event test alert testargs Event test arguments testcrit Event test critical testdebug Event test debug testemerg Event test emergency testerr Event test error testinfo Event test information testnotice Event test notice testwarn Event test warning Enables and configures logging of the following Virtual Router Redundancy Protocol

(VRRP) related events:

vrrp-monitor-change Event VRRP monitor link state change vrrp-state-change Event VRRP state transition vrrp-vip-subnet-mismatch Event VRRP IP not overlapping with an interface addresses Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 222 GLOBAL CONFIGURATION COMMANDS

<event-type>

webf wips email forward-to-switch snmp syslog default off on

<event-name>

Enables and configures logging of the following Web Filtering (webf) module related events:

malform-url-request Event malformed URL request no-parent-engine Event no session to URL classification server srvr-connect-fail Event URL classification server unreachable url-blocked Event URL blocked webf-lic-acquired Event webf license acquired webf-lic-missing Event webf license missing webf-lic-revoked Event webf license revoked Enables and configures logging of the following Wireless IPS module related events:

air-termination-active Event air termination active air-termination-ended Event air termination ended air-termination-inactive Event air termination inactive air-termination-initiated Event air termination initiated rogue-ap-active Event rogue AP active rogue-ap-inactive Event rogue AP inactive unsanctioned-ap-active Event unsanctioned AP active unsanctioned-ap-inactive Event unsanctioned AP inactive unsanctioned-ap-status-change Event unsanctioned AP changed state wips-client-blacklisted Event WIPS client blacklisted wips-client-rem-blacklist Event WIPS client rem blacklist wips-event Event WIPS event triggered Sends e-mail notifications to a pre configured e-mail ID Forwards the messages to an external server Logs an SNMP event Logs an event to syslog Performs the default action for the event Switches the event off, when the event happens, and no action is performed Switches the event on, when the event happens, and the configured action is taken Example rfs4000-229D58(config-event-system-policy-event-testpolicy)#event aaa radius-

discon-msg email on forward-to-switch default snmp default syslog default rfs4000-229D58(config-event-system-policy-event-testpolicy)#

rfs4000-229D58(config-event-system-policy-testpolicy)#show context event-system-policy test event aaa radius-discon-msg email on rfs4000-229D58(config-event-system-policy-testpolicy)#

nx9500-6C8809(config-event-system-policy-test)#event database database-exception syslog default snmp default forward-to-switch default email default nx9500-6C8809(config-event-system-policy-test)#event database operation-failed syslog default snmp default forward-to-switch default email default Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 223 GLOBAL CONFIGURATION COMMANDS nx9500-6C8809(config-event-system-policy-test)#show context include-factory |

grep operation-failed event database operation-failed syslog default snmp default forward-to-switch default email default nx9500-6C8809(config-event-system-policy-test)#

Related Commands no Resets or disables event monitoring Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 224 GLOBAL CONFIGURATION COMMANDS 4.1.46.2.2 no event-system-policy-mode commands Negates an event monitoring configuration Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no event <EVENT-TYPE> <EVENT-NAME> [email|forward-to-switch|snmp|syslog]

[default|on|off]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes event monitoring and message forwarding activity based on the parameters passed The system stops network monitoring for the occurrence of the specified event and no notification is sent if the event occurs. Example rfs4000-229D58(config-event-system-policy-TestPolicy)#event ap adopted syslog default rfs4000-229D58(config-event-system-policy-TestPolicy)#no event ap adopted syslog Related Commands event Configures the action taken for each event Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 225 GLOBAL CONFIGURATION COMMANDS 4.1.47 ex3500 GLOBAL CONFIGURATION COMMANDS The following table lists EX3500 time-range configuration mode commands. It also provides links to other EX3500 related configuration modes:

Command ex3500 ex3500-time-

range-config-

mode commands ex3500-

management-

policy ex3500-qos-class-

map-policy ex3500-qos-

policy-map ex3524 ex3548 Table 4.26 EX3500-Time-Range-List Config Command Description Reference Creates an EX3500 time range list and enters its configuration mode page 4-227 page 4-228 Summarizes EX3500 time range list configuration mode commands Creates an EX3500 management policy and enters its configuration mode page 4-233 Creates an EX3500 QoS class map policy and enters its configuration mode Creates an EX3500 QoS policy map and enters its configuration mode Adds a EX3524 switch to the network Adds a EX3548 switch to the network page 4-254 page 4-262 page 4-277 page 4-279 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 226 GLOBAL CONFIGURATION COMMANDS 4.1.47.1 ex3500 ex3500 Creates an EX3500 time range list and enters its configuration mode An EX3500 time range list consists of a set of periodic and absolute time range rules. Periodic time ranges recur periodically at specified time periods, such as daily, weekly, weekends, weekdays, and on specific week days, for example on every successive Mondays. Absolute time ranges are not periodic and do not recur. They consist of a range of days during a particular time period (the starting and ending days and time are fixed). The EX3500 series switch is a Gigabit Ethernet layer 2 switch with either 24 or 48 10/100/1000-BASE-T ports, and four Small Form Factor Pluggable (SFP) transceiver slots for fiber connectivity. The EX3500 series switch can adopt to a WiNG NOC controller and be managed by it. The EX3500 time range values configured here are used in EX3500 MAC ACL firewall rules that filter an EX3500s incoming and outgoing traffic. For more information on creating EX3500 MAC ACL rules, see ex3500 and access-group. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax ex3500 time-range <TIME-RANGE-NAME>

Parameters ex3500 time-range <TIME-RANGE-NAME>

ex3500 time-range

<TIME-RANGE-

NAME>

Configures EX3500 time range list and enters its configuration mode

<TIME-RANGE-NAME> Enter a name for this EX3500 time range. If the time range does not exist, it is created. Example nx9500-6C8809(config)#ex3500 time-range EX3500_TimeRange_02 nx9500-6C8809(config-ex3500-time-range-EX3500_TimeRange_02)#?

EX3500 Time Range Configuration commands:

absolute Absolute time and date no Negate a command or set its defaults periodic Periodic time and date clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-ex3500-time-range-EX3500_TimeRange_02)#

Related Commands no Removes this EX3500 time range list Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 227 GLOBAL CONFIGURATION COMMANDS 4.1.47.2 ex3500-time-range-config-mode commands ex3500 The following table summarizes EX3500 time-range configuration mode commands:

Table 4.27 EX3500-Time-Range-Mode Commands Command absolute periodic no Description Configures an absolute time range rule for this EX3500 time range list Configures a periodic time range rule for this EX3500 time range list Removes this EX3500 time range list settings Reference page 4-229 page 4-230 page 4-232 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 228 GLOBAL CONFIGURATION COMMANDS 4.1.47.2.1 absolute ex3500-time-range-config-mode commands Configures an absolute time range rule for this EX3500 time range list Absolute time ranges are not periodic and do not recur. They consist of a range of days during a particular time period. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax absolute start <0-23> <0-59> <1-31> <MONTH> <2013-2037> {end <0-23> <0-59> <1-31>

<MONTH> <2013-2037>}

Parameters absolute start <0-23> <0-59> <1-31> <MONTH> <2013-2037> {end <0-23> <0-59> <1-31>

<MONTH> <2013-2037>}

absolute start <0-23> <0-59>

<1-31> <MONTH>

<2013-2037>

Configures an absolute time range rule settings Configures the start day and time settings

<0-23> Specify the start time from 0 - 23 hours.

<0-59> Specify the start time from 0 - 59 minutes. For example, if the values provided are 12 hours and 30 minutes, the start time is 12:30 A.M on the specified day.

<1-31> Specify the day of month from 1 - 31 when the time range starts.

<MONTH> Specify the month. The options are: April, August, December, February, January, July, June, March, May, November, October, September.

<2013-2037> Specify the year from 2013 - 2037. end <0-23> <0-59>

<1-31> <MONTH>

<2013-2037>

Optional. Configures the end day and time settings

<0-23> Specify the end time from 0 - 23 hours.

<0-59> Specify the end time from 0 - 59 minutes.

<1-31> Specify the day of month from 1 - 31 when the time range ends.

<MONTH> Specify the month. The options are: April, August, December, February, January, July, June, March, May, November, October, September.

<2013-2037> Specify the year from 2013 - 2037. Example nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#absolute start 1 0 1 june 2017 end 1 0 30 june 2018 nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context ex3500 time-range EX3500-TimeRange-01 absolute start 1 0 1 june 2017 end 1 0 30 june 2018 nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#

Related Commands no Removes this absolute time range rule from the EX3500 time range list Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 229 GLOBAL CONFIGURATION COMMANDS 4.1.47.2.2 periodic ex3500-time-range-config-mode commands Configures a periodic time range rule for this EX3500 time range list Periodic time ranges are configured to recur based on periodicity such as daily, weekly, weekends, weekdays, and on specific week days, such as on every successive Sunday. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|

weekdays|weekend] <0-23> <0-59> to [<023> <0-59>|daily|friday|monday|saturday|

sunday|thursday|tuesday|wednesday|weekdays|weekend] <0-23> <0-59> rule-precedence

<1-7>

Parameters periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|

weekdays|weekend] <0-23> <0-59> to [<023> <0-59>|daily|friday|monday|saturday|

sunday|thursday|tuesday|wednesday|weekdays|weekend] <0-23> <0-59> rule-precedence

<1-7>

periodic

[daily|friday|monday|

saturday|sunday|

thursday|tuesday|

wednesday|

weekdays|

weekend]

<0-23> <0-59>

to

[<023> <0-59>|daily|

friday|monday|

saturday|sunday|

thursday|tuesday|

wednesday|

weekdays|weekend]

Configures this periodic time ranges start day. The options are:

daily Friday Monday Saturday Sunday Thursday Tuesday Wednesday weekdays weekend After specifying the start day, specify the start time in hours (24 hours format) and minutes

<0-23> Specify the start time from 0 - 23 hours.

<0-59> Specify the start time from 0 - 59 minutes. For example, if the values provided are 12 hours and 30 minutes, the start time is 12:30 A.M on the specified day. Configures this periodic time ranges end day. This is the day when the time range ends. The options available changes depending on the start day configured. The options are:

<0-23> <0-59> Select this option to end the time range on the same day as it starts. Specify the end hour from 0 - 23 hours and the minutes from 0 - 59 minutes. daily Select this option if the time range starts and ends every day at a specified time friday Select this option if the time range ends on Fridays Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 230 GLOBAL CONFIGURATION COMMANDS monday Select this option if the time range ends on Mondays saturday Select this option if the time range ends on Saturdays sunday Select this option if the time range ends on Sundays thursday Select this option if the time range ends on Thursdays tuesday Select this option if the time range ends on Tuesdays wednesday Select this option if the time range ends on Wednesdays weekdays Select this option if the time range ends on Weekdays weekend Select this option if the time range ends on Weekends If the time range does not end on the same day, select the end day, and then specify the end time, or else just specify the end time. After specifying the end day, specify the end time in hours (in 24 hours format) and minutes

<0-23> Specify the end time from 0 - 23 hours.

<0-59> Specify the end minute from 0 - 59 minutes. In case of time ranges starting and ending on the same day, ensure that the end time

(hours and minutes) is not lower than the specified start time. Configures a precedence value for this periodic time range rule. Rules with lower precedence have higher priority and are applied first.

<1-7> Specify a precedence value from 1 - 7.

<0-23> <0-59>

rule-precedence

<1-7>

Example nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#periodic daily 1 10 to daily 23 10 rule-precedence 1 nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context ex3500 time-range EX3500-TimeRange-01 periodic daily 1 10 to daily 23 10 rule-precedence 1 absolute start 1 0 1 june 2017 end 1 0 30 june 2018 nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#

Related Commands no Removes this periodic time range rule from the EX3500 time range list Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 231 GLOBAL CONFIGURATION COMMANDS 4.1.47.2.3 no ex3500-time-range-config-mode commands Removes this EX3500 time range list settings Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax no [absolute|periodic]

no absolute no periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|

weekdays|weekend] <0-23> <0-59> to [<0-23> <0-59>|daily|friday|monday|saturday|

sunday|thursday|tuesday|wednesday|weekdays|weekend]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes this EX3500 time range list settings based on the parameters passed Example nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context ex3500 time-range EX3500-TimeRange-01 periodic daily 1 10 to daily 23 10 rule-precedence 1 absolute start 1 0 1 june 2015 end 1 0 30 june 2016 nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#

nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#no periodic daily 1 10 to daily 23 10 rule-precedence 1 nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context ex3500 time-range EX3500-TimeRange-01 absolute start 1 0 1 june 2015 end 1 0 30 june 2016 nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 232 GLOBAL CONFIGURATION COMMANDS 4.1.48 ex3500-management-policy Global Configuration Commands The following table lists EX3500 management policy configuration mode commands:

Table 4.28 EX3500-Management-Policy Config Command Command ex3500-

management-

policy ex3500-

management-

policy config commands ex3500 ex3500-qos-class-

map-policy ex3500-qos-

policy-map ex3524 ex3548 Description Creates an EX3500 management policy and enters its configuration mode Reference page 4-234 Summarizes EX3500 management policy configuration mode commands page 4-236 Creates an EX3500 time range list and enters its configuration mode page 4-226 page 4-254 Creates an EX3500 QoS class map policy and enters its configuration mode Creates an EX3500 QoS policy map and enters its configuration mode Adds a EX3524 switch to the network Adds a EX3548 switch to the network page 4-277 page 4-279 page 4-262 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 233 GLOBAL CONFIGURATION COMMANDS 4.1.48.1 ex3500-management-policy ex3500-management-policy Creates an EX3500 management policy and enters its configuration mode. Once configured and applied on a EX3500 switch, the management policy controls access to the switch from management stations using SNMP. The EX3500 management policy is either applied:

Individually on an adopted EX3500 series switch (in the device configuration mode), or To a EX3524 and/or EX3548 profile, which is then applied to an adopted EX3500 series switch. EX3500 devices (EX3524 and EX3548) are layer 2 Gigabit Ethernet switches with either 24 or 48 10/100/

1000-BASE-T ports, and four SFP transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX3500 switch has an SNMP-

based management agent that provides both in-band and out-of-band management access. The EX3500 switch utilizes an embedded HTTP Web agent and CLI, which in spite of being different from that of the WiNG operating system provides WiNG controllers PoE and port management resources. Going forward NX9500 and NX7500 WiNG managed series service platforms and WiNG VMs can discover, adopt, and partially manage EX3500 series Ethernet switches without modifying the proprietary operating system running the EX3500 switches. The WiNG service platforms utilize standardized WiNG interfaces to push configuration files to the EX3500 switches, and maintain a translation layer, understood by the EX3500 switch, for statistics retrieval. WiNG can partially manage an EX3500 without using DHCP option 193, provided the EX3500 is directly configured to specify the IPv4 addresses of potential WiNG adopters. To identify the potential WiNG adopter, in the EX3500s device configuration mode specify the adopters IPv4 address using the controller

> host > <IP-ADDRESS> command. WiNG service platforms leave the proprietary operating system running the EX3500 switches unmodified, and partially manage them utilizing standardized WiNG interfaces. WiNG service platforms use a translation layer to communicate with the EX3500. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax ex3500-management-policy <POLICY-NAME>

Parameters ex3500-management-policy <POLICY-NAME>

<POLICY-NAME>

Specify the EX3500 management policy name. If the policy does not exist, it is created. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 234 GLOBAL CONFIGURATION COMMANDS Example nx9500-6C8809(config)#ex3500-management-policy test nx9500-6C8809(config-ex3500-management-policy-test)#?

EX3500_Management Mode commands:

enable Modifies enable password parameters http Hyper Text Terminal Protocol (HTTP) memory Memory utilization no Negate a command or set its defaults process-cpu Process-cpu utilization snmp-server Enable SNMP server configuration ssh Secure Shell server connections username Login TACACS server port clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands no Removes this EX3500 management policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 235 GLOBAL CONFIGURATION COMMANDS 4.1.48.2 ex3500-management-policy config commands ex3500-management-policy The following table summarizes EX3500 management policy configuration mode commands:

Table 4.29 EX3500-Management-Policy Config Mode Commands Command enable http memory process-cpu snmp-server ssh username no Description Configures an executive password for this EX3500 management policy Configures the HTTP server settings used to authenticate HTTP connection to a EX3500 switch Configures the EX3500s memory utilization rising (upper) and falling

(lower) threshold values Configures the EX3500s CPU (processor) utilization rising (upper) and falling (lower) threshold values Configures Simple Network Management Protocol (SNMP) server settings. Once configured and applied on a EX3500 switch, the management policy controls access to the switch from management stations using SNMP. Configures the SSH server settings used to authenticate Secure Shell (SSH) connection to a EX3500 switch Configures a EX3500 switch user settings Removes or reverts this EX3500 management policy settings Reference page 4-237 page 4-239 page 4-240 page 4-241 page 4-242 page 4-249 page 4-251 page 4-252 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 236 GLOBAL CONFIGURATION COMMANDS 4.1.48.2.1 enable ex3500-management-policy config commands Configures an executive password for this EX3500 management policy Each EX3500 management policy can have a unique executive password with its own privilege level assigned. Utilize these passwords as specific EX3500 management sessions require priority over others. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax enable password [0|7|level]

enable password [0|7] <PASSWORD>

enable password level <0-15> [0 <PASSWORD>|7 <PASSWORD>]

Parameters enable password [0|7] <PASSWORD>

enable password

[0|7] <PASSWORD>

Creates a new executive password for this EX3500 management policy. The password could be in clear text or encrypted 0 Configures a clear text password using ASCII characters (should be 1 - 32 characters long) 7 Configures an encrypted password using HEX characters (should be 32 characters long)

<PASSWORD> Specify the password. enable password level <0-15> [0 <PASSWORD>|7 <PASSWORD>]

enable password level <0-15>

Creates a new executive password for this EX3500 management policy and sets its privilege level

<0-15> Specify the privilege level for this executive password from 0 - 15. Lower values have higher priority, to slot and prioritize executive passwords and EX3500 management sessions.

[0|7] <PASSWORD> After setting the privilege level, configure the password, which could be in clear text or encrypted 0 Configures a clear text password using ASCII characters (should be 1 - 32 characters long) 7 Configures an encrypted password using HEX characters (should be 32 characters long)

<PASSWORD> Specify the password. Example nx9500-6C8809(config-ex3500-management-policy-test)#enable password level 3 7 12345678901020304050607080929291 nx9500-6C8809(config-ex3500-management-policy-test)#show context ex3500-management-policy test enable password level 3 7 12345678901020304050607080929291 snmp-server notify-filter 1 remote 127.0.0.1 nx9500-6C8809(config-ex3500-management-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 237 GLOBAL CONFIGURATION COMMANDS Related Commands no Removes a executive password from this EX3500 management policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 238 GLOBAL CONFIGURATION COMMANDS 4.1.48.2.2 http ex3500-management-policy config commands Configures the HTTP server settings used to authenticate HTTP connection to a EX3500 switch Management access to an EX3500 switch can be enabled/disabled as required using separate interfaces and protocols (HTTP, SSH). Disabling un-used and insecure interfaces and unused management services can dramatically reduce an attack footprint and free resources within an EX3500 management policy. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax http [port <1-65535>|secure-port <1-65535>|secure-server|server]

Parameters http [port <1-65535>|secure-port <1-65535>|secure-server|server]

http port <1-65535>

secure-port

<1-65535>

secure-server server Configures following HTTP settings: port, secure-port, secure-server, and server Configures the HTTP port number. This is the port used to connect to the HTTP server.

<1-65535> Specify a value from 1 - 65535. The default port is 80. Enables secure HTTP connection over a designated secure port. Ensure that the HTTP secure server is enabled before specifying the secure-server port.

<1-65535> Specify the secure HTTP server port from 1 - 65535. The default port is 443. Enables HTTP secure server. This option is disabled by default. Enables HTTP server. This option is enabled by default. Consequently, HTTP management access is allowed by default. Example nx9500-6C8809(config-ex3500-management-policy-test)#http secure-server nx9500-6C8809(config-ex3500-management-policy-test)#show context ex3500-management-policy test http secure-server enable password level 3 7 12345678901020304050607080929291 snmp-server notify-filter 1 remote 127.0.0.1 nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands no Reverts to default HTTP server settings (HTTP server enabled, HTTP port 80) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 239 GLOBAL CONFIGURATION COMMANDS 4.1.48.2.3 memory ex3500-management-policy config commands Configures the EX3500s memory utilization rising (upper) and falling (lower) threshold values. Once configured, the system sends a notification when the memory utilization exceeds the specified rising limit or falls below the specified falling limit. By customizing an EX3500s memory and CPU utilizations upper and lower thresholds, you can avoid over utilization of the EX3500s processor capacity when sharing network resources with an NX series service platform or a WiNG VM. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax memory [falling-threshold|rising-threshold] <1-100>

Parameters memory [falling-threshold|rising-threshold] <1-100>

memory falling-threshold

<1-100>

rising-threshold

<1-100>

Configures the EX3500s memory utilization rising and falling threshold values. The system generates a notification when either of these limits is exceeded. Configures the falling threshold for the EX3500 memory utilization

<1-100> Specify the falling threshold as a percentage from 1 - 100. The default is 70%. Configures the rising threshold for the EX3500s memory utilization

<1-100> Specify the rising threshold as a percentage from 1 - 100. The default is 90%. Example nx9500-6C8809(config-ex3500-management-policy-test)#memory falling-threshold 50 nx9500-6C8809(config-ex3500-management-policy-test)#memory rising-threshold 95 nx9500-6C8809(config-ex3500-management-policy-test)#show context ex3500-management-policy test http secure-server enable password level 3 7 12345678901020304050607080929291 snmp-server notify-filter 1 remote 127.0.0.1 memory falling-threshold 50 memory rising-threshold 95 nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands no Reverts the memory utilization's falling-threshold and/or rising threshold to 70% and 90% respectively Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 240 GLOBAL CONFIGURATION COMMANDS 4.1.48.2.4 process-cpu ex3500-management-policy config commands Configures the EX3500s CPU (processor) utilization rising (upper) and falling (lower) threshold values. Once configured, the system sends a notification when the CPU utilization exceeds the specified rising limit or falls below the specified falling limit. By customizing an EX3500s memory and CPU utilizations upper and lower thresholds, you can avoid over utilization of the EX3500s processor capacity when sharing network resources with an NX series service platform or a WiNG VM. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax process-cpu [falling-threshold|rising-threshold] <1-100>

Parameters process-cpu [falling-threshold|rising-threshold] <1-100>

process-cpu falling-threshold

<1-100>

rising-threshold

<1-100>

Configures the EX3500s CPU utilization rising and falling threshold values. The system generates a notification when either of these limits is exceeded. Configures the falling threshold for the EX3500s CPU utilization

<1-100> Specify the falling threshold as a percentage from 1 - 100. The default is 70%. Configures the rising threshold for the EX3500s CPU utilization

<1-100> Specify the rising threshold as a percentage from 1 - 100. The default is 90%. Example nx9500-6C8809(config-ex3500-management-policy-test)#process-cpu falling-threshold 60 nx9500-6C8809(config-ex3500-management-policy-test)#process-cpu rising-threshold 80 nx9500-6C8809(config-ex3500-management-policy-test)#show context ex3500-management-policy test http secure-server enable password level 3 7 12345678901020304050607080929291 snmp-server notify-filter 1 remote 127.0.0.1 memory falling-threshold 50 memory rising-threshold 95 process-cpu falling-threshold 60 process-cpu rising-threshold 80 nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands no Reverts the CPU utilization's falling-threshold and/or rising threshold to 70% and 90%

respectively Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 241 GLOBAL CONFIGURATION COMMANDS 4.1.48.2.5 snmp-server ex3500-management-policy config commands Configures Simple Network Management Protocol (SNMP) server settings. Once configured and applied on a EX3500 switch, the management policy controls access to the switch from management stations using SNMP. SNMP is an application layer protocol that facilitates the exchange of management information between the management stations and a managed EX3500 switch. SNMP-enabled devices listen on port 162 (by default) for SNMP packets from the management server. SNMP uses read-only and read-write community strings as an authentication mechanism to monitor and configure supported devices. The read-only community string is used to gather statistics and configuration parameters from a supported wireless device. The read-write community string is used by a management server to set device parameters. SNMP is generally used to monitor a system's performance and other parameters. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax snmp-server {community|contact|enable|engine-id|group|host|location|notify-

filter|user|view}

snmp-server {community <STRING> {ro|rw}}

snmp-server {contact <NAME>}

snmp-server {enable traps {authentication|link-up-down}}

snmp-server {engine-id [local <WORD>|remote <IP> <WORD>]}

snmp-server {group <GROUP-NAME> [v1|v2c|v3 [auth|noauth|priv]] {notify <WORD>|

read <WORD>|write <WORD>}}

snmp-server {host <IP> [<STRING>|inform]}

snmp-server {host <IP> <STRING> version [v1|v2c|v3 [auth|noauth|priv]] {udp-port

<1-65535>}}

snmp-server {host <IP> inform [retry <0-255>|timeout <0-2147483647>] <STRING>

version [v2c|v3 [auth|noauth|priv]] {udp-port <1-65535>}}

snmp-server {location <WORD>}

snmp-server {notify-filter <WORD> remote <IP>}

snmp-server {user <USER-NAME> <GROUP-NAME> [remote-host|v1|v2c|v3]}

snmp-server {user <USER-NAME> <GROUP-NAME> remote-host <IP> v3 [auth|encrypted auth] [md5|sha] <WORD> {priv [3des|aes128|aes192|aes256|des56] <WORD>}}

snmp-server {user <USER-NAME> <GROUP-NAME> [v1|v2c|v3]}

snmp-server {view <VIEW-NAME> <OID-TREE-STRING> [excluded|included]}

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 242 GLOBAL CONFIGURATION COMMANDS Parameters snmp-server {community <STRING> {ro|rw}}

snmp-server community

<STRING> {ro|rw}

Configures SNMP-server related settings community Optional. Configures an SNMP community access string used to authorize management access by clients using SNMP v1, v2c, or v3

<STRING> Specify the SNMP community access string (should not exceed 32 char-

acters). After specifying the string, optionally specify the access type associated with it. ro Optional. Provides read-only access with this SNMP community string. Allows authorized clients to only retrieve Management Information Base (MIB) objects. This is the default setting. rw Optional. Provides read-write access with this SNMP community string. Allows authorized clients to retrieve as well as modify MIB objects. You can configure a maximum of five (5) community strings per EX3500 management policy. snmp-server {contact <NAME>}

snmp-server contact

<NAME>

Configures SNMP-server related settings contact Optional. Configures the systems contact information

<NAME> Specify the contact persons name (should not exceed 255 characters). snmp-server {enable traps {authentication|link-up-down}}

snmp-server enable traps

{authentication|

link-up-down}

Configures SNMP-server related settings enable traps Optional. Enables the EX3500 switch to send following SNMP traps or notifications:

authentication Optional. Enables SNMP authentication trap. This option is disabled by default. link-up-down Optional. Enables SNMP link up and link down traps. This option is disabled by default. If the command is executed without either of the above mentioned trap options, the system enables both authentication and link-up-down traps. If enabling SNMP traps, use the snmp-server > host command to specify the host(s) receiving the SNMP notifications. snmp-server {engine-id [local <WORD>|remote <IP> <WORD>]}

snmp-server engine-id

[local <WORD>|

remote <IP>

<WORD>]

Configures SNMP-server related settings engine-id Optional. Configures an identification string for the SNMPv3 engine. The SNMP engine is an independent SNMP agent residing either on the logged switch or on a remote device. It prevents message replay, delay, and redirection. In SNMPv3, the engine ID in combination with user passwords generates the security keys that is used for SNMPv3 packet authentication and encryption. local Configures the SNMP engine on the logged switch

<WORD> Specify the hexadecimal engine ID string identifying the SNMP engine

(should be 9 - 64 characters in length). Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 243 GLOBAL CONFIGURATION COMMANDS remote <IP> <WORD> Configures a remote device as the SNMP engine

<IP> Specify the remote devices IP address.

<WORD> Specify the hexadecimal engine ID string identifying the SNMP engine (should be 9 - 64 characters in length). Configure the remote engine ID when using SNMPv3 informs. The remote ID configured here is used to generate the security digest for authentication and encryption of packets exchanged between the switch and the and the remote host user. SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agents SNMP engine ID before you can send proxy requests or informs to it. snmp-server {group <GROUP-NAME> [v1|v2c|v3 [auth|noauth|priv]] {notify <WORD>|

read <WORD>|write <WORD>}}

snmp-server group

<GROUP-NAME>

Configures SNMP-server related settings group Optional. Configures an SNMP user group, mapping SNMP users to SNMP

[v1|v2c|v3

[auth|noauth|priv]]

views

<GROUP-NAME> Specify the SNMP group name (should not exceed 32 charac-

ters). Configures the SNMP version used for authentication by this user group v1 Configures the SNMP version as v1. v2c Configures SNMP version as v2c v3 Configures the SNMP version as v3. If using SNMP v3, specify the authentication and encryption levels. auth Uses SNMP v3 with authentication and no privacy noauth Uses SNMP v3 with no authentication and no privacy priv Uses SNMP v3 with authentication and privacy Optional. Configures the notification view string

<WORD> Specify the string (should not exceed 32 characters). Optional. Configures the read view string

<WORD> Specify the string (should not exceed 32 characters). Optional. Configures the write view string

<WORD> Specify the string (should not exceed 32 characters). notify <WORD>

read <WORD>

write <WORD>

snmp-server {host <IP> <STRING> version [v1|v2c|v3 [auth|noauth|priv]] {udp-port

<1-65535>}}

snmp-server host

<IP>

Configures SNMP-server related settings host Optional. Configures the host(s) receiving the SNMP notifications. At least one SNMP server host should be configured in order to configure the switch to send notifications

<IP> Specify the SNMP hosts IP address. You can configure a maximum of five (5) SNMP trap recipients per EX3500 management policy. Ensure that SNMP trap notification is enabled. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 244 GLOBAL CONFIGURATION COMMANDS

<STRING>

Configures the SNMP community string. You can configure the SNMP community string here, or else use the string configured using the snmp-server > community

<STRING> > {ro|rw} command. It is recommended that you configure the SNMP community string prior to configuring the SNMP host.

<STRING> Specify the community string. The string configured here is sent in the SNMP traps to the SNMPv1 or SNMPv2c hosts. version

[v1|v2c|

v3 [auth|noauth|

priv]]

Configures the SNMP version used v1 Configures the SNMP version as 1. This is the default setting. v2c Configures SNMP version as 2c v3 Configures the SNMP version as 3. If using SNMPv3, specify the authentication and encryption levels. auth Uses SNMP v3 with authentication and no privacy noauth Uses SNMP v3 with no authentication and no privacy priv Uses SNMP v3 with authentication and privacy udp-port <1-65535> Optional. After specifying the SNMP version, optionally specify the host UDP port

<1-65535> Specify the UDP port. The default is 162. snmp-server {host <IP> inform [retry <0-255>|timeout <0-2147483647>] <STRING>

version [v2c|v3 [auth|noauth|priv]] {udp-port <1-65535>}}

snmp-server host

<IP>

Configures SNMP-server related settings host Optional. Configures the host(s) receiving the SNMP notifications

<IP> Specify the SNMP hosts IP address. inform

[retry <0-255>|

timeout

<0-2147483647>]

<STRING>

You can configure a maximum of five (5) SNMP trap recipients per EX3500 management policy. Ensure that SNMP trap notification is enabled. Enables sending of SNMP notifications as inform messages, and configures inform message settings. retry <0-255> Configures the maximum number attempts made to re-send an inform message in case the specified SNMP host does not acknowledge receipt.

<0-255> Specify a value from 0 - 255. The default is 3. timeout <0-2147483647> Configures the interval, in seconds, to wait for an acknowledgment from the SNMP host before re-sending an inform message

<0-2147483647> Specify a value from 0 - 2147483647 seconds. The default is 1500 seconds. Inform messages are more reliable than trap messages since they include a request for acknowledgement of receipt. Using inform messages to communicate critical information would be good practice. However, since inform messages are retained in the memory until a response is received, they consume more memory and may also result in traffic congestion. Take into considerations these facts when configuring the notification format. Configures the SNMP community string. You can configure the SNMP community string here, or else use the string configured using the snmp-server > community

<STRING> > {ro|rw} command. It is recommended that you configure the SNMP community string prior to configuring the SNMP host.

<STRING> Specify the community string. The string configured here is sent in the SNMP inform messages to the SNMPv2c or SNMPv3 hosts. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 245 GLOBAL CONFIGURATION COMMANDS version [v2c|

v3 [auth|noauth|

priv]]

Configures the SNMP version used v2c Configures the SNMP version as v2c v3 Configures the SNMP version as v3. If using SNMP v3, specify the authentication and encryption levels. auth Uses SNMP v3 with authentication and no privacy noauth Uses SNMP v3 with no authentication and no privacy priv Uses SNMP v3 with authentication and privacy SNMP inform messages are not supported on SNMP v1. udp-port <1-65535> Optional. After specifying the SNMP version, optionally specify the host UDP port

<1-65535> Specify the UDP port. The default is 162. snmp-server {location <WORD>}

snmp-server location

<WORD>

Configures SNMP-server related settings location Optional. Configures the EX3500s location string

<WORD> Specify the location (should not exceed 255 characters). snmp-server {notify-filter <WORD> remote <IP>}

snmp-server notify-filter <WORD>

Configures SNMP-server related settings notify-filter Optional. Modifies the SNMP servers notify filter remote <IP>

<WORD> Specify the SNMP notify-filter name. Optional. Configures the remote hosts IP address

<IP> Specify the IP address in the A.B.C.D format. snmp-server {user <USER-NAME> <GROUP-NAME> remote <IP> v3 {auth|encrypted auth}

[md5|sha] <WORD> {priv [3des|aes128|aes192|aes256|des56] <WORD>}}

snmp-server user

<USER-NAME>

<GROUP-NAME>

remote <IP> v3

{auth|encrypted auth}

[md5|sha] <WORD>

{priv [3des|aes128|

aes192|aes256|

des56] <WORD>}

Configures SNMP-server related settings user Optional. Configures the name of the SNMP user (connecting to the SNMP agent) and adds the user to an existing SNMP group. It also specifies the SNMP version type used. In case of SNMP version 3, this command also configures the remote hosts IP address and the authentication type used.

<USER-NAME> Specify the users name (should not exceed 32 characters).

<GROUP-NAME> Specify the SNMP group name to which this user is assigned. Configures the remote host on which the SNMPv3 engine is running

<IP> Specify the remote hosts IP address. This option is available only for SNMPv3 engine. After configuring the remote host, optionally configure the authentication type and the corresponding authentication password used. Optional. Configures authentication and encryption settings auth Specifies the authentication type used and configures the authentication password encrypted Enables encryption. When enabled all communications between the user and the SNMP engine are encrypted. After enabling encryption, specify the authentication type and configure the authentication password. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 246 GLOBAL CONFIGURATION COMMANDS The following parameters are common to the auth and encrypted keywords:

md5 Uses MD5 to authenticate the user sha Uses SHA to authenticate the user The following parameter is common to the md5 and sha keywords:

<WORD> Specify the authentication password. If the encrypted option is not being used, enter an 8 - 40 characters ASCII password. Whereas, in case of an encrypted password enter a HEX characters password of 32 characters. priv Optional. Uses SNMPv3 with privacy. Select one of the privacy options: des, aes128, aes192, aes256, des56

<WORD> Configures the privacy password. If the encrypted option is not being used, enter an 8 - 40 characters long ASCII password. Whereas, the encrypted pass-

word should be 32 HEX characters. snmp-server {user <USER-NAME> <GROUP-NAME> [v1|v2c|v3]}

snmp-server user

<USER-NAME>

<GROUP-NAME>

[v1|v2c|v3]

Configures SNMP-server related settings user Optional. Configures the name of the SNMP user (connecting to the SNMP agent) and adds the user to an existing SNMP group. It also specifies the SNMP version type used. In case of SNMPv3, this command also configures the authentication type used and the enables encryption.

<USER-NAME> Specify the users name (should not exceed 32 characters).

<GROUP-NAME> Specify the SNMP group name to which this user is assigned.

[v1|v2c|v3] After specifying the group name, specify the SNMP version used. The options are SNMP version v1, SNMP version 2c, and SNMP version 3. If using SNMP version 3, optionally specify the authentication type and the corresponding authentication password used. Please see previous table for SNMPv3 authentication and encryption configuration details. snmp-server {view <VIEW-NAME> <OID-TREE-STRING> [excluded|included]}

snmp-server view

<VIEW-NAME>

Configures SNMP-server related settings view Optional. Creates an SNMP view. SNMP views are used to control user access to the MIB.

<VIEW-NAME> Provide a name for this SNMP view (should not exceed 32 charac-

ters).

<OID-TREE-STRING>

[excluded|included]

Configures the object identifier (OID) of a branch within the MIB tree excluded Specifies an excluded view included Specifies an included view Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 247 GLOBAL CONFIGURATION COMMANDS Example nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server enable traps nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170 nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server host 1.2.3.4 inform retry 2 test version 3 auth udp-port 180 nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server engine-id local 1234567890 nx9500-6C8809(config-ex3500-management-policy-test)#show context ex3500-management-policy test http secure-server enable password level 3 7 12345678901020304050607080929291 snmp-server enable traps authentication snmp-server notify-filter 3 remote 1.2.3.4 snmp-server notify-filter 1 remote 127.0.0.1 snmp-server notify-filter 2 remote 192.168.13.10 snmp-server host 1.2.3.4 inform timeout 1500 retry 2 test version 3 auth udp-port 180 snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170 snmp-server engine-id local 1234567890 memory falling-threshold 50 memory rising-threshold 95 process-cpu falling-threshold 60 process-cpu rising-threshold 80 nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands no Removes SNMP server related settings or reverts them to default Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 248 GLOBAL CONFIGURATION COMMANDS 4.1.48.2.6 ssh ex3500-management-policy config commands Configures the SSH server settings used to authenticate Secure Shell (SSH) connection to a EX3500 switch Management access to an EX3500 switch can be enabled/disabled as required using separate interfaces and protocols (HTTP, SSH). Disabling un-used and insecure interfaces and unused management services can dramatically reduce an attack footprint and free resources within an EX3500 management policy. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax ssh [authentication-retries <1-5>|server|server-key size <512-1024>|timeout <1-

120>]

Parameters ssh [authentication-retries <1-5>|server|server-key size <512-1024>|timeout <1-

120>]

ssh authentication-retries

<1-5>

server server-key size

<512-1024>

timeout <1-120>

Enables SSH management access to an EX3500 switch. This option is disabled by default. Use this command to configure SSH access settings. Configures the maximum number of retries made to connect to the SSH server resource

<1-5> Specify a value from 1 - 5. The default setting is 3. Enables SSH server connection Configures the SSH server key size

<512-1024> Specify the SSH server key from 512 - 1,024. The default length is 768. Configures the SSH server resource inactivity timeout value in seconds. When the specified time is exceeded, the SSH server resource becomes unreachable and must be re-authenticated.

<1-120> Specify a value from 1 120 seconds. The default is 120 seconds. Example nx9500-6C8809(config-ex3500-management-policy-test)#ssh authentication-retries 4 nx9500-6C8809(config-ex3500-management-policy-test)#ssh timeout 90 nx9500-6C8809(config-ex3500-management-policy-test)#ssh server-key size 600 nx9500-6C8809(config-ex3500-management-policy-test)#ssh server nx9500-6C8809(config-ex3500-management-policy-test)#show context ex3500-management-policy test ssh server ssh authentication-retries 4 ssh timeout 90 ssh server-key size 600 http secure-server enable password level 3 7 12345678901020304050607080929291 snmp-server enable traps authentication

--More--

nx9500-6C8809(config-ex3500-management-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 249 GLOBAL CONFIGURATION COMMANDS Related Commands no Disables SSH management access to an EX3500 switch Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 250 GLOBAL CONFIGURATION COMMANDS 4.1.48.2.7 username ex3500-management-policy config commands Configures a EX3500 switch user settings The EX3500 switch user details are stored in a local database on the NX9500, NX7500, or WiNG VM. You can configure multiple users, each having a unique name, access level, and password. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax username <USER-NAME> [access-level <0-15>|nopassword|password [0|7] <PASSWORD>]

Parameters username <USER-NAME> [access-level <0-15>|nopassword|password [0|7] <PASSWORD>]

username

<USER-NAME>

access-level <0-15>

nopassword password [0|7]

<PASSWORD>

Configures the TACACS server port username

<USER-NAME> Specify the user name (should not exceed 32 characters) Configures the access level for this user. This value determines the access priority of each user requesting access and interoperability with EX3500 switch.

<0-15> Specify the access level from 0 - 15. The default is 0. Allows user to login without a password Configures the password for this user 0 Configures a plain text password 7 Configures an encrypted password (should be 32 characters in length)

<PASSWORD> Specify the password. Example nx9500-6C8809(config-ex3500-management-policy-test)#username user1 access-level 5 nx9500-6C8809(config-ex3500-management-policy-test)#username user1 password 0 user1@1234 nx9500-nx9500-6C8809(config-ex3500-management-policy-test)#show context ex3500-management-policy test ssh server ssh authentication-retries 4 ssh timeout 90 ssh server-key size 600 http secure-server enable password level 3 7 12345678901020304050607080929291 username user1 access-level 5 username user1 password 7 5c4786c1e52f913d38168ce89154a079 snmp-server enable traps authentication snmp-server notify-filter 3 remote 1.2.3.4 snmp-server notify-filter 1 remote 127.0.0.1

--More--

nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands no Removes this SNMP user settings Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 251 GLOBAL CONFIGURATION COMMANDS 4.1.48.2.8 no ex3500-management-policy config commands Removes or reverts this EX3500 management policy settings Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax no [enable|http|memory|process-cpu|snmp-server|ssh|username]

no enable password {level <0-15>}

no http [port|secure-port|secure-sever|server]

no memory [falling-threshold|rising-threshold]

no process-cpu [falling-threshold|rising-threshold]

no snmp-server {community|contact|enable|engine-id|group|host|location|notify-

filter|user|view}

no snmp-server {community <STRING>}

no snmp-server {contact}

no snmp-server {enable traps {authentication|link-up-down}}

no snmp-server {engine-id [local|remote <IP>]}

no snmp-server {group <GROUP-NAME> [v1|v2c|v3 [auth|noauth|priv]]}

no snmp-server {host <IP>}

no snmp-server {location}

no snmp-server {notify-filter <WORD> remote <IP>}

no snmp-server {user <USER-NAME> [v1|v2c|v3]}

no snmp-server {user <USER-NAME> <GROUP-NAME> remote-host <IP> v3}

no snmp-server {view <VIEW-NAME> {<OID-TREE-STRING>}}

no ssh [authentication-retries|server|server-key size <512-1024>|timeout]

no username Parameters no <PARAMETERS>

no <PARAMETERS>

Removes this EX3500 management policy settings based on the parameters passed Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 252 Example GLOBAL CONFIGURATION COMMANDS nx9500-6C8809(config-ex3500-management-policy-test)#show context ex3500-management-policy test ssh server ssh authentication-retries 4 ssh timeout 90 ssh server-key size 600 http secure-server enable password level 3 7 12345678901020304050607080929291 username user1 access-level 5 username user1 password 7 5c4786c1e52f913d38168ce89154a079 snmp-server enable traps authentication snmp-server notify-filter 3 remote 1.2.3.4 snmp-server notify-filter 1 remote 127.0.0.1 snmp-server notify-filter 2 remote 192.168.13.10 snmp-server host 1.2.3.4 inform timeout 1500 retry 2 test version 3 auth udp-port 180 snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170 snmp-server engine-id local 1234567890 memory falling-threshold 50 memory rising-threshold 95 process-cpu falling-threshold 60 process-cpu rising-threshold 80 nx9500-6C8809(config-ex3500-management-policy-test)#

nx9500-6C8809(config-ex3500-management-policy-test)#no http secure-server nx9500-6C8809(config-ex3500-management-policy-test)#no memory falling-threshold nx9500-6C8809(config-ex3500-management-policy-test)#no process-cpu rising-

threshold nx9500-6C8809(config-ex3500-management-policy-test)#no snmp-server notify-filter 3 remote 1.2.3.4 nx9500-6C8809(config-ex3500-management-policy-test)#show context ex3500-management-policy test ssh server ssh authentication-retries 4 ssh timeout 90 ssh server-key size 600 enable password level 3 7 12345678901020304050607080929291 username user1 access-level 5 username user1 password 7 5c4786c1e52f913d38168ce89154a079 snmp-server enable traps authentication snmp-server notify-filter 1 remote 127.0.0.1 snmp-server notify-filter 2 remote 192.168.13.10 snmp-server host 1.2.3.4 inform timeout 1500 retry 2 test version 3 auth udp-port 180 snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170 snmp-server engine-id local 1234567890 memory rising-threshold 95 process-cpu falling-threshold 60 nx9500-6C8809(config-ex3500-management-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 253 GLOBAL CONFIGURATION COMMANDS 4.1.49 ex3500-qos-class-map-policy Global Configuration Commands The following table lists EX3500 QoS class map policy configuration mode commands:

Table 4.30 EX3500-QoS-Class-Map Config Command Command ex3500-qos-class-

map-policy ex3500-qos-class-

map-policy config commands ex3500-qos-

policy-map ex3500 ex3500-

management-

policy ex3524 ex3548 Description Creates an EX3500 QoS class map policy and enters its configuration mode Summarizes EX3500 QoS class map policy configuration mode commands Reference page 4-255 page 4-256 Creates an EX3500 QoS policy map and enters its configuration mode Creates an EX3500 time range list and enters its configuration mode page 4-226 page 4-233 Creates an EX3500 management policy and enters its configuration mode page 4-262 Adds a EX3524 switch to the network Adds a EX3548 switch to the network page 4-277 page 4-279 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 254 GLOBAL CONFIGURATION COMMANDS 4.1.49.1 ex3500-qos-class-map-policy ex3500-qos-class-map-policy Creates a EX3500 Quality of Service (QoS) class map policy and enters its configuration mode A QoS class map policy contains a set of Differentiated Services (DiffServ) classification criteria that are used to classify incoming traffic into different category and provide differentiated service based on this classification. Each policy defines a set match criteria rules that use objects, such as access lists, IP precedence or DSCP values, and VLANs. When configured and applied, the policy classifies traffic based on layer 2, layer 3, or layer 4 information contained in each incoming packet. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax ex3500-qos-class-map-policy <POLICY-NAME>

Parameters ex3500-qos-class-map-policy <POLICY-NAME>

<POLICY-NAME>

Specify the EX3500 QoS class map policy name. If the policy does not exist, it is created. Example nx9500-6C8809(config)#ex3500-qos-class-map-policy dscp nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#?

EX3500_Qos_class_map Mode commands:

description Class-map description match Defines the match criteria to classify traffic no Negate a command or set its defaults rename Redefines the name of class-map clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#

Related Commands no Removes an existing EX3500 QoS class map policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 255 GLOBAL CONFIGURATION COMMANDS 4.1.49.2 ex3500-qos-class-map-policy config commands ex3500-qos-class-map-policy The following table summarizes EX3500 QoS class map policy configuration mode commands:

Table 4.31 EX3500-Management-Policy Commands Command description match rename no Description Configures a description for this EX3500 QoS class map policy Configures match criteria rules used to classify traffic Renames an existing EX3500 QoS class map object Removes this EX3500 QoS class map policys description and match criteria Reference page 4-257 page 4-258 page 4-260 page 4-261 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 256 GLOBAL CONFIGURATION COMMANDS 4.1.49.2.1 description ex3500-qos-class-map-policy config commands Configures this EX3500 QoS class map policys description Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax description <LINE>

Parameters description <LINE>

description <LINE>

Configures this EX3500 QoS class map policys description

<LINE> Enter a description that allows to you differentiate it from other policies with similar configuration (should not exceed 64 characters) Example nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#description "Matches packets marked for DSCP service 3"

nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context ex3500-qos-class-map-policy dscp description "Matches packets marked for DSCP service 3"

nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#

Related Commands no Removes this EX3500 QoS class map policys description Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 257 GLOBAL CONFIGURATION COMMANDS 4.1.49.2.2 match ex3500-qos-class-map-policy config commands Configures match criteria rules used to classify traffic Access lists, IP precedence, DSCP values, or VLANs are commonly used to classify traffic. Access lists select traffic based on layer 2, layer 3, or layer 4 information contained in each packet. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax match [access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl] <ACL-

NAME>|cos <0-7>|ip [dscp <0-63>|precedence <0-7>]|ipv6 dscp <0-63>|vlan <1-4094>]

Parameters match [access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl]

<ACL-NAME>|cos <0-7>|ip [dscp <0-63>|precedence <0-7>]|ipv6 dscp <0-63>|vlan <1-

4094>]

match access-list

[ex3500-ext-access-

list|

ex3500-std-access-

list|

mac-acl]

<ACL-NAME>

cos <0-7>

Configures the match criteria. The options are: access-list, cos, ip, ipv6, vlan Incoming packets matching the specified criteria are included in this QoS class map. Uses access lists to provide the match criteria. You can use any one the following ACL types to classify traffic:

ex3500-ext-access-list Uses an IPv4 EX3500 extended ACL ex3500-std-access-list Uses an IPv4 EX3500 standard ACL mac-acl Uses a MAC EX3500 ACL The following keyword is common to all of the above ACL types:

<ACL-NAME> Specify the ACL name (should be existing and configured). Configures the class of service (CoS) value used to apply user priority. CoS is a form of QoS applicable only to layer 2 Ethernet frames. It uses 3-bits (8 values) of the 802.1Q tag to differentiate and shape network traffic.

<0-7> Specify the CoS value from 0 - 7. Following are the 8 traffic classes based on the CoS value:

000 (0) - Routine 001 (1) - Priority 010 (2) - Immediate 011 (3) - Flash 100 (4) - Flash Override 101 (5) - Critical 110 (6) - Internetwork Control 111 (7) - Network Control Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 258 GLOBAL CONFIGURATION COMMANDS ip [dscp <0-63>|

precedence <0-7>]

Configures the IPv4 DSCP value to match and/or the IP precedence value to match.

<0-63> Specify the DSCP value from 0 - 63. Use this option to specify the type of service (ToS) field values included in the IP header. The ToS field exists between the header length and the total length fields. The DSCP constitutes the first 6 bits of the ToS field. precedence <0-7> Configures the IP precedence to match. Following are the 8 traffic classes based on the IP precedence values:

000 (0) - Routine 001 (1) - Priority 010 (2) - Immediate 011 (3) - Flash 100 (4) - Flash Override 101 (5) - Critical 110 (6) - Internetwork Control 111 (7) - Network Control ipv6 dscp <0-63>

vlan <1-4094>

Configures the IPv6 DSCP value to match

<0-63> Specify the DSCP value from 0 - 63. Configures the VLAN to match

<1-4094> Specify the VLAN ID. Usage Guidelines When configuring match entries, take into consideration the following points:

Deny rules included in an ACL (associated with a EX3500 QoS class map policy) are ignored whenever an incoming packet matches the ACL. A class map policy cannot include both IP ACL or IP precedence rule and a VLAN rule. A class map policy containing a MAC ACL or VLAN rule cannot include either an IP ACL or a IP precedence rule. A class map policy can include a maximum of 16 match entries. Example nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#match ip dscp 3 nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context ex3500-qos-class-map-policy dscp description "Matches packets marked for DSCP service 3"

match ip dscp 3 nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#

nx9500-6C8809(config-ex3500-qos-class-map-policy-test2)#match ip precedence 1 Related Commands no Removes match criteria rules configured for this EX3500 QoS class map policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 259 GLOBAL CONFIGURATION COMMANDS 4.1.49.2.3 rename ex3500-qos-class-map-policy config commands Renames an existing EX3500 QoS class map policy Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax rename <EX3500-QOS-CLASS-MAP-POLICY-NAME> <NEW-EX3500-QOS-CLASS-MAP-POLICY-NAME>

Parameters rename <EX3500-QOS-CLASS-MAP-POLICY-NAME> <NEW-EX3500-QOS-CLASS-MAP-POLICY-

NAME>

rename <EX3500-

QOS-CLASS-MAP-

POLICY-NAME>

<NEW-EX3500-

QOS-CLASS-MAP-

NAME>

Renames an existing EX3500 QoS class map

<EX3500-QOS-CLASS-MAP-POLICY-NAME> Enter the EX3500 QoS class maps current name.

<NEW-EX3500-QOS-CLASS-MAP-POLICY-NAME> Enter the new name. Example nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#rename [TAB]

dscp test test2 nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#

nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#rename test2 IP_Precedence nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#rename [TAB]

dscp IP_Precedence test nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 260 GLOBAL CONFIGURATION COMMANDS 4.1.49.2.4 no ex3500-qos-class-map-policy config commands Removes this EX3500 QoS class map policys description and match criteria Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax no [description|match]

no description no match [access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl]

<ACL-NAME>|cos <0-7>|ip [dscp <0-63>|precedence <0-7>]|ipv6 dscp <0-63>|vlan <1-

4094>]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes the EX3500 QoS class map policys settings based on the parameters passed Example The following example shows the EX3500 QoS class map policy test settings before the no command are executed:

nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context ex3500-qos-class-map-policy dscp description "Matches packets marked for DSCP service 3"

match ip dscp 3 nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#

nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#no description nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#no match ip dscp The following example shows the EX3500 QoS class map policy test settings after the no command are executed:

nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context ex3500-qos-class-map-policy test nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 261 GLOBAL CONFIGURATION COMMANDS 4.1.50 ex3500-qos-policy-map Global Configuration Commands The following table lists EX3500 QoS policy map configuration mode commands:

Table 4.32 EX3500-QoS-Policy-Map Config Command Command ex3500-qos-

policy-map ex3500-qos-

policy-map config commands Description Creates a EX3500 policy map and enters its configuration mode Reference page 4-263 Summarizes EX3500 QoS policy map configuration mode commands page 4-264 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 262 GLOBAL CONFIGURATION COMMANDS 4.1.50.1 ex3500-qos-policy-map ex3500-qos-policy-map Creates an EX3500 policy map and enters its configuration mode An EX3500 policy map contains one or more EX3500 QoS class maps traffic classifications (existing and configured) and can be attached to multiple interfaces. Creates an EX3500 policy map, and then use the class parameter to configure policies for traffic that matches the criteria defined in the EX3500 QoS class map policy. For more information, see match. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax ex3500-qos-policy-map <EX3500-QOS-POLICY-MAP-NAME>

Parameters ex3500-qos-policy-map <EX3500-QOS-POLICY-MAP-NAME>

<EX3500-QOS-POLICY-

MAP-NAME>

Specify the EX3500 policy maps name Example nx9500-6C8809(config)#ex3500-qos-policy-map testPolicyMap nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap)#?

EX3500_Qos_policy_map Mode commands:

class Defines a traffic classification for the policy description Policy-map description no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap)#

Related Commands no Removes an existing EX3500 QoS policy map Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 263 GLOBAL CONFIGURATION COMMANDS 4.1.50.2 ex3500-qos-policy-map config commands ex3500-qos-policy-map The following table summarizes EX3500 QoS policy map configuration mode commands:

Table 4.33 EX3500-QoS-Policy-Map Commands Command class description no Description Creates a policy map class and enters its configuration mode Configures this EX3500 QoS policy map's description Removes this EX3500 QoS policy map's settings. Use this keyword to remove or modify the description and to remove the QoS traffic classification created. Reference page 4-265 page 4-275 page 4-276 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 264 GLOBAL CONFIGURATION COMMANDS 4.1.50.2.1 class ex3500-qos-policy-map config commands Creates a policy map class and enters its configuration mode. The policy map class is a traffic classification upon which a policy can act. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax class <EX3500-QoS-CLASS-MAP-POLICY-NAME>

Parameters class <EX3500-QoS-CLASS-MAP-POLICY-NAME>

<EX3500-QoS-

CLASS-MAP-

POLICY-NAME>

Specify the EX3500 QoS class map policys name (should be existing and configured) Example nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap)#class dscp nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#?

commands:

no Negate a command or set its defaults police Defines a policer for classified traffic set Classify IP traffic clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#

Related Commands no ex3500-qos-policy-

map Removes this policy map class association EX3500 QoS policy map configuration mode commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 265 GLOBAL CONFIGURATION COMMANDS 4.1.50.2.2 ex3500-qos-policy-map-class-config commands class The following table summarizes the policy map class configuration mode commands Table 4.34 EX3500-Policy-Map-Class Config Command Command police set no Description Configures an enforcer for classified traffic Sets class of service (CoS) value, per-hop behavior (PHB) value, and IP DSCP value in matching packets Removes this traffic classifications settings Reference page 4-267 page 4-272 page 4-274 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 266 GLOBAL CONFIGURATION COMMANDS 4.1.50.2.3 police ex3500-qos-policy-map-class-config commands Configures an enforcer for classified traffic Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax police [flow|srtcm-color-aware|srtcm-color-blind|trtcm-color-aware|trtcm-color-

blind]

police flow <0-1000000> <0-16000000> conform-action transmit violate-action

[<0-63>|drop]

police [srtcm-color-aware|srtcm-color-blind] <0-1000000> <0-16000000>

<0-16000000> conform-action transmit exceed-action [<0-63>|drop] violate-action

[<0-63>|drop]

police [trtcm-color-aware|trtcm-color-blind] <0-1000000> <0-16000000>

<0-1000000> <0-16000000> conform-action transmit exceed-action [<0-63>|drop]

violate-action [<0-63>|drop]

Parameters police flow <0-1000000> <0-16000000> conform-action transmit violate-action [<0-

63>|drop]

police flow <0-1000000>

<0-16000000>

Configures an enforcer for classified traffic Configures an enforcer for classified traffic based on the metered flow rate

<0-1000000> Configures the committed information rate (CIR) from 0 -1000000 kilobits per second.

<0-16000000> Configures the committed burst size (BC) from 0 - 16000000 bytes. Policing is based on a token bucket, where bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the committed-burst field, and the average rate tokens are added to the bucket is specified by the committed-rate option. Note that the token bucket functions similar to that described in RFC 2697 and RFC 2698. The behavior of the meter is specified in terms of one token bucket (C), the rate at which the tokens are incremented CIR and the maximum size of the token bucket BC. The token bucket C is initially full, that is, the token count Tc(0) = BC. Thereafter, the token count Tc is updated CIR times per second as follows:

If Tc is less than BC, Tc is incremented by one, else Tc is not incremented. When a packet of size B bytes arrives at time t, the following happens:

If Tc(t)-B > OR = 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else The packet is red and Tc is not decremented. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 267 GLOBAL CONFIGURATION COMMANDS conform-action transmit violate-action

[<0-63>|drop]

Configures the action applied when packets fall within the specified CIR and BC limits transmit Transmits packets falling within the specified CIR and BC limits. This is subject to there being enough tokens to service the packet, in which case the packet is set green. Configures the action applied when packets violate the specified CIR and BC limits

<0-63> Applies a new DSCP value. Select the DSCP value from 0 - 63. drops Drops packets violating the specified CIR and BC limits police [srtcm-color-aware|srtcm-color-blind] <0-1000000> <0-16000000> <0-

16000000> conform-action transmit exceed-action [<0-63>|drop] violate-action [<0-

63>|drop]

police

[srtcm-color-aware|

srtcm-color-blind]

<0-1000000>

<0-16000000>

<0-16000000>

Configures an enforcer for classified traffic Configures an enforcer for classified traffic based on single rate three color meter

(srTCM) mode. The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE). srtcm-color-blind - Single rate three color meter in color-blind mode srtcm-color-aware - Single rate three color meter in color-aware mode The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.

<0-1000000> Configures the CIR from 0 -1000000 kilobits per second.

<0-16000000> Configures the BC from 0 - 1600000 bytes.

<0-16000000> Configures the BE from 0 - 1600000 bytes. The behavior of the meter is specified in terms of its mode and two token buckets, C and E, which both share the common rate CIR. The maximum size of the token bucket C is BC and the maximum size of the token bucket E is BE. The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token counts Tc and Te are updated CIR times per second as follows:

If Tc is less than BC, Tc is incremented by one, else If Te is less then BE, Te is incremented by one, else neither Tc nor Te is incremented. When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in color-blind mode:

If Tc(t)-B > OR = 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else if Te(t)-B > OR = 0, the packets is yellow and Te is decremented by B down to the minimum value of 0, else the packet is red and neither Tc nor Te is decremented. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 268 GLOBAL CONFIGURATION COMMANDS When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in color-aware mode:

If the packet has been pre-colored as green and Tc(t)-B ? 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else If the packet has been pre-colored as yellow or green and if Te(t)-B > OR = 0, the packets is yellow and Te is decremented by B down to the minimum value of 0, else the packet is red and neither Tc nor Te is decremented. The metering policy guarantees a deterministic behavior where the volume of green packets is never smaller than what has been determined by the CIR and BC, that is, tokens of a given color are always spent on packets of that color. Refer to RFC 2697 for more information on other aspects of srTCM. Configures the action applied when packet rates fall within the specified CIR and BC limits transmit Transmits packets falling within the specified CIR and BC limits Configures the action applied when packet rates exceed the specified CIR and BC limits

<0-63> Applies a new DSCP value. Select the DSCP value from 0 - 63. drops Drops packets exceeding the specified CIR and BC limits Configures the action applied when packet rates exceed the specified BE limit

<0-63> Applies a new DSCP value. Select the DSCP value from 0 - 63. drops Drops packets exceeding the specified BE limit conform-action transmit exceed-action

[<0-63>|drop]

violate-action

[<0-63>|drop]

police [trtcm-color-aware|trtcm-color-blind] <0-1000000> <0-16000000> <0-

1000000> <0-16000000> conform-action transmit exceed-action [<0-63>|drop] violate-

action [<0-63>|drop]

police

[trtcm-color-aware|

trtcm-color-blind]

<0-1000000>

<0-16000000>

<0-1000000>

<0-16000000>

Configures an enforcer for classified traffic Configures an enforcer for classified traffic based on a two rate three color meter

(trTCM) mode. The trTCM as defined in RFC 2698 meters a traffic stream and processes its packets based on two rates Committed Information Rate (CIR) and Peak Information Rate (PIR), and their associated burst sizes - Committed Burst Size

(BC) and Peak Burst Size (BP). trtcm-color-blind - Two rate three color meter in color-blind mode trtcm-color-aware - Two rate three color meter in color-aware mode

<0-1000000> Configures the CIR from 0 - 1000000 kilobits per second

<0-16000000> Configures the BC from 0 - 1600000 bytes.

<0-1000000> Configures the PIR from 0 - 1000000 kilobits per second

<0-16000000> Configures the BP from 0 - 1600000 bytes The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 269 GLOBAL CONFIGURATION COMMANDS The behavior of the meter is specified in terms of its mode and two token buckets, P and C, which are based on the rates PIR and CIR, respectively. The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC. The token buckets P and C are initially (at time 0) full, that is, the token count Tp(0) =

BP and the token count Tc(0) = BC. Thereafter, the token count Tp is incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC. When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-blind mode:

If Tp(t)-B < 0, the packet is red, else if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else The packet is green and both Tp and Tc are decremented by B. When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-aware mode:

If the packet has been pre-colored as red or if Tp(t)-B < 0, the packet is red, else if the packet has been pre-colored as yellow or if Tc(t)-B < 0, the packet is yellow and Tp is decremented by B, else the packet is green and both Tp and Tc are decremented by B. The trTCM can be used to mark a IP packet stream in a service, where different, decreasing levels of assurances (either absolute or relative) are given to packets which are green, yellow, or red. Refer to RFC 2698 for more information on other aspects of trTCM. Configures the action applied when packet rates fall within the specified CIR and BP limits transmit Transmits packets falling within the specified CIR and BC limits Configures the action applied when packet rates exceed the specified CIR limit, but are within the specified PIR limit

<0-63> Applies a new DSCP value. Select the DSCP value from 0 - 63. drops Drops packets exceeding the specified CIR and BC limit Configures the action applied when packet rates exceed the specified PIR limit

<0-63> Applies a new DSCP value. Select the DSCP value from 0 - 63. drops Drops packets exceeding the specified BE limit conform-action transmit exceed-action

[<0-63>|drop]

violate-action

[<0-63>|drop]

Usage Guidelines When configuring the traffic class enforcer parameters, take into consideration the following factors:

You can configure up to 200 enforcers/policers (i.e., class maps) for ingress ports. The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 270 GLOBAL CONFIGURATION COMMANDS Example The following example uses the police trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 Kbps, the peak burst size to 6000, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the peak information rate. nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action 0 violate-action drop nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#

nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context class dscp police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-

action 0 violate-action drop nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#

Related Commands no Removes the traffic enforcer settings Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 271 GLOBAL CONFIGURATION COMMANDS 4.1.50.2.4 set ex3500-qos-policy-map-class-config commands Sets class of service (CoS) value, per-hop behavior (PHB) value, and IP DSCP value in matching packets Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax set [cos <0-7>|ip dscp <0-63>|phb <0-7>]

Parameters set [cos <0-7>|ip dscp <0-63>|phb <0-7>]

set cos <0-7>

ip dscp <0-63>

phb <0-7>

Sets the match criteria used to identify and classify traffic into different classes. The match criteria options are: CoS, IP DSCP, and PHB values. Configures the CoS value for a matching packet (as specified by the match command) in the packets VLAN tag

<0-7> Specify a value from 0 - 7. The CoS is modified to the value specified here. Modifies the IP DSCP value in a matching packet (as specified by the match command)

<0-63> Specify a value from 0 - 63. The DSCP value is modified to the value specified here. Configures a PHB value for a matching packets

<0-7> Specify a value from 0 -7. The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked green, yellow, or red as per the following:

green if it does not exceed the CIR and BC limits yellow if it exceeds the CIR and BC limits, but not the BE limit, and red otherwise. Example The following example uses the set > phb command to classify the service that incoming packets will receive, and then uses the police > trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 Kbps, the peak burst size to 6000 bytes, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the peak information rate. nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#set phb 3 nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-

test2)#police trtcm-color-blind 100000 4000 1000000 6000 conform-action transmit exceed-action 0 violate-action drop nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#show context class test2 set phb 3 police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-

action 0 violate-action drop nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 272 GLOBAL CONFIGURATION COMMANDS The following example uses the set > ip dscp command to classify the service that incoming packets will receive, and then uses the police > flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets:

nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#set ip dscp 3 nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#police flow 100000 4000 conform-action transmit violate-action drop nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context class dscp set ip dscp 3 police flow 100000 4000 conform-action transmit violate-action drop nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#

Related Commands no Removes CoS value, PHB value, or IP DSCP value from this traffic class Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 273 GLOBAL CONFIGURATION COMMANDS 4.1.50.2.5 no ex3500-qos-policy-map-class-config commands Removes this traffic classifications settings Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax no [police|set]

no police [flow|srtcm-color-aware|srtcm-color-blind|trtcm-color-aware|trtcm-

color-blind]

no set [cos|ip dscp|phb]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes this traffic class settings based on the parameters passed Example nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context class dscp set ip dscp 3 police flow 100000 4000 conform-action transmit violate-action drop nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#

nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#no set ip dscp nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#no police flow nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context class dscp nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 274 GLOBAL CONFIGURATION COMMANDS 4.1.50.2.6 description ex3500-qos-policy-map config commands Configures this EX3500 QoS policy map's description Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax description <LINE>

Parameters description <LINE>

description <LINE>

Configures this EX3500 QoS policy map's description

<LINE> Enter a description that allows to you differentiate it from other policies with similar configuration (should not exceed 64 characters) Example nx9500-6C8809(config-ex3500-qos-policy-map-test)#description "This is a test EX3500 QoS Policy Map"

nx9500-6C8809(config-ex3500-qos-policy-map-test)#show context ex3500-qos-policy-map test description "This is a test EX3500 QoS Policy Map"

class test nx9500-6C8809(config-ex3500-qos-policy-map-test)#

Related Commands no Removes this EX3500 QoS policy map's description Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 275 GLOBAL CONFIGURATION COMMANDS 4.1.50.2.7 no ex3500-qos-policy-map config commands Removes this EX3500 QoS policy map's settings. Use this keyword to remove the description and to remove the QoS traffic classification created. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax no [class <EX3500-QoS-POLICY-MAP-NAME>|description]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes this EX3500 QoS policy map's settings based on the parameters passed Example The following example shows the EX3500 QoS policy map test settings before the no command are executed:

nx9500-6C8809(config-ex3500-qos-policy-map-test)#show context ex3500-qos-policy-map test description "This is a test EX3500 QoS Policy Map"

class test nx9500-6C8809(config-ex3500-qos-policy-map-test)#

nx9500-6C8809(config-ex3500-qos-policy-map-test)#no description nx9500-6C8809(config-ex3500-qos-policy-map-test)#no class test The following example shows the EX3500 QoS policy map test settings after the no command are executed:

nx9500-6C8809(config-ex3500-qos-policy-map-test)#show context ex3500-qos-policy-map test nx9500-6C8809(config-ex3500-qos-policy-map-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 276 GLOBAL CONFIGURATION COMMANDS 4.1.51 ex3524 Global Configuration Commands Adds a EX3524 switch to the network The EX3500 series switch is a Gigabit Ethernet layer 2 switch with either 24 or 48 10/100/1000-BASE-T ports, and four Small Form Factor Pluggable (SFP) transceiver slots for fiber connectivity. To enable layer 3 adoption of the logged EX3524 switch to a NOC controller, navigate to the EX3524 switchs device configuration mode and execute the following command: controller > host > <IP/

HOSTANME>. EX3500 devices (EX3524 and EX3548) are layer 2 Gigabit Ethernet switches with either 24 or 48 10/100/

1000-BASE-T ports, and four SFP transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX3500 switch has an SNMP-

based management agent that provides both in-band and out-of-band management access. The EX3500 switch utilizes an embedded HTTP Web agent and CLI, which in spite of being different from that of the WiNG operating system provides WiNG controllers PoE and port management resources. Going forward NX9500 and NX7500 WiNG managed series service platforms and WiNG VMs can discover, adopt, and partially manage EX3500 series Ethernet switches without modifying the proprietary operating system running the EX3500 switches. The WiNG service platforms utilize standardized WiNG interfaces to push configuration files to the EX3500 switches, and maintain a translation layer, understood by the EX3500 switch, for statistics retrieval. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax ex3524 <DEVICE-EX3524-MAC>

Parameters ex3524 <DEVICE-EX3524-MAC>

<DEVICE-EX3524-MAC>

Specifies the MAC address of a EX3524 switch Example nx9500-6C8809(config)#ex3524 A1-C4-33-6D-66-07 nx9500-6C8809(config-device-A1-C4-33-6D-66-07)#?

EX35xx Device Mode commands:

hostname Set system's network name interface Select an interface to configure ip Internet Protocol (IP) no Negate a command or set its defaults power EX3500 Power over Ethernet Command remove-override Remove configuration item override from the device (so profile value takes effect) upgrade Configures upgrade option for ex3500 system use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 277 GLOBAL CONFIGURATION COMMANDS service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-device-A1-C4-33-6D-66-07)#

Related Commands no Removes a EX3524 switch from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 278 GLOBAL CONFIGURATION COMMANDS 4.1.52 ex3548 Global Configuration Commands Adds a EX3548 switch to the network The EX3500 series switch is a Gigabit Ethernet layer 2 switch with either 24 or 48 10/100/1000-BASE-T ports, and four SFP transceiver slots for fiber connectivity. Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax ex3548 <DEVICE-EX3548-MAC>

Parameters ex3548 <DEVICE-EX3548-MAC>

<DEVICE-EX3548-

MAC>

Specifies the MAC address of a EX3548 switch Example nx9500-6C8809(config)#ex3548 22-65-78-09-12-35 nx9500-6C8809(config-device-22-65-78-09-12-35)#?

EX35xx Device Mode commands:

hostname Set system's network name interface Select an interface to configure ip Internet Protocol (IP) no Negate a command or set its defaults power EX3500 Power over Ethernet Command remove-override Remove configuration item override from the device (so profile value takes effect) upgrade Configures upgrade option for ex3500 system use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-device-22-65-78-09-12-35)#

Related Commands no Removes a EX3548 switch from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 279 GLOBAL CONFIGURATION COMMANDS 4.1.53 firewall-policy Global Configuration Commands Configures a firewall policy. This policy defines a set of rules for managing network traffic and prevents unauthorized access to the network behind the firewall. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax firewall-policy <FIREWALL-POLICY-NAME>

Parameters firewall-policy <FIREWALL-POLICY-NAME>

<FIREWALL-POLICY-

NAME>

Specify the firewall policy name. If a firewall policy does not exist, it is created. Example rfs6000-81742D(config)#firewall-policy test rfs6000-81742D(config-fw-policy-test)#?

Firewall policy Mode commands:

acl-logging Log on flow creating traffic alg Enable ALG clamp Clamp value dhcp-offer-convert Enable conversion of broadcast dhcp offers to unicast dns-snoop DNS Snooping firewall Wireless firewall flow Firewall flow ip Internet Protocol (IP) ip-mac Action based on ip-mac table ipv6 Internet Protocol version 6 (IPv6) ipv6-mac Action based on ipv6-mac table logging Firewall enhanced logging no Negate a command or set its defaults proxy-arp Enable generation of ARP responses on behalf of another device proxy-nd Enable generation of ND responses (for IPv6) on behalf of another device stateful-packet-inspection-l2 Enable stateful packet inspection in layer2 firewall storm-control Storm-control virtual-defragmentation Enable virtual defragmentation for IPv4 packets (recommended for proper functioning of firewall) clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 280 GLOBAL CONFIGURATION COMMANDS terminal rfs6000-81742D(config-fw-policy-test)#

Related Commands no Removes an existing firewall policy NOTE: For more information on Firewall policy, see Chapter 13, FIREWALL-

POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 281 GLOBAL CONFIGURATION COMMANDS 4.1.54 global-association-list Global Configuration Commands Configures a global list of client MAC addresses. Based on the deny or permit rules specified, clients are either allowed or denied access to the managed network. The global association list serves the same purpose as an Association Access Control List (ACL). However, the Association ACL allows a limited number of entries, a few thousand only, and does not suffice the requirements of a large deployment. This gap is filled by a global association list, which is much larger

(with tens of thousands of entries). Both lists co-exist in the system. When an access request comes in, the association ACL is looked up first and if the requesting MAC address is listed in one of the deny ACLs, the association is denied. But, if the requesting client is permitted access, or if in case none of the ACLs list the clients MAC address, the global association ACL is checked. Once authenticated, the clients credentials are cached on the access point, and subsequent requests are not referenced to the controller. An entry in an APs credential cache means a pass in the global association list. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax global-association-list <GLOBAL-ASSOC-LIST-NAME>

Parameters global-association-list <GLOBAL-ASSOC-LIST-NAME>

<GLOBAL-ASSOC-

LIST-NAME>

Specify the global association list name. If a list with the same name does not exist, it is created. Map this global association list to a device (controller) or a controller profile. Once associated, the controller applies this association list to requests received from all adopted APs. For more information, see use. The global association list can also be mapped to a WLAN. The usage of global access lists is controlled on a per-WLAN basis. For more information, see association-list. Example rfs4000-229D58(config)#global-association-list my-clients rfs4000-229D58(config-global-assoc-list-my-clients)#?

Global Association List Mode commands:

default-action Configure the default action when the client MAC does not match any rule deny Specify MAC addresses to be denied no Negate a command or set its defaults permit Specify MAC addresses to be permitted clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 282 GLOBAL CONFIGURATION COMMANDS show Show running system information write Write running configuration to memory or terminal rfs4000-229D58(config-global-assoc-list-my-clients)#

To enable global-association-list controlled client association, execute the following commands:

1 Create a global association list, and configure it as shown in the following examples:

rfs4000-229D58(config)#global-association-list vtt-list rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 01-22-33-44-55-66 description sample rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 40-B8-9A-39-F1-27 description acer rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 42-B8-9A-39-F1-27 description ami rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 6C-40-08-B2-80-6C description mac rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit E0-98-61-34-11-47 description my_mobile rfs4000-880DA7(config-global-assoc-list-vtt-list)#show context global-association-list vtt-list default-action deny permit 01-22-33-44-55-66 description sample permit 40-B8-9A-39-F1-27 description acer permit 42-B8-9A-39-F1-27 description ami permit 6C-40-08-B2-80-6C description mac permit E0-98-61-34-11-47 description my_mobile rfs4000-880DA7(config-global-assoc-list-vtt-list)#

2 Attach this global association list to the profile or device context of the access point or controller, as shown in the following examples:

3 On the access points profile context:

Note: Ensure that the global association list is associated with the profile being applied on the access point. rfs4000-880DA7(config-profile-testAP6522)#use global-association-list server vtt-list rfs4000-880DA7(config-profile-testAP6522)#show context include-factory |

include g lobal-association-list service global-association-list blacklist-interval 60 use global-association-list server vtt-list rfs4000-880DA7(config-profile-testAP6522)#

4 On the access points device context:

ap6522(config-device-B4-C7-99-EA-DF-2C)#use global-association-list server vtt-list ap6522 (config-device-B4-C7-99-EA-DF-2C)#show context include-factory | in clude global-association-list use global-association-list server vtt-list ap6522(config-device-B4-C7-99-EA-DF-2C)#

5 On the controllers device context:

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 283 GLOBAL CONFIGURATION COMMANDS rfs4000-880DA7(config-device-00-23-68-88-0D-A7)#use global-association-list server vtt-list rfs4000-880DA7(config-device-00-23-68-88-0D-A7)#show context include-factory

| in clude global-association-list use global-association-list server vtt-list ap6522(config-device-B4-C7-99-EA-DF-2C)#

6 Attach this global association list with the WLAN, as shown in the following example:

rfs4000-880DA7(config-wlan-GLAssList)#association-list global vtt-list rfs4000-880DA7(config-wlan-GLAssList)#show context include-factory | include association-list association-list global vtt-list rfs4000-880DA7(config-wlan-GLAssList)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 284 GLOBAL CONFIGURATION COMMANDS 4.1.55 guest-management Global Configuration Commands The following table summarizes the guest management policy configuration mode commands:

Table 4.35 Guest-Management Policy Config Command Command guest-management guest-management-

mode commands Description Creates a guest management policy and enters its configuration mode Summarizes guest management policy configuration mode commands Reference page 4-286 page 4-287 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 285 GLOBAL CONFIGURATION COMMANDS 4.1.55.1 guest-management guest-management Configures a guest management policy that redirects guest users to a registration portal upon association to a captive portal. Guest users are redirected to an internally (or) externally hosted registration page

(registration.html) where previously, not-registered guest users can register. The internally hosted captive portal registration page can be customized based on business requirements. Use the guest management policy commands to configure parameters, such as E-mail host and SMS gateway along with the credentials required for sending pass code to guest via e-mail and SMS. You can configure up to 32 different guest management policies. Each guest management policy allows you to configure the SMS gateway, SMS message body, E-mail SMTP server, E-mail subject contents, and E-mail message body. Although, at any point-in-time, multiple guest management policies may exist, only one guest management policy can be active per device. Guest registration is supported only on the NX95XX and NX7500 series service platforms. However, the number of user identity entries supported on each varies. It is 2 million and 1 million user-identity entries for the NX95XX and NX75XX model service platforms respectively. Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax guest-management <POLICY-NAME>

Parameters guest-management <POLICY-NAME>

<POLICY-NAME>

Specify the guest management policy name. If the policy does not exist, it is created. Example nx9500-6C8809(config)#guest-management guest nx9500-6C8809(config-guest-management-guest)#?

Guest Management Mode commands:

email Email guest-notification configuration guest-database-backup Configure guest-database-backup parameters guest-database-export Configure guest-database-export parameters no Negate a command or set its defaults sms SMS guest-notification configuration sms-over-smtp Sms-over-smtp configuration to email sms gateway address clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-guest-management-guest)#

Related Commands no Removes an existing guest management policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 286 GLOBAL CONFIGURATION COMMANDS 4.1.55.2 guest-management-mode commands guest-management The following table summarizes guest management policy configuration mode commands:

Table 4.36 Guest-Management-Policy-Config-Mode Commands Description Configures guest user e-mail notification settings Enables periodic backup of the captive portals guest registration user database Command email guest-

database-

backup guest-

database-

export sms sms-over-smtp Configures an e-mail host server along with sender credentials and the Schedules an export of the Guest Management User database to a specified external server Configures guest user SMS notification settings recipients gateway e-mail address to which the message is e-mailed. The gateway server converts the e-mail into SMS and forwards the message to the guest userss mobile device. Removes this guest management policy settings no Reference page 4-288 page 4-290 page 4-291 page 4-292 page 4-294 page 4-296 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 287 GLOBAL CONFIGURATION COMMANDS 4.1.55.2.1 email guest-management-mode commands Configures guest user e-mail notification settings. When configured, guest users can register themselves with their e-mail credentials as a primary key for authentication. The captive portal system provides the pass code for their registration. Guest users need to use their registered e-mail, mobile, or member ID and the received pass code for subsequent logins to the captive portal. This option is disabled by default. Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax email [host|message|subject]

email host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS> security

[none|ssl|starttls] username <USER-NAME> password <PASSWORD>

email message <LINE>

email subject <LINE>

Parameters email host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS> security

[none|ssl|starttls] username <USER-NAME> password <PASSWORD>

email host

[<IP/HOSTNAME>|

<HOST-ALIAS-

NAME>]

sender

<EMAIL-ADDRESS>

security

[none|ssl|starttls]

username

<USER-NAME>

Configures guest user e-mail notification settings Configures the SMTP servers IP address or hostname used for guest management e-

mail traffic, guest user credential validation, and pass code reception. Optionally you can use an existing host alias to identify the SMTP server host.

<IP/HOSTNAME> Specify the SMTP servers IPv4 address or hostname.

<HOST-ALIAS-NAME> Specify the host alias name (should be existing and configured). Consider providing the host as an alias. A host alias is a configuration item that maps the alias to a hostname. Once created, it can be used across different configuration modes. Where ever used the alias is replaced by the associated hostname. Configures the senders name for the guest user receiving the passcode required for registering their guest E-mail credentials using SMTP.

<EMAIL-SENDER> Specify the senders name (should not exceed 100 characters). Configures the encryption protocol used by the SMTP server when communicating the pass code none No encryption used. Use if no additional user authentication is needed beyond the required username and password combination. SSL Uses SSL encryption. This is the default setting. STARTTLS Uses STARTTLS encryption Configures a username unique to this SMS guest management configuration. After configuring the username, specify the associated password. Ensure that the password is correctly provided to receive the pass code required for registering guest user credentials with SMS.

<USER-NAME> Specify the username (should not exceed 100 characters). Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 288 GLOBAL CONFIGURATION COMMANDS password

<PASSWORD>

Configures the password associated with the specified SMTP user name

<PASSWORD> Specify the password (should not exceed 63 characters). email message <LINE>

email message <LINE>

Configures guest user e-mail notification content Configures the content of the e-mail sent to the guest user notifying the pass code

(should not exceed 1024 characters)

<LINE> Specify the message content. When entering the message, use the following tags:

GM-NAME for the guest users name GM_PASSCODE for the pass code CR-NL to enter a new line For example: Dear GM_NAME, CR-NL your internet access pass code is GM_PASSCODE. CR-NL Use this for internet access. email subject <LINE>

email subject <LINE>

Configures guest user e-mail notification subject line Configures the subject line of the e-mail sent to the guest user notifying the pass code

(should not exceed 100 characters)

<LINE> Specify the subject line content. When entering the subject line, use the following tag:

GM-NAME for the guest users name For example: GM_NAME, your internet access code Example nx9500-6C8809(config-guest-management-test)#email host 192.168.13.10 sender bob@extremenetworks.com security ssl username guest1 password guest1@123 nx9500-6C8809(config-guest-management-test)#show context guest-management test email host 192.168.13.10 sender bob@extremenetworks.com security ssl username guest1 password guest1@123 nx9500-6C8809(config-guest-management-test)#

nx9500-6C8809(config-guest-management-test2)#email message Dear GM_Guest2, CR-NL Your internet access passcode is GM_Guest2. CR-NL Use this for internet access. nx9500-6C8809(config-guest-management-test2)#email subject GM_Guest2 Your internet access code nx9500-6C8809(config-guest-management-test2)#show context guest-management test2 email subject GM_Guest2 Your internet access code email message Dear GM_Guest2, CR-NL Your internet access passcode is GM_Guest2. CR-NL Use this for internet access. nx9500-6C8809(config-guest-management-test2)#

Related Commands no Removes the e-mail settings used to send notification mails to the guest user Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 289 GLOBAL CONFIGURATION COMMANDS 4.1.55.2.2 guest-database-backup guest-management-mode commands Enables periodic backup of a captive portals guest registration user database. This option is enabled by default. Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax guest-database-backup enable {<TIME>}

Parameters guest-database-backup enable {<TIME>}

guest-database-

backup enable

<TIME>

Enables periodic backup of a captive portals guest registration user database. This command also allows you to configure the time at which the system starts backing up the database. The default backup-start time is 00:00 (midnight every day).

<TIME> Optional. Resets the periodic database backup-start time to a user-defined value in the HH;MM format. When specified, the system starts periodic backup of the database, every day, at the specified time. Example nx9500-6C8809(config-guest-management-test)#guest-database-backup enable 12:30 vnx9500-6C8809(config-guest-management-test)#show context guest-management test guest-database-backup enable 12:30 nx9500-6C8809(config-guest-management-test)#

Related Commands no Disables periodic backup of a captive portals guest registration user database Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 290 GLOBAL CONFIGURATION COMMANDS 4.1.55.2.3 guest-database-export guest-management-mode commands Schedules an export of the Guest Management user database to a specified external server. This option is enabled by default. Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax guest-database-export <TIME> frequency <1-168> url-directory <URL> {(format

[csv|json]|last-visit-within <1-168>)}

Parameters guest-database-export <TIME> frequency <1-168> url-directory <URL> {(format

[csv|json]|last-visit-within <1-168>)}

guest-database-

export <TIME>

frequency <1-168>

Schedules an export of the Guest Management User collection to an external server

<TIME> Configures the start time of the export operation in the HH:MM format Configures the user collection export frequency in hours

<1-168> Configures the frequency from 1 - 168 hours. If the frequency is set at 3 hours, the user database is exported once in every 3 hours. The default is 4 hours. url-directory <URL>

format [csv|json]

Configures external servers URL and directory to where the collection is exported

<URL> Specify the external servers URL Optional. Configures the file format csv Exports collection to the specified location in CSV format. This is the default last-visit-within

<1-168>

setting. json Exports collection to the specified location in JSON format Configures a filters guest users who have last visited within a specified period of time

<1-168> Specify a time period from 1 - 168 hours. If for example, the last-visit-within value is set at 2 hours, then only the last two hours guest user collections will be exported. The default is 4 hours. Example nx9500-6C8809(config-guest-management-gm1)#guest-database-export 10:30 frequency 6 url-directory ftp://admin:xxxxxx@192.168.13.10/dbe_dir format json last-visit

-within 168 nx9500-6C8809(config-guest-management-test)#show context guest-management test guest-database-export 12:30 frequency 20 url-directory ftp://

admin:xxxxxx@192.168.13.10/dbe_dir format json last-visit-within 168 nx9500-6C8809(config-guest-management-test)#

Related Commands no Reverts the guest database export parameters to default Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 291 GLOBAL CONFIGURATION COMMANDS 4.1.55.2.4 sms guest-management-mode commands Configures guest user SMS notification settings When configured, guest users can register themselves with their e-mail or mobile device ID as the primary key for authentication. The captive portal provides the pass code for registration. Guest users use their registered e-mail or mobile device ID and the received pass code for subsequent logins to the captive portal. NOTE: When using SMS, ensure that the WLANs mode of authentication is set to none and the mode of registration is set to user. In other words, captive portal authentication must always enforce guest registration. SMS is similar to MAC address-based self registration, but in addition the captive portal sends an SMS message, containing an access code, to the users mobile phone number provided at the time of registration. The captive portal verifies the code, returns the Welcome page and provides access. This allows the administrator to verify the phone number provided and can be traced back to a specific individual should the need arise. The default gateway used with SMS is Clickatell. A pass code can be sent with SMS to the guest user directly using Clickatell, or the pass code can be sent via e-mail to the SMS Clickatell gateway server, and Clickatell sends the pass code SMS to the guest user. Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax sms [host|message]

sms host clickatell username <USER-NAME> password <PASSWORD> api-id <ID> user-agent

<PYCLICKATELL> {source-number <WORD>}

sms message <LINE>

Parameters sms host clickatell username <USER-NAME> password <PASSWORD> api-id <ID> user-

agent <PYCLICKATELL> {source-number <WORD>}

sms host clickatell username

<USER-NAME>

password

<PASSWORD>

api-id <ID>

Configures guest user SMS notification settings By default, clickatell is the host SMS gateway server resource. Upon receiving the pass code e-mail, the SMS gateway sends the actual notification pass code SMS to the guest user. Configures a username unique to this SMS guest management configuration. After configuring the username, specify the associated password. Ensure that the password is correctly provided to receive the pass code required for registering guest user credentials with SMS.

<USER-NAME> Specify the username (should not exceed 32 characters). Configures the password associated with the specified username

<PASSWORD> Specify the password (should not exceed 63 characters). Set a 32 character maximum API ID

<API-ID> Specify the API ID (should not exceed 32 characters). Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 292 GLOBAL CONFIGURATION COMMANDS user-agent

<PYCLICKATELL>

source-number

<WORD>

Since the SMS service provider by default is Clickatell, set the user agent name to pyclickatell. The user-agent value ensures the Clickatell SMS gateway server and its related credentials, needed for sending the pass code to guest users, are configured. Optional. Configures the long-address or the from-number associated with this Clickatell user account

<WORD> Specify the source number (should not exceed 32 characters). sms message <LINE>

SMS message <LINE>

Configures guest user SMS notification content Configures the content of the SMS sent to the guest user notifying the pass code

(should not exceed 1024 characters)

<LINE> Specify the message content. When entering the message, use the following tags:

GM-NAME for the guest users name GM_PASSCODE for the pass code For example: Dear GM_NAME, your internet access pass code is GM_PASSCODE. Example nx9500-6C8809(config-guest-management-test)#sms host clickatell username guest1 password guest1@123 api-id test user-agent pyclickatell nx9500-6C8809(config-guest-management-test)#sms message Dear guest1, Your passcode for internet access is GM-guest1 nx9500-6C8809(config-guest-management-test)#show context guest-management test email host 192.168.13.10 sender bob@extremenetworks.com security ssl username guest1 password guest1@123 sms host clickatell username guest1 password guest1@123 api-id test user-agent pyclickatell sms message Dear guest1, Your passcode for internet access is GM-guest1 nx9500-6C8809(config-guest-management-test)#

Related Commands no Removes the SMS settings used to send SMS to the guest user Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 293 GLOBAL CONFIGURATION COMMANDS 4.1.55.2.5 sms-over-smtp guest-management-mode commands Configures an e-mail host server (for example: smtp.gmail.com) along with sender related credentials and the recipient gateway e-mail address to which the message is E-mailed. The gateway server converts the e-mail into SMS and sends the message to the guest userss mobile device. When sending an e-mail, the e-mail client interacts with a SMTP server to handle the content transmission. The SMTP server on the host may have conversations with other SMTP servers to deliver the e-mail. Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax sms-over-smtp [host|message|subject]

sms-over-smtp host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS>

security [none|ssl|starttls] username <USER-NAME> password <PASSWORD> recipient

<EMAIL-ADDRESS>

sms-over-smtp message <LINE>

sms-over-smtp subject <LINE>

Parameters sms-over-smtp host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS>

security [none|ssl|starttls] username <USER-NAME> password <PASSWORD> recipient

<EMAIL-ADDRESS>

sms-over-smtp host

[<IP/HOSTNAME>|

<HOST-ALIAS-

NAME>]

Configures guest user SMS over SMTP notification settings Configures the SMS gateway server resources IPv4 address or hostname used for guest management SMS over SMTP traffic, guest user credential validation and pass code reception. Optionally you can use an existing host alias to identify the SMS gateway server resource.

<IP/HOSTNAME> Specify the SMTP gateway server resources IP address or sender

<EMAIL-ADDRESS>

security

[none|ssl|starttls]

hostname.

<HOST-ALIAS-NAME> Specify the host alias name (should existing and configured). Consider providing the host as an alias. A host alias is a configuration item that maps the alias to a hostname. Once created, it can be used across different configuration modes. Where ever used the alias is replaced by the associated hostname. Configures the senders e-mail address. The sender here is the guest user receiving the pass code. Guest users require this pass code for registering their guest e-mail credentials using SMTP.

<EMAIL-ADDRESS> Specify the e-mail address (should not exceed 64 characters). Configures the encryption protocol used by the SMTP server when communicating the pass code none No encryption used. Use if no additional user authentication is needed beyond the required username and password combination. SSL Uses SSL encryption. This is the default setting. STARTTLS Uses STARTTLS encryption Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 294 GLOBAL CONFIGURATION COMMANDS username

<USER-NAME>

password

<PASSWORD>

recipient

<EMAIL-ADDRESS>

Configures a username unique to this SMTP guest management configuration. After configuring the username, specify the associated password. Ensure that the correct password is provided to receive the pass code required for registering guest user credentials with SMTP.

<USER-NAME> Specify the username (should not exceed 64 characters). Configures the password associated with the specified SMTP user name

<PASSWORD> Specify the password (should not exceed 64 characters). Configures the e-mail recipient's e-mail address

<EMAIL-ADDRESS> Specify the recipients e-mail address (should not exceed 64 characters in length. sms-over-smtp message <LINE>

sms-over-smtp message <LINE>

Configures guest user SMS over SMTP notification message content Configures the content of the SMS over SMTP sent to the guest user notifying the pass code (should not exceed 1024 characters)

<LINE> Specify the message content. When entering the message, use the following tags:

GM-NAME for the guest users name GM_PASSCODE for the pass code CR-NL to enter a new line For example: Dear GM_NAME, CR-NL your internet access pass code is GM_PASSCODE. CR-NL Use this access code for internet access. sms-over-smtp subject <LINE>

sms-over-smtp subject <LINE>

Configures guest user e-mail notification subject line content Configures the subject line of the SMS over SMTP sent to the guest user notifying the pass code (should not exceed 100 characters)

<LINE> Specify the subject line content. When entering the subject line, use the following tag:

GM-NAME for the guest users name For example: GM_NAME, your internet access code Example nx9500-6C8809(config-guest-management-test3)#sms-over-smtp host test sender bob@extremenetworks.com security ssl username bob password bob@123 recipient john@extremenetworks.com nx9500-6C8809(config-guest-management-test3)#show context guest-management test3 sms-over-smtp host test sender bob@extremenetworks.com security ssl username bob password bob@123 recipient john@extremenetworks.com nx9500-6C8809(config-guest-management-test3)#

Related Commands no Removes the SMS over SMTP settings used to send SMS to the guest user Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 295 GLOBAL CONFIGURATION COMMANDS 4.1.55.2.6 no guest-management-mode commands Removes this guest management policy settings Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [email|guest-database-backup|guest-database-export|sms|sms-over-smtp]

no email [host|message|subject]

no guest-database-backup enable no guest-database-export no gmd report-generation enable no sms [host|message]

no sms-over-smtp [host|message|subject]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes this guest management policy settings based on the parameters passed Example nx9500-6C8809(config-guest-management-test3)#show context guest-management test3 sms-over-smtp host test sender bob@extremenetworks.com security ssl username bob password bob@123 recipient john@extremenetworks.com nx9500-6C8809(config-guest-management-test3)#

nx9500-6C8809(config-guest-management-test)#no sms-over-smtp host nx9500-6C8809(config-guest-management-test3)#show context guest-management test3 nx9500-6C8809(config-guest-management-test3)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 296 GLOBAL CONFIGURATION COMMANDS 4.1.56 host Global Configuration Commands Enters the configuration context of a remote device using its hostname Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax host <DEVICE-NAME>

Parameters host <DEVICE-NAME>

<DEVICE-NAME>

Specify the devices hostname. All discovered devices are displayed when Tab is pressed to auto complete this command. Example rfs4000-229D58(config)#host rfs4000-229D58 rfs4000-229D58(config-device-00-23-68-22-9D-58)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 297 GLOBAL CONFIGURATION COMMANDS 4.1.57 inline-password-encryption Global Configuration Commands Stores the encryption key in the startup configuration file By default, the encryption key is not stored in the startup-config file. Use the inline-password-encryption command to move the encrypted key to the startup-config file. This command uses the master key to encrypt the password, then moves it to the startup-config file. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax inline-password-encryption Parameters None Usage Guidelines When the configuration file is imported to a different device, it first decrypts the encryption key using the default key and then decrypts the rest of the configuration using the administrator configured encryption key. Example The following command uses the specified password for encryption key and stores it outside of startup-config:

rfs6000-81742D(config)#password-encryption secret 2 12345678 rfs6000-81742D(config)#commit write memory The following command moves the same password to the startup-config and encrypts it with the master key:

rfs6000-81742D(config)#inline-password-encryption Related Commands no password-encryption Disables storing of the encryption key in the startup configuration file Enables password encryption Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 298 GLOBAL CONFIGURATION COMMANDS 4.1.58 ip Global Configuration Commands Creates a IP access control list (ACL) and/or a SNMP IP ACL Access lists define access permissions to the network using a set of rules. Each rule specifies an action taken when a packet matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ip [access-list|snmp-access-list]

ip access-list <IP-ACL-NAME>

ip snmp-access-list <IP-SNMP-ACL-NAME>

Parameters ip access-list <IP-ACL-NAME>

access-list

<IP-ACL-NAME>

Creates an IP ACL and enters its configuration mode

<IP-ACL-NAME> Specify the ACL name. If the access list does not exist, it is created. ip snmp-access-list <IP-SNMP-ACL-NAME>

snmp-access-list

<IP-SNMP-ACL-

NAME>

Creates a SNMP IP ACL and enters its configuration mode. An SNMP IP ACL is an access control mechanism that uses a combination of IP ACL and SNMP community string. SNMP performs network management functions using a data structure called a Management Information Base (MIB). SNMP is widely implemented but not very secure, since it uses only text community strings for accessing controller or service platform configuration files. Use SNMP ACLs (firewalls) to help reduce SNMPs vulnerabilities, as SNMP traffic can be easily exploited to produce a denial of service (DoS).

<IP-SNMP-ACL-NAME> Specify the SNMP IP ACL name. If the access list does not exist, it is created. After creating the SNMP ACL, define the deny/permit rules based on the network and/or host IP addresses. Once created and configured, link this SNMP IP ACL with a SNMP community string. To link the SNMP community string with the SNMP IP ACL, in the management-

policy-config-mode, use the following command: snmp-server > community

<COMMUNITY-STRING> > [ro|rw] > ip-snmp-access-list <IP-SNMP-ACL-NAME>. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 299 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config)#ip access-list test rfs6000-81742D(config-ip-acl-test)#?

ACL Configuration commands:

deny Specify packets to reject disable Disable rule if not needed no Negate a command or set its defaults permit Specify packets to forward clrscr Clears the display screen commit Commit all changes made in this session end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-ip-acl-test)#

rfs6000-81742D(config)#ip snmp-access-list SNMPAcl rfs6000-81742D(config-ip-snmp-acl-SNMPAcl)#?

SNMP ACL Configuration commands:

deny Specify packets to reject no Negate a command or set its defaults permit Specify packets to forward clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-ip-snmp-acl-SNMPAcl)#

Related Commands no Removes an IP access control list NOTE: For more information on access control lists, see Chapter 11, ACCESS-

LIST. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 300 GLOBAL CONFIGURATION COMMANDS 4.1.59 ipv6 Global Configuration Commands Creates a IPv6 ACL An IPv6 ACL defines a set of rules that filter IPv6 packets flowing through a port or interface. Each rule specifies the action taken when a packet matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ipv6 access-list <IPv6-ACL-NAME>

Parameters ipv6 access-list <IPv6-ACL-NAME>

access-list

<IPv6-ACL-NAME>

Configures an IPv6 access list and enters its configuration mode

<IPv6-ACL-NAME> Specify the IPv6 ACL name. If the access list does not exist, it is created. Example rfs4000-229D58(config)#ipv6 access-list IPv6ACLTest rfs4000-229D58(config-ipv6-acl-IPv6ACLTest)#?

IPv6 Access Control Mode commands:

deny Specify packets to reject no Negate a command or set its defaults permit Specify packets to forward clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs4000-229D58(config-ipv6-acl-IPv6ACLTest)#

Related Commands no Removes an IPv6 access control list NOTE: For more information on access control lists, see Chapter 11, ACCESS-

LIST. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 301 GLOBAL CONFIGURATION COMMANDS 4.1.60 ipv6-router-advertisement-policy Global Configuration Commands The following table lists the IPv6 router advertisement (RA) policy configuration commands:

Table 4.37 IPv6-Router-Advertisement-Policy-Config Commands Description Creates a new IPv6 RA policy and enters its configuration mode Reference page 4-303 Summarizes the IPv6 RA policy configuration mode commands page 4-305 Command ipv6-router-

advertisement-

policy ipv6-router-

advertisement-

policy-mode commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 302 GLOBAL CONFIGURATION COMMANDS 4.1.60.1 ipv6-router-advertisement-policy ipv6-router-advertisement-policy Creates an IPv6 RA policy and enters its configuration mode An IPv6 router policy allows routers to advertise their presence in response to solicitation messages. After receiving a neighbor solicitation message, the destination node sends an advertisement message. which includes the link layer address of the source node. After receiving the advertisement, the destination device replies with a neighbor advertisement message on the local link. After the source receives the advertisement it can communicate with other devices. Advertisement messages are also sent to indicate a change in link layer address for a node on the local link. With such a change, the multicast address becomes the destination address for advertisement messages. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ipv6-router-advertisement-policy <POLICY-NAME>

Parameters ipv6-router-advertisement-policy <POLICY-NAME>

ipv6-router-

advertisement-policy

<POLICY-NAME>

Specify an IPv6 RA policy name. If the policy does not exist, it is created. Example rfs4000-229D58(config)#ipv6-router-advertisement-policy test rfs4000-229D58(config-ipv6-radv-policy-test)#?

IPv6 Router Advertisement Policy Mode commands:

advertise Option to advertise in router advertisement assist-neighbor-discovery Send the Source Link Layer address option in Router Advertisement to assist in neighbor discovery check-ra-consistency Check if the parameters advertised by other routers on the link are in conflict with those configured on this router. Conflicts are logged. dns-server DNS Server domain-name Configure domain-name managed-config-flag Set the managed-address-configuration flag in Router Advertisements. When set, it indicates that the addresses are available via DHCPv6 nd-reachable-time Time that a node assumes a neighbor is reachable after having received a reachability confirmation no Negate a command or set its defaults ns-interval Time between retransmitted Neighbor Solicitation messages other-config-flag Set the other-configuration flag in Router Advertisements. When set, it indicates that other configuration information is Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 303 GLOBAL CONFIGURATION COMMANDS available via DHCPv6. ra Router Advertisements router-lifetime Lifetime associated with the default router router-preference Preference of this router over other routers unicast-solicited-advertisement Unicast the solicited Router Advertisements clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs4000-229D58(config-ipv6-radv-policy-test)#

Related Commands no Removes the specified IPv6 RA policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 304 GLOBAL CONFIGURATION COMMANDS 4.1.60.2 ipv6-router-advertisement-policy-mode commands ipv6-router-advertisement-policy The following table summarizes IPv6 router advertisement policy configuration commands:

Table 4.38 IPv6-Router-Advertisement-Policy-Config-Mode Commands Description Enables advertisement of IPv6 maximum transmission unit (MTU) and hop-count value in RAs Enables advertisement of the source link layer address in RAs Reference page 4-306 page 4-307 Enables checking of consistency in RA values advertised by this router with those advertised by other routers, if any, on the same link Configures the DNS servers IPv6 address and lifetime advertised in RAs page 4-309 page 4-310 Configures the Domain name search label advertised in RAs page 4-311 Sets the managed address configuration flag in RAs page 4-308 Enables advertisement of neighbor reachable time in RAs Removes or reverts router advertisement policy settings Configures the interval between two successive retransmitted neighbor solicitation (NS) messages other-config-flag Sets the other-configuration flag in RAs ra Configures RA related parameters, such as the interval between two unsolicited successive RAs Configures the default routers lifetime, in seconds, advertised in RAs router-lifetime router-preference Configures the router preference field value advertised in RAs unicast-solicited-

advertisement Enables unicasting of solicited RAs page 4-312 page 4-313 page 4-314 page 4-315 page 4-316 page 4-317 page 4-318 page 4-319 Command advertise assist-neighbor-

discovery check-ra-

consistency dns-server domain-name managed-config-

flag nd-reachable-

time no ns-interval Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 305 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.1 advertise ipv6-router-advertisement-policy-mode commands Enables advertisement of IPv6 MTU and hop-count value in RAs Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax advertise [hop-limit|mtu]

Parameters advertise [hop-limit|mtu]

advertise

[hop-limit|mtu]

Enables advertisement of IPv6 MTU and hop-count value in RAs. Both these features are disabled by default. Example rfs6000-81742D(config-ipv6-radv-policy-test)#advertise hop-limit rfs6000-81742D(config-ipv6-radv-policy-test)#advertise mtu rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test advertise mtu advertise hop-limit rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands no Disables advertisement of IPv6 MTU and hop-count value in RAs Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 306 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.2 assist-neighbor-discovery ipv6-router-advertisement-policy-mode commands Enables advertisement of the source link layer address in RAs to facilitate neighbor discovery. This feature is enabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax assist-neighbor-discovery Parameters None Example rfs6000-81742D(config-ipv6-radv-policy-test)#assist-neighbor-discovery Related Commands no Disables the advertisement of the source link layer address in RAs Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 307 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.3 check-ra-consistency ipv6-router-advertisement-policy-mode commands Enables checking of consistency in RA values advertised by this router with those advertised by other routers, if any, on the same link. If the values advertised are inconsistent, a conflict is logged. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax check-ra-consistency Parameters None Example rfs6000-81742D(config-ipv6-radv-policy-test)#check-ra-consistency rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test advertise mtu advertise hop-limit check-ra-consistency rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands no Disables comparison of interface-specific parameters advertised by other routers, within the link, with those advertised with this router Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 308 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.4 dns-server ipv6-router-advertisement-policy-mode commands Configures the DNS servers IPv6 address and lifetime. The configured values are advertised in RAs. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dns-server <IPv6> {lifetime [<4-3600>|expired|infinite]}

Parameters dns-server <IPv6> {lifetime [<4-3600>|expired|infinite]}

dns-server <IPv6>

lifetime [<4-

3600>|expired|infinit e]

Configures the DNS servers IPv6 address Enables the use of a DNS server to resolve host names to IPv6 addresses. When an IPv6 host is configured with the address of a DNS server, the host sends DNS name queries to the server for resolution.

<IPv6> Specify the DNS servers address. This address is advertised in RAs. A maximum of four (4) entries can be made per policy. Optional. Configures the DNS servers (identified by the <IPv6> parameter) lifetime

<4-3600> Configures a lifetime in seconds. Specify a value form 4 - 3600 seconds. The default is 600 seconds. expired Advertises that this DNS servers lifetime has expired and should not be used infinite Advertises that this DNS servers lifetime is infinite Example rfs6000-81742D(config-ipv6-radv-policy-test)#dns-server 2002::2 lifetime 3000 rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test advertise mtu advertise hop-limit check-ra-consistency dns-server 2002::2 lifetime 3000 rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands no Removes the DNS server settings advertised in RAs. Once removed these values are not advertised in RAs. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 309 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.5 domain-name ipv6-router-advertisement-policy-mode commands Configures the Domain name search label advertised in RAs Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax domain-name <WORD> {lifetime [<4-3600>|expired|infinite]}

Parameters domain-name

<WORD>

domain-name <WORD> {lifetime [<4-3600>|expired|infinite]}

Configures the Domain name search label advertised in RAs Enter a fully qualified domain name (FQDN), which is an unambiguous domain name available in a router advertisement resource. To distinguish an FQDN from a regular domain name, a trailing period is added. For example, somehost.example.com.

<WORD> Specify the Domain name search label. A maximum of four (4) entries can be made per policy. lifetime [<4-3600>|

expired|infinite]

Optional. Configures the Domain name search label's lifetime

<4-3600> Configures a lifetime in seconds. Specify a value form 4 - 3600 seconds. The default is 600 seconds. expired Advertises that this Domain name search label's lifetime has expired and should not be used infinite Advertises that this Domain name search label's lifetime is infinite Example rfs6000-81742D(config-ipv6-radv-policy-test)#domain-name TechPubs lifetime infinite rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test advertise mtu advertise hop-limit check-ra-consistency dns-server 2002::2 lifetime 3000 domain-name TechPubs lifetime infinite rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands no Removes the Domain name settings advertised in RAs. Once removed these values are not advertised in RAs. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 310 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.6 managed-config-flag ipv6-router-advertisement-policy-mode commands Sets the managed address configuration flag in RAs. When set, it indicates that IPv6 addresses are available through DHCPv6. This feature is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax managed-config-flag Parameters None Example rfs6000-81742D(config-ipv6-radv-policy-test)#managed-config-flag rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test managed-config-flag advertise mtu advertise hop-limit check-ra-consistency dns-server 2002::2 lifetime 3000 domain-name TechPubs lifetime infinite rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands no Removes the managed address configuration flag advertised in RAs Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 311 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.7 nd-reachable-time ipv6-router-advertisement-policy-mode commands Enables advertisement of neighbor discovery reachable time in RAs. This feature is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax nd-reachable-time [<5000-3600000>|global]

Parameters nd-reachable-time [<5000-3600000>|global]

nd-reachable-time

[<5000-3600000>|

global]

Configures the interval, in milliseconds, that a node assumes a neighbor is reachable after receiving a reachability confirmation from the neighbor. Therefore, a neighbor is reachable, after being discovered, for a period specified here. This value is advertised in RAs. Use one of the following options:

<5000-3600000> Configures an interface-specific value. Specify a value from 5000 - 3600000 milliseconds. The default is 5000 milliseconds. global Advertises the neighbor reachable time configured for the system. This is the value configured at the device configuration mode. For more information, see use. Example rfs6000-81742D(config-ipv6-radv-policy-test)#nd-reachable-time 6000 rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test managed-config-flag nd-reachable-time 6000 advertise mtu advertise hop-limit check-ra-consistency dns-server 2002::2 lifetime 3000 domain-name TechPubs lifetime infinite rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands no Disables advertisement of neighbor reachable time in RAs Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 312 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.8 no ipv6-router-advertisement-policy-mode commands Removes or reverts router advertisement policy settings. Use the no command to remove or revert the interface-specific parameters that are advertised by link router. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [advertise [hop-limit|mtu]|assist-neighbor-discovery|check-ra-consistency|

dns-server <IPv6>|domain-name <WORD>|managed-config-flag|nd-reachable-time|

ns-interval|other-config-flag|ra [interval|suppress]|router-lifetime|

unicast-solicited-advertisement]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or reverts this IPv6 router advertisement policys settings based on the parameters passed Example rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test managed-config-flag nd-reachable-time global advertise mtu advertise hop-limit check-ra-consistency dns-server 2002::2 lifetime 3000 domain-name TechPubs lifetime infinite rfs6000-81742D(config-ipv6-radv-policy-test)#

rfs6000-81742D(config-ipv6-radv-policy-test)#no managed-config-flag rfs6000-81742D(config-ipv6-radv-policy-test)#no nd-reachable-time rfs6000-81742D(config-ipv6-radv-policy-test)#no check-ra-consistency rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test advertise mtu advertise hop-limit dns-server 2002::2 lifetime 3000 domain-name TechPubs lifetime infinite rfs6000-81742D(config-ipv6-radv-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 313 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.9 ns-interval ipv6-router-advertisement-policy-mode commands Configures the neighbor solicitation (NS) retransmit timer value advertised in RAs. This is the interval between two successive NS messages. When specified, it enables the sending of the specified value in RAs. This feature is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ns-interval [<1000-3600000>|global]

Parameters ns-interval [<1000-3600000>|global]

ns-interval

[<1000-3600000>|

global]

Configures the NS interval advertised in RAs. Use one of the following options:

<1000-3600000> Specify a value from 1000 - 3600000 milliseconds. The default is 1000 milliseconds. global Advertises the NS interval configured for the system. This is configured on the device in the device configuration mode. For more information, see ipv6. Example rfs6000-81742D(config-ipv6-radv-policy-test)#ns-interval 3000 rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test managed-config-flag nd-reachable-time global ns-interval 3000 advertise mtu advertise hop-limit check-ra-consistency dns-server 2002::2 lifetime 3000 domain-name TechPubs lifetime infinite rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands no Disables advertisement of NS interval in RAs Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 314 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.10 other-config-flag ipv6-router-advertisement-policy-mode commands Sets the other-configuration flag in RAs. When set, it indicates that other configuration details, such as DNS-related information, are available through DHCPv6. This feature is enabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax other-config-flag Parameters None Example rfs6000-81742D(config-ipv6-radv-policy-test)#other-config-flag Related Commands no Removes the other-config-flag advertised on RAs Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 315 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.11 ra ipv6-router-advertisement-policy-mode commands Configures RA related parameters, such as the interval between two unsolicited successive RAs. It also allows suppression of RAs. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ra [interval <3-1800>|suppress]

Parameters ra [interval <3-1800>|suppress]

interval <3-1800>

suppress Configures the interval, in seconds, between two unsolicited successive RAs

<3-1800> Specify a value from 3 - 1800 seconds. The default is 300 seconds. The router-lifetime should be at least three times the specified router interval. Enables the suppression of RAs. When enabled, the transmission of RAs in IPv6 packets is suppressed. This option is disabled by default. The no > ra > suppress command enables the sending of RAs. Example rfs6000-81742D(config-ipv6-radv-policy-test)#ra interval 200 rfs6000-81742D(config-ipv6-radv-policy-test)#ra suppress rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test ra suppress ra interval 200 managed-config-flag nd-reachable-time global advertise mtu advertise hop-limit check-ra-consistency dns-server 2002::2 lifetime 3000 domain-name TechPubs lifetime infinite rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands no Removes the RA interval, and enables the sending of RAs Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 316 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.12 router-lifetime ipv6-router-advertisement-policy-mode commands Configures the default routers lifetime, in seconds, advertised in RAs Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax router-lifetime <0-9000>

Parameters router-lifetime <0-9000>

router-lifetime

<0-9000>

Configures the default routers lifetime

<0-9000> Specify a value from 0 - 9000 seconds. The default value is 1500 seconds. A value of 0 indicates that this router is not the default router. Example rfs6000-81742D(config-ipv6-radv-policy-test)#router-lifetime 2000 rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test ra suppress ra interval 200 managed-config-flag nd-reachable-time global router-lifetime 2000 advertise mtu advertise hop-limit check-ra-consistency dns-server 2002::2 lifetime 3000 domain-name TechPubs lifetime infinite rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands no Removes the default routers lifetime Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 317 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.13 router-preference ipv6-router-advertisement-policy-mode commands Configures the router preference field value advertised in RAs. The options are high, medium, and low. This value is used to prioritize and select the default router when multiple routers are discovered. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax router-preference [high|medium|low]

Parameters router-preference [high|medium|low]

router-preference

[high|medium|low]

Sets this routers preference over other routers, in the link, to be the default router. The options are high, low, and medium. The default value is medium. The following points should be taken into consideration when configuring router preference:

For a router to be selected as a default router, the routers lifetime should not be equal to 0. To enable default router selection, using router information contained in RAs, configure default router selection on that interface. Example rfs6000-81742D(config-ipv6-radv-policy-test)#router-preference high rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test ra suppress ra interval 200 managed-config-flag nd-reachable-time global router-lifetime 2000 advertise mtu advertise hop-limit router-preference high check-ra-consistency dns-server 2002::2 lifetime 3000 domain-name TechPubs lifetime infinite rfs6000-81742D(config-ipv6-radv-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 318 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.14 unicast-solicited-advertisement ipv6-router-advertisement-policy-mode commands Enables unicasting of solicited RAs. This feature is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax unicast-solicited-advertisement Parameters None Example rfs6000-81742D(config-ipv6-radv-policy-test)#unicast-solicited-advertisement rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test ra suppress ra interval 200 unicast-solicited-advertisement managed-config-flag nd-reachable-time global router-lifetime 2000 advertise mtu advertise hop-limit router-preference high check-ra-consistency dns-server 2002::2 lifetime 3000 domain-name TechPubs lifetime infinite rfs6000-81742D(config-ipv6-radv-policy-test)#

Related Commands no Disables unicasting of solicited RAs Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 319 GLOBAL CONFIGURATION COMMANDS 4.1.61 l2tpv3 Global Configuration Commands Configures a Layer 2 Tunnel Protocol Version 3 (L2TPv3) tunnel policy, used to create one or more L2TPv3 tunnels The L2TPv3 policy defines the control and encapsulation protocols needed for tunneling layer 2 frames between two IP nodes. This policy enables creation of L2TPv3 tunnels for transporting Ethernet frames between bridge VLANs and physical GE ports. L2TPv3 tunnels can be created between any vendor devices supporting L2TPv3 protocol. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax l2tpv3 policy <L2TPV3-POLICY-NAME>

Parameters l2tpv3 policy <L2TPV3-POLICY-NAME>

l2tpv3 policy

<L2TPV3-POLICY-

NAME>

Configures an L2TPv3 tunnel policy

<L2TPV3-POLICY-NAME> Specify a policy name. The policy is created if it does not exist. To modify an existing L2TPv3, specify its name. Example rfs6000-81742D(config)#l2tpv3 policy L2TPV3Policy1 rfs6000-81742D(config-l2tpv3-policy-L2TPV3Policy1)#?

L2tpv3 Policy Mode commands:

cookie-size Size of the cookie field present in each l2tpv3 data message failover-delay Time interval for re-establishing the tunnel after the failover (RF-Domain manager/VRRP-master/Cluster-master failover) force-l2-path-recovery Enables force learning of servers, gateways etc., behind the l2tpv3 tunnel when the tunnel is established hello-interval Configure the time interval (in seconds) between l2tpv3 Hello keep-alive messages exchanged in l2tpv3 control connection no Negate a command or set its defaults reconnect-attempts Maximum number of attempts to reestablish the tunnel. reconnect-interval Time interval between the successive attempts to reestablish the l2tpv3 tunnel retry-attempts Configure the maximum number of retransmissions for signaling message retry-interval Time interval (in seconds) before the initiating a retransmission of any l2tpv3 signaling message rx-window-size Number of signaling messages that can be received without sending the acknowledgement tx-window-size Number of signaling messages that can be sent without receiving the acknowledgement clrscr Clears the display screen commit Commit all changes made in this session Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 320 GLOBAL CONFIGURATION COMMANDS end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands no mint-policy Removes an existing L2TPv3 tunnel policy Configures the global MiNT policy NOTE: For more information on the L2TPv3 tunnel configuration mode and commands, see Chapter 22, L2TPV3-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 321 GLOBAL CONFIGURATION COMMANDS 4.1.62 mac Global Configuration Commands Configures a MAC ACLs Access lists define access permissions to the network using a set of rules. Each rule specifies an action taken when a packet matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mac access-list <MAC-ACL-NAME>

Parameters mac access-list <MAC-ACL-NAME>

access-list

<MAC-ACL-NAME>

Configures a MAC access control list

<MAC-ACL-NAME> Specify the MAC ACL name. If the access control list does not exist, it is created. Example rfs6000-81742D(config)#mac access-list test rfs6000-81742D(config-mac-acl-test)#?

MAC Extended ACL Configuration commands:

deny Specify packets to reject disable Disable rule if not needed no Negate a command or set its defaults permit Specify packets to forward clrscr Clears the display screen commit Commit all changes made in this session end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-mac-acl-test)#

Related Commands no Removes a MAC access control list NOTE: For more information on MAC access control lists, see Chapter 11, ACCESS-LIST. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 322 GLOBAL CONFIGURATION COMMANDS 4.1.63 management-policy Global Configuration Commands Configures a management policy. Management policies include services that run on a device, welcome messages, banners, etc. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax management-policy <MANAGEMENT-POLICY-NAME>

Parameters management-policy <MANAGEMENT-POLICY-NAME>

<MANAGEMENT-

POLICY-NAME>

Specify the management policy name. If the policy does not exist, it is created. Example

<DEVICE>(config)#management-policy test

<DEVICE>(config-management-policy-test)#?

Management Mode commands:

aaa-login Set authentication for logins allowed-locations Add allowed locations banner Define a login banner ftp Enable FTP server http Hyper Text Terminal Protocol (HTTP) https Secure HTTP idle-session-timeout Configure idle timeout for a configuration session

(GUI or CLI) ipv6 IPv6 Protocol no Negate a command or set its defaults passwd-retry Lockout user if too many consecutive login failures privilege-mode-password Set the password for entering CLI privilege mode rest-server Enable rest server for device on-boarding functionality restrict-access Restrict management access to the device snmp-server SNMP ssh Enable ssh t5 T5 configuration telnet Enable telnet user Add a user account clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal

<DEVICE>(config-management-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 323 GLOBAL CONFIGURATION COMMANDS Related Commands no Removes an existing management policy NOTE: For more information on Management policy configuration, see Chapter 15, MANAGEMENT-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 324 GLOBAL CONFIGURATION COMMANDS 4.1.64 meshpoint Global Configuration Commands Creates a new meshpoint and enters its configuration mode. Use this command to select and configure existing meshpoints. Supported in the following platforms:

Access Points AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax meshpoint [<MESHPOINT-NAME>|containing <WORD>]

Parameters meshpoint [<MESHPOINT-NAME>|containing <WORD>]

<MESHPOINT-NAME> Specify the meshpoint name. If the meshpoint does not exist, it is created. containing <WORD>

Selects existing meshpoints containing the sub-string <WORD> in their names Example rfs6000-81742D(config)#meshpoint TestMeshpoint rfs6000-81742D(config-meshpoint-TestMeshpoint)#?

Mesh Point Mode commands:

allowed-vlans Set the allowed VLANs beacon-format The beacon format of this meshpoint control-vlan VLAN for meshpoint control traffic data-rates Specify the 802.11 rates to be supported on this meshpoint description Configure a description of the usage of this meshpoint force Force suboptimal paths meshid Configure the Service Set Identifier for this meshpoint neighbor Configure neighbor specific parameters no Negate a command or set its defaults root Set this meshpoint as root security-mode The security mode of this meshpoint shutdown Shutdown this meshpoint use Set setting to use wpa2 Modify ccmp wpa2 related parameters clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-meshpoint-TestMeshpoint)#

Related Commands no Removes an existing meshpoint Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 325 GLOBAL CONFIGURATION COMMANDS NOTE: For more information on Meshpoint configuration, see Chapter 26, MESHPOINT. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 326 GLOBAL CONFIGURATION COMMANDS 4.1.65 meshpoint-qos-policy Global Configuration Commands Configures a set of parameters that defines the meshpoint quality of service (QoS) policy Supported in the following platforms:

Access Points AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>

Parameters meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>

<MESHPOINT-QOS-

POLICY-NAME>

Specify the meshpoint QoS policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#meshpoint-qos-policy TestMeshpointQoS rfs6000-81742D(config-meshpoint-qos-TestMeshpointQoS)#?

Mesh Point QoS Mode commands:

accelerated-multicast Configure accelerated multicast streams address and forwarding QoS classification no Negate a command or set its defaults rate-limit Configure traffic rate-limiting parameters on a per-meshpoint/per-neighbor basis clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-meshpoint-qos-TestMeshpointQoS)#

Related Commands no Removes an existing meshpoint QoS policy NOTE: For more information on Meshpoint QoS policy configuration, see Chapter 26, MESHPOINT. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 327 GLOBAL CONFIGURATION COMMANDS 4.1.66 mint-policy Global Configuration Commands Configures the global MiNT policy Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mint-policy global-default Parameters mint-policy global-default global-default Configures the global default MiNT policy Example rfs6000-81742D(config)#mint-policy global-default rfs6000-81742D(config-mint-policy-global-default)#?

Mint Policy Mode commands:

level Mint routing level lsp LSP mtu Configure the global Mint MTU no Negate a command or set its defaults router Mint router udp Configure mint UDP/IP encapsulation clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-mint-policy-global-default)#

Related Commands no Removes an existing MiNT policy NOTE: For more information on MiNT policy configuration, see Chapter 14, MINT-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 328 GLOBAL CONFIGURATION COMMANDS 4.1.67 nac-list Global Configuration Commands A Network Access Control (NAC) policy configures a list of devices that can access a network based on their MAC addresses. The following table lists NAC list configuration mode commands:

Table 4.39 NAC-List Config Command Command nac-list nac-list-mode commands Description Creates a NAC list and enters its configuration mode Summarizes NAC list configuration mode commands Reference page 4-330 page 4-331 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 329 GLOBAL CONFIGURATION COMMANDS 4.1.67.1 nac-list nac-list Configures a NAC list that manages access to the network Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax nac-list <NAC-LIST-NAME>

Parameters nac-list <NAC-LIST-NAME>

<NAC-LIST-NAME>

Specify the NAC list name. If the NAC list does not exist, it is created. Example rfs6000-81742D(config)#nac-list test rfs6000-81742D(config-nac-list-test)#?

NAC List Mode commands:

exclude Specify MAC addresses to be excluded from the NAC enforcement list include Specify MAC addresses to be included in the NAC enforcement list no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-nac-list-test)#

Related Commands no Removes a NAC list Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 330 GLOBAL CONFIGURATION COMMANDS 4.1.67.2 nac-list-mode commands nac-list The following table summarizes NAC list configuration mode commands:

Table 4.40 NAC-List-Mode Commands Command exclude include no Description Specifies the MAC addresses excluded from the NAC enforcement list Specifies the MAC addresses included in the NAC enforcement list Cancels an exclude or include NAC list rule Reference page 4-332 page 4-333 page 4-334 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 331 GLOBAL CONFIGURATION COMMANDS 4.1.67.2.1 exclude nac-list-mode commands Specifies the MAC addresses excluded from the NAC enforcement list Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax exclude <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]

Parameters exclude <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]

<START-MAC>

<END-MAC>

precedence

<1-1000>

Specifies a range of MAC addresses or a single MAC address to exclude from the NAC enforcement list

<START-MAC> Specify the first MAC address in the range. Use this parameter to specify a single MAC address. Specifies the last MAC address in the range (optional if a single MAC is added to the list)

<END-MAC> Specify the last MAC address in the range. Sets the rule precedence. Exclude entries are checked in the order of their rule precedence.

<1-1000> Specify a value from 1 - 1000. Example rfs6000-81742D(config-nac-list-test)#exclude 00-40-96-B0-BA-2A precedence 1 rfs6000-81742D(config-nac-list-test)#show context nac-list test exclude 00-40-96-B0-BA-2A 00-40-96-B0-BA-2A precedence 1 rfs6000-81742D(config-nac-list-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 332 GLOBAL CONFIGURATION COMMANDS 4.1.67.2.2 include nac-list-mode commands Specifies the MAC addresses included in the NAC enforcement list Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax include <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]

Parameters include <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]

<START-MAC>

<END-MAC>

precedence

<1-1000>

Specifies a range of MAC addresses or a single MAC address to include in the NAC enforcement list

<START-MAC> Specify the first MAC address in the range. Use this parameter to specify a single MAC address. Specifies the last MAC address in the range (optional if a single MAC is added to the list)

<END-MAC> Specify the last MAC address in the range. Sets the rule precedence. Include entries are checked in the order of their rule precedence.

<1-1000> Specify a value from 1 - 1000. Example rfs6000-81742D(config-nac-list-test)#include 00-15-70-38-06-49 precedence 2 rfs6000-81742D(config-nac-list-test)#show context nac-list test exclude 00-04-96-B0-BA-2A 00-04-96-B0-BA-2A precedence 1 include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2 rfs6000-81742D(config-nac-list-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 333 GLOBAL CONFIGURATION COMMANDS 4.1.67.2.3 no nac-list-mode commands Cancels an exclude or include NAC list rule Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [exclude|include]

no [exclude|include] <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-

1000>]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or reverts this NAC lists settings based on the parameters passed Example The following example shows the NAC list test settings before the no command is executed:

rfs6000-81742D(config-nac-list-test)#show context nac-list test exclude 00-04-96-B0-BA-2A 00-04-96-B0-BA-2A precedence 1 include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2 rfs6000-81742D(config-nac-list-test)#

rfs6000-81742D(config-nac-list-test)#no exclude 00-40-96-B0-BA-2A precedence 1 The following example shows the NAC list test settings after the no command is executed:

rfs6000-81742D(config-nac-list-test)#show context nac-list test include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2 rfs6000-81742D(config-nac-list-test)#

Related Commands exclude include Specifies MAC addresses excluded from the NAC enforcement list Specifies MAC addresses included in the NAC enforcement list Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 334 GLOBAL CONFIGURATION COMMANDS 4.1.68 no Global Configuration Commands Negates a command, or reverts configured settings to their default Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [aaa-policy|aaa-tacacs-policy|alias|ap6521|ap6522|ap6532|ap6562|ap71xx|

ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|

ap8432|ap8533|nx5500|nx75xx|nx9000|nx9600|application|application-group|

application-policy|association-acl-policy|auto-provisioning-policy|bgp|bonjour-

gw-discovery-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-

policy|captive-portal|client-identity|client-identity-group|crypto-cmp-policy|

customize|database-policy|device|device-categorization|dhcp-server-policy|

dhcpv6-server-policy|dns-whitelist|event-system-policy|ex3500|

ex3500-management-policy|ex3500-qos-class-map-policy|ex3500-qos-policy-map|

ex3524|ex3548|firewall-policy|global-association-list|guest-management|

igmp-snoop-policy|inline-password-encryption|ip|ipv6|ipv6-router-advertisement-

policy|l2tpv3|mac|management-policy|meshpoint|meshpoint-qos-policy|nac-list|

nsight-policy|passpoint-policy|password-encryption|profile|radio-qos-policy|

radius-group|radius-server-policy|radius-user-pool-policy|rf-domain|rfs4000|

rfs6000|roaming-assist-policy|role-policy|route-map|routing-policy|

rtl-server-policy|schedule-policy|t5|sensor-policy|smart-rf-policy|url-filter|

url-list|vx9000|web-filter-policy|wips-policy|wlan|wlan-qos-policy|service]

no alias [address-range <ADDRESS-RANGE-ALIAS-NAME>|host <HOST-ALIAS-NAME>|network

<NETWORK-ALIAS-NAME>|network-group <NETWORK-GROUP-ALIAS-NAME> [address-

range|host|network]|network-service <NETWORK-SERVICE-ALIAS-NAME>|number <NUMBER-

ALIAS-NAME>|string <STRING-ALIAS-NAME>|vlan <VLAN-ALIAS-NAME>]

no [aaa-policy|aaa-tacacs-policy|application-policy|auto-provisioning-policy|

auto-provisioning-policy|bonjour-gw-discovery-policy|bonjour-gw-forwarding-

policy|bonjour-gw-query-forwarding-policy|database-policy|captive-portal|

crypto-cmp-policy|device-categorization|dhcp-server-policy|dhcpv6-server-policy|

dns-whitelist|event-system-policy|ex3500|ex3500-management-policy|ex3500-qos-

class-map-policy|ex3500-qos-policy|firewall-policy|global-association-list|

guest-management|igmp-snoop-policy|inline-password-encryption|ip|ipv6|

ipv6-router-advertisement-policy|l2tpv3|mac|management-policy|meshpoint|

meshpoint-qos-policy|nac-list|nsight-policy|passpoint-policy|radio-qos-policy|

radius-group|radius-server-policy|radius-user-pool-policy|roaming-assist-policy|

role-policy|routing-policy|rtl-server-policy|schedule-policy|sensor-policy|

smart-rf-policy|web-filter-policy|wips-policy|wlan-qos-policy] <POLICY-NAME>

no application <APPLICATION-NAME>

no application-group <APPLICATION-GROUP-NAME>

no [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|

ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|

rfs6000|t5|nx5500|nx75xx|nx9000|nx9600|vx9000] <MAC>

no client-identity <CLIENT-IDENTITY-NAME>

no client-identity-group <CLIENT-IDENTITY-GROUP-NAME>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 335 GLOBAL CONFIGURATION COMMANDS no device {containing <WORD>} {(filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|

ap7502|ap7522|ap7532|ap7562|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|

rfs6000|t5|nx5500|nx75xx|nx9000|nx9600|vx9000])}

no customize [hostname-column-width|show-wireless-client|show-wireless-client-

stats|show-wireless-client-stats-rf|show-wireless-meshpoint|show-wireless-

meshpoint-neighbor-stats|show-wireless-meshpoint-neighbor-stats-rf|show-

wireless-radio|show-wireless-radio-stats|show-wireless-radio-stats-rf]

no password-encryption secret 2 <OLD-PASSPHRASE>

no profile {ap6521|ap6522|ap6532|ap71xx|ap7502|ap7522|ap7532|ap7562|ap81xx|

ap82xx|ap8432|ap8533|ex3524|ex3548|containing|filter|rfs4000|rfs6000|nx5500|

nx75xx|nx9000|nx9600|t5|vx9000} <PROFILE-NAME>

no wlan [<WLAN-NAME>|all|containing <WLAN-NAME-SUBSTRING>]

no service set [command-history|reboot-history|upgrade-history] {on <DEVICE-NAME>}

The following no commands are specific to the RFS4000, RFS6000, and NX95XX platforms:

no t5 <T5-DEVICE-MAC>

The following no commands are specific to the RFS4000, RFS6000, and NX95XX platforms:

no bgp [as-path-list|community-list|extcommunity-list|ip-access-list|ip-prefix-

list] <LIST-NAME>

The following no commands are specific to the NX95XX series service platforms:

no route-map <ROUTE-MAP-NAME>

The following no commands are specific to the AP6522, AP6532, AP7161, AP7502, AP7522, AP7532, AP8132, RFS4000, RFS6000 platforms:

no url-filter <URL-FILTER-NAME>

no url-list <URL-LIST-NAME>

no web-filter-name <WEB-FILTER-NAME>

The following no command is specific to the VX9000 virtual machine platform:

no database-client-policy <POLICY-NAME>

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or resets settings, configurable in the global configuration mode, based on the parameters passed Example

<DEVICE>(config)#no ?

aaa-policy Delete a aaa policy aaa-tacacs-policy Delete a aaa tacacs policy alias Alias ap650 Delete an AP650 access point ap6511 Delete an AP6511 access point ap6521 Delete an AP6521 access point ap6522 Delete an AP6522 access point ap6532 Delete an AP6532 access point ap6562 Delete an AP6562 access point ap71xx Delete an AP7161 access point ap7502 Delete an AP7502 access point ap7522 Delete an AP7522 access point ap7532 Delete an AP7532 access point ap7562 Delete an AP7562 access point ap7602 Delete an AP7602 access point ap7612 Delete an AP7612 access point ap7622 Delete an AP7622 access point ap7632 Delete an AP7632 access point ap7662 Delete an AP7662 access point ap81xx Delete an AP81XX access point Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 336 GLOBAL CONFIGURATION COMMANDS ap82xx Delete an AP82XX access point ap8432 Delete an AP8432 access point ap8533 Delete an AP8533 access point application Delete an application application-group Delete an application-group application-policy Delete an application policy association-acl-policy Delete an association-acl policy auto-provisioning-policy Delete an auto-provisioning policy bgp BGP Configuration bonjour-gw-discovery-policy Disable Bonjour Gateway discovery policy bonjour-gw-forwarding-policy Disable Bonjour Gateway Forwarding policy bonjour-gw-query-forwarding-policy Disable Bonjour Gateway Query Forwarding policy captive-portal Delete a captive portal client-identity Client identity (DHCP Device Fingerprinting) client-identity-group Client identity group (DHCP Fingerprint Database) crypto-cmp-policy CMP policy customize Restore the custom cli commands to default database-client-policy Configure database policy database-policy Configure database policy device Delete multiple devices device-categorization Delete device categorization object dhcp-server-policy DHCP server policy dhcpv6-server-policy DHCPv6 server related configuration dns-whitelist Delete a whitelist object event-system-policy Delete a event system policy ex3500 EX3500 device ex3500-management-policy Delete a ex3500 management policy ex3500-qos-class-map-policy Delete a ex3500 qos class-map policy ex3500-qos-policy-map Delete a ex3500 qos policy-map ex3524 Delete an EX3524 wireless controller ex3548 Delete an EX3548 wireless controller firewall-policy Configure firewall policy global-association-list Delete a global association list guest-management Delete a guest management policy igmp-snoop-policy Remove device onboard igmp snoop policy inline-password-encryption Disable storing encryption key in the startup configuration file ip Internet Protocol (IP) ipv6 Internet Protocol version 6 (IPv6) ipv6-router-advertisement-policy IPv6 Router Advertisement related configuration l2tpv3 Negate a command or set its defaults mac MAC configuration management-policy Delete a management policy meshpoint Delete a meshpoint object meshpoint-qos-policy Delete a mesh point QoS configuration policy nac-list Delete an network access control list nsight-policy Delete a nsight policy nx5500 Delete an NX5500 wireless controller nx75xx Delete an NX75XX wireless controller nx9000 Delete an NX9000 wireless controller passpoint-policy Delete a passpoint configuration policy password-encryption Disable password encryption in configuration profile Delete a profile and all its associated configuration radio-qos-policy Delete a radio QoS configuration policy radius-group Local radius server group configuration radius-server-policy Remove device onboard radius policy radius-user-pool-policy Configure Radius User Pool rf-domain Delete one or more RF-domains and all their associated configurations Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 337 GLOBAL CONFIGURATION COMMANDS rfs4000 Delete an RFS4000 wireless controller rfs6000 Delete an RFS6000 wireless controller roaming-assist-policy Delete a roaming-assist policy role-policy Role based firewall policy route-map Dynamic routing route map Configuration routing-policy Policy Based Routing Configuration rtl-server-policy Delete a rtl server policy schedule-policy Delete a schedule policy sensor-policy Delete a sensor policy smart-rf-policy Delete a smart-rf-policy t5 Delete an T5 wireless controller url-filter Delete a url filter url-list Delete a URL list vx9000 Delete an VX9000 wireless controller web-filter-policy Delete a web filter policy wips-policy Delete a wips policy wlan Delete a wlan object wlan-qos-policy Delete a wireless lan QoS configuration policy service Service Commands

<DEVICE>(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 338 GLOBAL CONFIGURATION COMMANDS 4.1.69 nsight-policy Global Configuration Commands The following table lists NSight policy configuration mode commands:

Table 4.41 NSight-Policy Config Command Command nsight-policy nsight-policy commands Description Creates an NSight policy and enters its configuration mode Summarizes NSight policy configuration mode commands Reference page 4-340 page 4-342 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 339 GLOBAL CONFIGURATION COMMANDS 4.1.69.1 nsight-policy nsight-policy Creates an NSight policy and enters its configuration mode The NSight policy is an advance management, analytics, reporting, and troubleshooting tool, which when created and applied at the RF Domain level allows the RF Domain manager to send statistics (polled from devices within the RF Domain) to the NOC. The NOC, when enabled as the NSight server, stores this data in a locally or externally hosted database. This large, complex data is collated and presented on an NSight Dashboard that can be launched from the NSight-enabled NOC. For large networks, enabling NSight removes the inadequacies of the existing data collection, presentation, and analytics framework. It simplifies network monitoring, troubleshooting, and reporting. NOTE: NSight is a licensed feature, and can be enabled only on the application of an NSight license in the NSight servers self mode. The NSight features include:

Network statistic and event visualization - Simplified and unified network views based on defined user roles Custom dashboards - Live network health information in real-time to optimally assist network administrators Live troubleshooting tools - Packet capture, wireless debug logs, TCP/IP ping and traceroute Interactive floor maps with timeline views - Visualize and identify potential issues and problems areas Real-time trend analysis - Simplify network growth planning Exceptionally responsive interface - Any information the admin needs is three, or less, clicks away The WiNG NSight implementation consists of the following components:

An NSight server A database. This database consists of AP statistics gathered by RF Domain managers. An NSight UI portal An NSight client hosted on the RF Domain manager, which periodically gathers statistics from APs and forwards to the NSight server. Event history Event details for all APs adopted by the NOC. These are events received by the Cfgd every 30 seconds and sent to the MART server. Each event consists of the RF Domain name, wireless client MAC if applicable, AP MAC, event mnemonic, event timestamp, and the event string itself. Supported in the following platforms:

Service Platforms NX7500, NX9500, NX9510, NX9600, VX9000 Syntax nsight-policy <NSIGHT-POLICY-NAME>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 340 GLOBAL CONFIGURATION COMMANDS Parameters nsight-policy <NSIGHT-POLICY-NAME>

<NSIGHT-POLICY-

NAME>

Specify the NSight policy name. If the policy does not exist, it is created. Example nx9500-6C8809(config)#nsight-policy test nx9500-6C8809(config-nsight-policy-test)#?

Nsight Policy Mode commands:

enable Enable this Nsight policy event-history-size Size of the event history collection history-ttl Time to live for historical data no Negate a command or set its defaults nsight-server Enable Nsight server functionality server Configure Nsight server clrscr Clears the display screen commit Commit all changes made in this session end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-nsight-policy-test)#

Related Commands no Removes an existing NSight policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 341 GLOBAL CONFIGURATION COMMANDS 4.1.69.2 nsight-policy commands nsight-policy The following table summarizes NSight policy configuration mode commands:

Table 4.42 NSight-Policy-Config Mode Commands Command enable event-history-

size history-ttl nsight-server server no Description Enables this NSight policy Converts and sizes the NSight event history collection to a capped collection Configures the time-to-live (TTL), in days, for historical data related to clients and devices Enables NSight server functionality and configures the SMTP report delivery settings Configures the NSight server host. This configuration is used by the NSight client to identify the NSight server host. Removes this NSight policy settings Reference page 4-343 page 4-344 page 4-345 page 4-346 page 4-348 page 4-349 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 342 GLOBAL CONFIGURATION COMMANDS 4.1.69.2.1 enable nsight-policy commands Enables this NSight policy. The default setting is enabled. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax enable Parameters None Example nx9510-6C8A5C(config-nsight-policy-test2)#enable Related Commands no Disables this NSight policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 343 GLOBAL CONFIGURATION COMMANDS 4.1.69.2.2 event-history-size nsight-policy commands Converts and sizes the NSight event history collection to a capped collection. The conversion occurs when upgrading. Use this command to define the NSight event history collections size and prevent its unbounded growth. Note, resizing the collection results in the collection contents being dropped. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax event-history-size [high|low|medium]

Parameters event-history-size [high|low|medium]

event-history-size

[high|low|medium]

Defines the size of the NSight event history collection. The options are:

high Sets the size at approximately 10 M events low Sets the size at approximately 500 K events. This is the default setting. medium Sets the size at approximately 5 M events Example nx9500-6C8809(config-nsight-policy-test)#event-history-size medium nx9500-6C8809(config-nsight-policy-test)#show context nsight-policy test event-history-size medium nx9500-6C8809(config-nsight-policy-test)#

Related Commands no Reverts the NSight event history collection size to default (5 M) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 344 GLOBAL CONFIGURATION COMMANDS 4.1.69.2.3 history-ttl nsight-policy commands Configures the time-to-live (TTL), in days, for historical data related to clients, devices, and guest users. This is the duration for which clients, devices, or guest user related data is retained in the NSight database. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax history-ttl [clients|devices|guest-clients]

history-ttl [clients|devices] <1-3650>

history-ttl guest-clients <8-48>

Parameters history-ttl [clients|devices] <1-3650>

history-ttl

[client|devices]

<1-3650>

Configures the TTL for historical data related to clients and devices clients Configures the TTL for wireless clients related historical data devices Configures the TTL for devices (adopted access points or site controllers) related historical data The following is common to both the clients and devices keywords:

<1-3650> Specify a value from 1 - 3650 days. The default for both (clients and de-

vices) is 180 days. history-ttl guest-clients <8-48>

history-ttl guest-clients

<8-48>

Configures the TTL for historical data related to clients and devices guest-clients Configures the TTL for guest-client related historical data

<8-48> Specify a value from 8 - 48 hours. The default is 8 hours. Example nx9500-6C8809(config-nsight-policy-test)#history-ttl clients 250 nx9500-6C8809(config-nsight-policy-test)#show context nsight-policy test history-ttl clients 250 nx9500-6C8809(config-nsight-policy-test)#

Related Commands no Reverts the NSight clients or devices TTL duration to default (180 days) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 345 GLOBAL CONFIGURATION COMMANDS 4.1.69.2.4 nsight-server nsight-policy commands Enables NSight server functionality and configures the SMTP report delivery settings. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax nsight-server {smtp-report-delivery|standalone}

nsight-server {smtp-report-delivery host <WORD> sender <EMAIL-ADD> [port <1-

65535>|security [none|ssl|starttls]|username <USER-NAME> password [0|2|<WORD>]]}

nsight-server {standalone}

Parameters nsight-server {smtp-report-delivery host <WORD> sender <EMAIL-ADD> [port <1-

65535>|security [none|ssl|starttls]|username <USER-NAME> password [0|2|<WORD>]]}

nsight-server smtp-report-delivery host <WORD>

Enables NSight server functionality on the host using this NSight policy Optional. Configures SMTP report delivery settings host <WORD> Configures the SMTP server host

<WORD> Specify the SMTP server hosts IP address or hostname. sender

<EMAIL-ADD>

port <1-65535>

security

[none|ssl|starttls]

username

<USER-NAME>

password

[0|2|<WORD>]

Optional. Configures the SMTP senders e-mail address

<EMAIL-ADD> Specify the senders e-mail address. Optional. Configures the SMTP server port

<1-65535> Specify the port from 1 - 65535. Optional. Configures the encryption protocol used by the SMTP server. The options are:

none Uses no encryption ssl Uses SSL encryption starttls Uses STARTTLS encryption Optional. Configures the SMTP username

<USER-NAME> Specify the user name password [0|2|<WORD>] Configures the password associated with the above con-

figured user 0 Configures a clear text password 2 Configures an encrypted password

<WORD> Enter the password. nsight-server {standalone}

nsight-server standalone Enables NSight server functionality on the host using this NSight policy Optional. Configures NSight server as standalone. Use this option in the split NSight deployment scenario where the NSight server and database are hosted on separate hosts. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 346 GLOBAL CONFIGURATION COMMANDS Example nx9510-6C8A5C(config-nsight-policy-test2)#nsight-server nx9510-6C8A5C(config-nsight-policy-test2)#show context nsight-policy test2 nsight-server nx9510-6C8A5C(config-nsight-policy-test2)#

Related Commands no Disables NSight server functionality on this NSight policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 347 GLOBAL CONFIGURATION COMMANDS 4.1.69.2.5 server nsight-policy commands Configures the NSight server host. This configuration is used by the NSight client to identify the NSight server host. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax server host [<IP>|<HOSTNAME>|<X:X::X:X>] {http|https}

Parameters server host [<IP>|<HOSTNAME>|<X:X::X:X>] {http|https}

server host [<IP>|

<HOSTNAME>|

<X:X::X:X>]

{http|https}

Configures the NSight server hosts address. Use one of the following options to identify the NSight server host:

<IP> Configures the NSight servers IPv4 address

<HOSTNAME> Configures the NSight servers hostname

<X:X::X:X> Configures the NSight servers IPv6 address Optional. Configures the protocol used to communicate with the NSight server http Optional. Uses HTTP to communicate https Optional. Uses HTTPS to communicate (this is the default setting) Example nx9510-6C8A5C(config-nsight-policy-test2)#server host 172.22.0.153 http nx9510-6C8A5C(config-nsight-policy-test2)#show context nsight-policy test2 server host 172.22.0.153 http nsight-server nx9510-6C8A5C(config-nsight-policy-test2)#

Related Commands no Removes NSight server host settings from this NSight policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 348 GLOBAL CONFIGURATION COMMANDS 4.1.69.2.6 no nsight-policy commands Removes NSight policy settings Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax no [enable|event-history-size|history-ttl [clients|devices|guest-clients]|

nsight-server {smtp-report-delivery}|server host [<IP>|<HOSTNAME>|<X:X::X:X>]]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes NSight policy settings based on the parameters passed Example The following example shows the NSight policy test2 settings before the no command is executed:

nx9510-6C8A5C(config-nsight-policy-test2)#show context nsight-policy test2 server host 172.22.0.153 http nsight-server nx9510-6C8A5C(config-nsight-policy-test2)#

nx9510-6C8A5C(config-nsight-policy-test2)#no server host 172.22.0.153 The following example shows the NSight policy test2 settings after the no command is executed:

nx9500-6C8809(config-nsight-policy-test2)#show context nsight-policy test2 nsight-server nx9510-6C8A5C(config-nsight-policy-test2)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 349 GLOBAL CONFIGURATION COMMANDS 4.1.70 passpoint-policy Global Configuration Commands Creates a new passpoint policy and enters its configuration mode The passpoint policy implements the Hotspot 2.0 Wi-Fi Alliance standard, enabling interoperability between clients, infrastructure, and operators. It makes a portion of the IEEE 802.11u standard mandatory and adds Hotspot 2.0 extensions that allow clients to query a network before actually attempting to join it. The passpoint policy allows a single or set of Hotspot 2.0 configurations to be global and referenced by the devices that use it. It is mapped to a WLAN. However, only primary WLANs on a BSSID will have their passpoint policy configuration used. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax passpoint-policy <POLICY-NAME>

Parameters passpoint-policy <POLICY-NAME>

passpoint-policy

<POLICY-NAME>

Specify the passpoint policy name. If a passpoint policy does not exist, it is created. Example rfs4000-229D58(config)#passpoint-policy test rfs4000-229D58(config-passpoint-policy-test)#?

Passpoint Policy Mode commands:

3gpp Configure a 3gpp plmn (public land mobile network) id access-network-type Set the access network type for the passpoint connection-capability Configure the connection capability for the passpoint domain-name Add a domain-name for the passpoint hessid Set a homogeneous ESSID value for the passpoint internet Advertise the passopint having internet access ip-address-type Configure the advertised ip-address-type nai-realm Configure a NAI realm for the passpoint net-auth-type Add a network authentication type to the passpoint no Negate a command or set its defaults operator Add configuration related to the operator of the passpoint osu Online signup roam-consortium Add a roam consortium for the passpoint venue Set the venue parameters of the passpoint wan-metrics Set the wan-metrics of the passpoint clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 350 GLOBAL CONFIGURATION COMMANDS write Write running configuration to memory or terminal rfs4000-229D58(config-passpoint-policy-test)#

Related Commands no Removes an existing passpoint policy NOTE: For more information on passpoint policy, see Chapter 27, PASSPOINT POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 351 GLOBAL CONFIGURATION COMMANDS 4.1.71 password-encryption Global Configuration Commands Enables password encryption and configures the passphrase used to encrypt passwords. When enabled, passwords configured within the system are not displayed as clear text. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax password-encryption secret 2 <LINE>

Parameters password-encryption secret 2 <LINE>

secret 2 <LINE>

Encrypts passwords with a secret phrase 2 Specifies the encryption type as either SHA256 or AES256

<LINE> Specify the encryption passphrase. Example nx9500-6C8809(config)#password-encryption secret 2 test@123 To confirm if password encryption is enabled, execute the following command:

nx9500-6C8809(config)#show password-encryption status Password encryption is enabled nx9500-6C8809(config)#

The following example shows the privilege-mode-password as encrypted text. Note, the digit 1 preceding the password implies that displayed text is the encrypted password and not clear text. nx9500-6C8809(config-management-policy-test)#show context include-factory |

include privilege-mode-password privilege-mode-password 1 bc28e4d82bb11fa75a3c56346441d48f50f19c47184e2575a59a6a5d18e63925 nx9500-6C8809(config-management-policy-test)#

Related Commands no Disables password encryption Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 352 GLOBAL CONFIGURATION COMMANDS 4.1.72 profile Global Configuration Commands Configures profile related commands. If no parameters are given, all profiles are selected. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax profile {anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|

ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|containing|filter

|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000}

profile {anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|

ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|

nx5500|nx75xx|nx9000|nx9600|vx9000} <DEVICE-PROFILE-NAME>

profile {containing <DEVICE-PROFILE-NAME>} {filter type [ap6521|ap6522|ap6532|

ap6562|ap71xx|ap7502|ap7522|ap7532|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|

ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx75xx|nx9000|vx9000]}

profile {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|

ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|

rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000]}

Parameters profile {anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|

ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|

nx5500|nx75xx|nx9000|nx9600|vx9000} <DEVICE-PROFILE-NAME>

profile

<DEVICE-TYPE>

<DEVICE-PROFILE-

NAME>

Configures device profile commands. If no device profile is specified, the system configures all device profiles.

<DEVICE-TYPE> Optional. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. After specifying the device type, specify the profile name.

<DEVICE-PROFILE-NAME> Specify the profile name. Select anyap to configure a profile applicable to any access point. The NX9600 profile option is only available on an NX9600 device. profile {containing <DEVICE-PROFILE-NAME>} {filter type [ap6521|ap6522|ap6532|

ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|

ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000]}

profile containing

<DEVICE-PROFILE-

NAME>

Configures device profile commands Optional. Configures profiles that contain a specified sub-string in the hostname

<DEVICE-PROFILE-NAME> Specify a substring in the profile name to filter profiles. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 353 GLOBAL CONFIGURATION COMMANDS filter type Optional. An additional filter used to configure a specific type of device profile. If no device type is specified, the system configures all device profiles. type Filters profiles by the device type. Select a device type from the following options: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. The NX9600 profile option is only available on an NX9600 device. profile {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|

ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|

rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000]}

profile filter type Configures device profile commands Optional. An additional filter used to configure a specific type of device profile. If no device type is specified, the system configures all device profiles. type Filters profiles by the device type. Select a device type from the following options: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. The NX9600 profile option is only available on an NX9600 device. Example

<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>

<DEVICE>(config-profile-<PROFILE-NAME>)#?

Profile Mode commands:

adopter-auto-provisioning-policy-lookup Use centralized auto-provisioning policy when adopted by another controller adoption Adoption configuration alias Alias application-policy Application Policy configuration area Set name of area where the system is located arp Address Resolution Protocol (ARP) auto-learn Auto learning autogen-uniqueid Autogenerate a unique id autoinstall Autoinstall settings bluetooth-detection Detect Bluetooth devices using the Bluetooth USB module - there will be interference on 2.4 Ghz radio in wlan mode bridge Ethernet bridge captive-portal Captive portal cdp Cisco Discovery Protocol cluster Cluster configuration configuration-persistence Enable persistence of configuration across reloads (startup config file) controller WLAN controller configuration critical-resource Critical Resource crypto Encryption related commands database Database command device-onboard Device-onboarding configuration device-upgrade Device firmware upgrade diag Diagnosis of packets dot1x 802.1X dpi Enable Deep-Packet-Inspection

(Application Assurance) dscp-mapping Configure IP DSCP to 802.1p priority mapping for untagged Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 354 GLOBAL CONFIGURATION COMMANDS frames eguest-server Enable EGuest Server functionality email-notification Email notification configuration enforce-version Check the firmware versions of devices before interoperating environmental-sensor Environmental Sensors Configuration events System event messages export Export a file file-sync File sync between controller and adoptees floor Set the floor within a area where the system is located gre GRE protocol http-analyze Specify HTTP-Analysis configuration interface Select an interface to configure ip Internet Protocol (IP) ipv6 Internet Protocol version 6 (IPv6) l2tpv3 L2tpv3 protocol l3e-lite-table L3e lite Table led Turn LEDs on/off on the device led-timeout Configure the time for the led to turn off after the last radio state change legacy-auto-downgrade Enable device firmware to auto downgrade when other legacy devices are detected legacy-auto-update Auto upgrade of legacy devices lldp Link Layer Discovery Protocol load-balancing Configure load balancing parameter logging Modify message logging facilities mac-address-table MAC Address Table mac-auth 802.1X management-server Configure management server address memory-profile Memory profile to be used on the device meshpoint-device Configure meshpoint device parameters meshpoint-monitor-interval Configure meshpoint monitoring interval min-misconfiguration-recovery-time Check controller connectivity after configuration is received mint MiNT protocol misconfiguration-recovery-time Check controller connectivity after configuration is received neighbor-inactivity-timeout Configure neighbor inactivity timeout neighbor-info-interval Configure neighbor information exchange interval no Negate a command or set its defaults noc Configure the noc related setting nsight NSight ntp Ntp server WORD offline-duration Set duration for which a device remains unadopted before it generates offline event otls Omnitrail Location Server power-config Configure power mode preferred-controller-group Controller group this system will prefer for adoption preferred-tunnel-controller Tunnel Controller Name this system will prefer for tunneling extended vlan traffic radius Configure device-level radius authentication parameters raid RAID remove-override Remove configuration item override from the device (so profile value Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 355 GLOBAL CONFIGURATION COMMANDS takes effect) rf-domain-manager RF Domain Manager router Dynamic routing slot PCI expansion Slot spanning-tree Spanning tree traffic-class-mapping Configure IPv6 traffic class to 802.1p priority mapping for untagged frames traffic-shape Traffic shaping trustpoint Assign a trustpoint to a service tunnel-controller Tunnel Controller group this controller belongs to use Set setting to use vrrp VRRP configuration vrrp-state-check Publish interface via OSPF/BGP only if the interface VRRP state is not BACKUP wep-shared-key-auth Enable support for 802.11 WEP shared key authentication zone Configure Zone name clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal

<DEVICE>(config-profile-<PROFILE-NAME>)#

Related Commands no Removes a profile and its associated configurations NOTE: For more information on profiles and how to configure profiles, see Chapter 7, PROFILES. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 356 GLOBAL CONFIGURATION COMMANDS 4.1.73 radio-qos-policy Global Configuration Commands Configures a radio quality-of-service (QoS) policy Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax radio-qos-policy <RADIO-QOS-POLICY-NAME>

Parameters radio-qos-policy <RADIO-QOS-POLICY-NAME>

<RADIO-QOS-POLICY-

NAME>

Specify the radio QoS policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#radio-qos-policy test rfs6000-81742D(config-radio-qos-test)#?

Radio QoS Mode commands:

accelerated-multicast Configure multicast streams for acceleration admission-control Configure admission-control on this radio for one or more access categories no Negate a command or set its defaults smart-aggregation Configure smart aggregation parameters wmm Configure 802.11e/Wireless MultiMedia parameters clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-radio-qos-test)#

Related Commands no Removes an existing Radio QoS policy NOTE: For more information on radio qos policy, see Chapter 17, RADIO-

QOS-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 357 GLOBAL CONFIGURATION COMMANDS 4.1.74 radius-group Global Configuration Commands Configures RADIUS user group parameters Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax radius-group <RADIUS-GROUP-NAME>

Parameters radius-group <RADIUS-GROUP-NAME>

<RADIUS-GROUP-

NAME>

Specify a RADIUS user group name. The name should not exceed 64 characters. If the RADIUS user group does not exist, it is created. Example rfs6000-81742D(config)#radius-group testgroup rfs6000-81742D(config-radius-group-testgroup)#?

Radius user group configuration commands:

guest Make this group a Guest group no Negate a command or set its defaults policy Radius group access policy configuration rate-limit Set rate limit for group clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-radius-group-testgroup)#

Related Commands no Removes an existing RADIUS group NOTE: For more information on RADIUS user group commands, see Chapter 16, RADIUS-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 358 GLOBAL CONFIGURATION COMMANDS 4.1.75 radius-server-policy Global Configuration Commands Creates an onboard device RADIUS policy Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax radius-server-policy <RADIUS-SERVER-POLICY-NAME>

Parameters radius-server-policy <RADIUS-SERVER-POLICY-NAME>

<RADIUS-SERVER-

POLICY-NAME>

Specify the RADIUS server policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#radius-server-policy testpolicy rfs6000-81742D(config-radius-server-policy-testpolicy)#?

Radius Configuration commands:

authentication Radius authentication bypass Bypass Certificate Revocation List( CRL ) check chase-referral Enable chasing referrals from LDAP server crl-check Enable Certificate Revocation List( CRL ) check ldap-agent LDAP Agent configuration parameters ldap-group-verification Enable LDAP Group Verification setting ldap-server LDAP server parameters local RADIUS local realm nas RADIUS client no Negate a command or set its defaults proxy RADIUS proxy server session-resumption Enable session resumption/fast reauthentication by using cached attributes termination Enable Eap termination for proxy requests use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-radius-server-policy-testpolicy)#

Related Commands no Removes an existing RADIUS server policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 359 GLOBAL CONFIGURATION COMMANDS NOTE: For more information on RADIUS server policy commands, see Chapter 16, RADIUS-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 360 GLOBAL CONFIGURATION COMMANDS 4.1.76 radius-user-pool-policy Global Configuration Commands Configures a RADIUS user pool Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax radius-user-pool-policy <RADIUS-USER-POOL-POLICY-NAME>

Parameters radius-user-pool-policy <RADIUS-USER-POOL-POLICY-NAME>

<RADIUS-USER-

POOL-POLICY-NAME>

Specify the RADIUS user pool policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#radius-user-pool-policy testpool rfs6000-81742D(config-radius-user-pool-testpool)#?

Radius User Pool Mode commands:

duration Set a guest user's access duration no Negate a command or set its defaults user Radius user configuration clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-radius-user-pool-testpool)#

Related Commands no Removes an existing RADIUS user pool NOTE: For more information on RADIUS user group commands, see Chapter 16, RADIUS-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 361 GLOBAL CONFIGURATION COMMANDS 4.1.77 rename Global Configuration Commands Renames and existing TLO Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax rename tlo <TLO-NAME>

Parameters rename tlo <TLO-NAME> <NEW-TLO-NAME>

Renames an existing TLO object

<TLO-NAME> Specify the TLOs name. This is the TLO that is to be renamed. rename tlo

<TLO-NAME>

<NEW-TLO-NAME>

<NEW-TLO-NAME> Specify the new name for this TLO Example The following example shows the top level objects available for renaming:

Enter rename and press Tab to list top level objects available for renaming. nx9500-6C8809(config)#rename aaa_policy aaa_tacacs_policy address_range_alias aif_policy ap300 app_group app_policy application assoc_acl auto_provisioning_policy bgp_as_path_list bgp_community_list bgp_extcommunity_list bgp_ip_access_list bgp_ip_prefix_list bonjour_gw_discovery_policy bonjour_gw_forwarding_policy bonjour_gw_query_forwarding_policy bridging_policy captive_portal centro_policy client_identity client_identity_group content_cache_policy content_filter_policy crypto_cmp_policy database_client_policy database_policy device_categorization dhcp_server_policy dhcpv6_server_policy dns_whitelist dr_route_map encrypted_string_alias event_system_policy ex3500_ext_ip_acl ex3500_management_policy ex3500_qos_class_map_policy ex3500_qos_policy_map ex3500_std_ip_acl ex3500_time_range firewall_policy global_assoc_list guest_management hashed_string_alias host_alias ip_acl ip_snmp_acl ipv6_acl ipv6_radv_policy l2tpv3_policy mac_acl management_policy meshpoint meshpoint_qos mint_policy mint_security_policy nac_list

--More--

nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 362 GLOBAL CONFIGURATION COMMANDS The following examples first clones the existing IP access list BROADCAST-MULTICAST-CONTROL, and then renames the cloned IP access list:

nx9500-6C8809(config)#show context include-factory | include ip access-list ip access-list BROADCAST-MULTICAST-CONTROL nx9500-6C8809(config)#

nx9500-6C8809(config)#clone ip_acl BROADCAST-MULTICAST-CONTROL Test_IP_CLONED nx9500-6C8809(config)#commit nx9500-6C8809(config)#show context include-factory | include ip access-list ip access-list BROADCAST-MULTICAST-CONTROL ip access-list Test_IP_CLONED nx9500-6C8809(config)#

rfs4000-229D58(config)#rename ip_acl TestIP_CLONED TestIP_RENAMED rfs4000-229D58(config)#commit nx9500-6C8809(config)#rename ip_acl Test_IP_CLONED Test_IP_RENAMED nx9500-6C8809(config)#

nx9500-6C8809(config)#show context include-factory | include ip access-list ip access-list BROADCAST-MULTICAST-CONTROL ip access-list Test_IP_RENAMED nx9500-6C8809(config)#

Related Commands clone Creates a replica of an existing TLO or device Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 363 GLOBAL CONFIGURATION COMMANDS 4.1.78 replace Global Configuration Commands Selects an existing device by its MAC address or hostname and replaces it with a new device having a different MAC address. Internally, a new device is created with the new MAC address. The old devices configuration is copied to the new device, and then removed from the controllers configuration (i.e., the old devices configuration is no longer staged on the controller). Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax replace device [<MAC-ADDRESS>|<HOSTNAME>] <NEW-MAC-ADDRESS>

Parameters replace device [<MAC-ADDRESS>|<HOSTNAME>] <NEW-MAC-ADDRESS>

replace device

[<MAC-ADDRESS>|

<HOSTNAME>]

Replaces an existing device with a new device, such that the old devices configuration is copied on to the new device Identifies the device to replace by its MAC address or hostname

<MAC-ADDRESS> Identifies the device to replace by its MAC address. Specify the devices existing MAC address.

<HOSTNAME> Identifies the device to replace by its hostname. Specify the devices hostname.

<NEW-MAC-

ADDRESS>

Specifies the new devices MAC address Both the new and old devices should of the same model type. Example rfs4000-882A17(config)#replace device ap7131-4BF364 ?

AA-BB-CC-DD-EE-FF New device MAC address rfs4000-882A17(config)#replace device ap7131-4BF364 00-15-0F-BB-98-30 The following example shows an existing AP7502 (MAC: DD-AA-BB-88-12-43) configuration staged on a VX9000 controller:

VX9000-NOC-DE9D(config-device-DD-AA-BB-88-12-43)#show context ap7502 DD-AA-BB-88-12-43 use profile default-ap7502 use rf-domain default hostname ap7502-881243 interface radio1 wlan theMOZART bss 1 primary interface radio2 wlan theMOZART bss 1 primary interface ge1 switchport mode access switchport access vlan 1 controller host 12.12.12.2 VX9000-NOC-DE9D(config-device-DD-AA-BB-88-12-43)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 364 GLOBAL CONFIGURATION COMMANDS The following example shows AP7502 (MAC: DD-AA-BB-88-12-43) replaced by another AP7502 having MAC address 11-22-33-44-55-66:

Note that the new AP7502 device has the same configuration as the old AP7502 device. The HOSTNAME remains the same. Consequently, objects that refer to this particular hostname need not be updated. For example, an hostname alias identifying this particular device, and TLOs using this alias, such as IP/MAC ACLs, remain unchanged. VX9000-NOC-DE9D(config)#replace device DD-AA-BB-88-12-43 11-22-33-44-55-66 VX9000-NOC-DE9D(config)#ap7502 11-22-33-44-55-66 VX9000-NOC-DE9D(config-device-11-22-33-44-55-66)#show context ap7502 11-22-33-44-55-66 use profile default-ap7502 use rf-domain default hostname ap7502-881243 interface radio1 wlan theMOZART bss 1 primary interface radio2 wlan theMOZART bss 1 primary interface ge1 switchport mode access switchport access vlan 1 controller host 12.12.12.2 VX9000-NOC-DE9D(config-device-11-22-33-44-55-66)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 365 GLOBAL CONFIGURATION COMMANDS 4.1.79 rf-domain Global Configuration Commands An RF Domain groups devices that can logically belong to one network. The following table lists the RF Domain configuration mode commands:

Table 4.43 RF-Domain Config Commands Command rf-domain rf-domain-mode commands Description Creates a RF Domain policy and enters its configuration mode Invokes RF Domain configuration mode commands Reference page 4-367 page 4-369 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 366 GLOBAL CONFIGURATION COMMANDS 4.1.79.1 rf-domain rf-domain Creates an RF Domain or enters the RF Domain configuration context for one or more RF Domains. If the RF Domain does not exist, it is created. The configuration of controllers (wireless controllers, service platforms, and access points) comprises of RF Domains that define regulatory, location, and other relevant policies. At least one default RF Domain is assigned to each controller. RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area, such as in a floor, building, or site. Each RF Domain contains policies that set the Smart RF or WIPS configuration. RF Domains also enable administrators to override WLAN SSID name and VLAN assignments. This enables the deployment of a global WLAN across multiple sites and unique SSID name or VLAN assignments to groups of access points servicing the global WLAN. This WLAN override eliminates the need to define and manage a large number of individual WLANs and profiles. A controllers configuration contains:

A default RF Domain - Each controller utilizes a default RF Domain. Access Points are assigned to this default RF Domain as they are discovered by the controller. A default RF Domain can be used for single-site and multi-site deployments. Single-site deployment The default RF Domain can be used for single site deployments, where regional, regulatory, and RF policies are common between devices. Multi-site deployment A default RF Domain can omit configuration parameters to prohibit regulatory configuration from automatically being inherited by devices as they are discovered. This is desirable in multi-site deployments with devices spanning multiple countries. Omitting specific configuration parameters eliminates the risk of an incorrect country code from being automatically assigned to a device. A user-defined RF Domain - Created by administrators. A user-defined RF Domain can be assigned to multiple devices manually or automatically. Manually assigned Use the CLI or UI to manually assign a user-defined RF Domain to controllers and service platforms. Automatically assigned Use a AP provisioning policy to automatically assign specific RF Domains to access points based on the access points model, serial number, VLAN, DHCP option, and IP address or MAC address. Automatic RF Domain assignments are useful in large deployments, as they enable plug-n-play access point deployments by automatically applying RF Domains to remote access points. For more information on auto provisioning policy, see AUTO-PROVISIONING-

POLICY. Configure and deploy user-defined RF Domains for single or multiple sites where devices require unique regulatory and regional configurations, or unique Smart RF and WIPS policies. User-defined RF Domains can be used to:

Assign unique Smart RF or WIPS policies to access points deployed on different floors or buildings within in a site. Assign unique regional or regulatory configurations to devices deployed in different states or countries. Assign unique WLAN SSIDs and/or VLAN IDs to sites assigned a common WLAN without having to define individual WLANs for each site. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 367 GLOBAL CONFIGURATION COMMANDS Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax rf-domain {<RF-DOMAIN-NAME>|containing <RF-DOMAIN-NAME>}

Parameters rf-domain {<RF-DOMAIN-NAME>|containing <RF-DOMAIN-NAME>}

rf-domain

<RF-DOMAIN-

NAME>

containing

<RF-DOMAIN-

NAME>

Creates a new RF Domain or enters its configuration context Optional. Specify the RF Domain name (should not exceed 32 characters and should represent the intended purpose). Once created, the name cannot be edited. Optional. Identifies an existing RF Domain that contains a specified sub-string in the domain name

<RF-DOMAIN-NAME> Specify a sub-string of the RF Domain name. Example rfs6000-81742D(config)#rf-domain rfs6000 rfs6000-81742D(config-rf-domain-rfs6000)#?

RF Domain Mode commands:

alias Alias channel-list Configure channel list to be advertised to wireless clients contact Configure the contact control-vlan VLAN for control traffic on this RF Domain controller-managed RF Domain manager for this domain will be an adopting controller country-code Configure the country of operation geo-coordinates Configure geo coordinates for this device layout Configure layout location Configure the location location-server LSENSE server configuration mac-name Configure MAC address to name mappings no Negate a command or set its defaults nsight-sensor Enable sensor for Nsight override-smartrf Configured RF Domain level overrides for smart-rf override-wlan Configure RF Domain level overrides for wlan sensor-server AirDefense sensor server configuration stats Configure the stats related setting timezone Configure the timezone tree-node Configure tree node under which this rf-domain appears use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-rf-domain-rfs6000)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 368 GLOBAL CONFIGURATION COMMANDS 4.1.79.2 rf-domain-mode commands rf-domain This section describes the default commands under RF Domain. The following table summarizes RF Domain configuration commands:

Table 4.44 RF-Domain-Mode Commands Command alias channel-list contact control-vlan controller-

managed country-code geo-coordinates layout location location-server Description Creates various types of aliases, such as network, VLAN, network-group, network-service, encrypted-string, hashed -string, etc. at the RF Domain level Configures the channel list advertised by radios Configures network administrators contact information (needed in case of any problems impacting the RF Domain) Configures VLAN for traffic control on a RF Domain Configures the adopting controller or service platform as this RF Domains manager Configures the country of operation Configures the longitude and latitude of the RF Domain in order to fix its exact geographical location on a map Configures layout information Configures the physical location of a RF Domain Configures an LSENSE server on the selected RF Domain. This command is supported only on the NX95XX series service platforms. Maps MAC addresses to names Negates a command or reverts configured settings to their default mac-name no override-smart-rf Configures RF Domain level overrides for Smart RF override-wlan Configures RF Domain level overrides for a WLAN sensor-server Configures an AirDefense sensor server on this RF Domain stats Configures stats related settings on this RF Domain. These settings define how RF Domain statistics are updated. Configures a RF Domains geographic time zone Configures the hierarchical (tree-node) structure under which this RF Domain appears Enables the use of a specified Smart RF and/or WIPS policy timezone tree-node use Reference page 4-370 page 4-377 page 4-378 page 4-379 page 4-380 page 4-381 page 4-382 page 4-383 page 4-385 page 4-386 page 4-387 page 4-388 page 4-390 page 4-391 page 4-394 page 4-396 page 4-397 page 4-399 page 4-401 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 369 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.1 alias rf-domain-mode commands Configures network, VLAN, host, string, network-service, etc. aliases at the RF Domain level For information on aliases, see alias. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax alias [address-range|encrypted-string|hashed-string|host|network|network-group|

network-service|number|string|vlan]

alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>

alias hashed-string <HASHED-STRING-ALIAS-NAME> 1 <LINE>

alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>

alias host <HOST-ALIAS-NAME> <HOST-IP>

alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>

alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]

alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to

<ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|

network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]

alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|

gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|

ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport|ssh|telnet|tftp|www)}

alias number <NUMBER-ALIAS-NAME> <0-4294967295>

alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|

gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|

ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|

tftp|www)}

alias string <STRING-ALIAS-NAME> <LINE>

alias vlan <VLAN-ALIAS-NAME> <1-4094>

Parameters address-range

<ADDRESS-RANGE-

ALIAS-NAME>

alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>

Creates a new address-range alias for this RF Domain. Or associates an existing address-range alias with this RF Domain. An address-range alias maps a name to a range of IP addresses.

<ADDRESS-RANGE-ALIAS-NAME> Specify the address range alias name. Alias name should begin with $. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 370 GLOBAL CONFIGURATION COMMANDS

<STARTING-IP>

to <ENDING-IP>

Associates a range of IP addresses with this address range alias

<STARTING-IP> Specify the first IP address in the range. to <ENDING-IP> Specify the last IP address in the range. Aliases defined at any given level can be overridden at the next lower level. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence. alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>

encrypted-string

<ENCRYPTED-

STRING-ALIAS-

NAME>

[0|2] <LINE>

Creates an alias for an encrypted string. Use this alias for string configuration values that are encrypted when "password-encryption" is enabled. For example, in the management-policy, use it to define the SNMP community string. For more information, see snmp-server.

<ENCRYPTED-STRING-ALIAS-NAME> Specify the encrypted-string alias name. Alias name should begin with $. Configures the value associated with the alias name specified in the previous step

[0|2] <LINE> Configures the alias value Note, if password-encryption is enabled, in the show > running-config output, this clear text is displayed as an encrypted string, as shown below:

nx9500-6C8809(config)#show running-config

!............................... alias encrypted-string $enString 2 fABMK2is7UToNiZE3MQXbgAAAAxB0ZIysdqsEJwr6AH/Da//

!

--More--

nx9500-6C8809 In the above output, the 2 displayed before the encrypted-string alias value indicates that the displayed text is encrypted and not a clear text. However, if password-encryption is disabled the clear text is displayed as is:

nx9500-6C8809(config)#show running-config

!...............................

!

alias encrypted-string $enString 0 test11223344

!

--More--

nx9500-6C8809 For more information on enabling password-encryption, see password-encryption. alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>

hashed-string

<HASHED-STRING-

ALIAS-NAME>

Creates an alias for a hashed string. Use this alias for configuration values that are hashed string, such as passwords. For example, in the management-policy, use it to define the privilege mode password. For more information, see privilege-mode-

password.

<HASHED-STRING-ALIAS-NAME> Specify the hashed-string alias name. Alias name should begin with $. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 371 GLOBAL CONFIGURATION COMMANDS

<LINE>

Configures the hashed-string value associated with this alias. nx9500-6C8809(config)#show running-config

!

alias encrypted-string $WRITE 2 sBqVCDAoxs3oByF5PCSuFAAAAAd7HT2+EiT/l/BXm9c4SBDv

!

alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba05411 2ecfc75

--More--

nx9500-6C8809 In the above show > running-config output, the 1 displayed before the hashed-string alias value indicates that the displayed text is hashed and not a clear text. alias host <HOST-ALIAS-NAME> <HOST-IP>

host

<HOST-ALIAS-NAME>

<HOST-IP>

Creates a host alias for this RF Domain. Or associates an existing host alias with this RF Domain. A host alias maps a name to a single network host.

<HOST-ALIAS-NAME> Specify the host alias name. Alias name should begin with $. Associates the network hosts IP address with this host alias

<HOST-IP> Specify the network hosts IP address. Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence. alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>

network

<NETWORK-ALIAS-

NAME>

<NETWORK-

ADDRESS/MASK>

Creates a network alias for this RF Domain. Or associates an existing network alias with this RF Domain. A network alias maps a name to a single network address.

<NETWORK-ALIAS-NAME> Specify the network alias name. Alias name should begin with $. Associates a single network with this network alias

<NETWORK-ADDRESS/MASK> Specify the networks address and mask. Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence. alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to

<ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|

network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]

network-group

<NETWORK-GROUP-

ALIAS-NAME>

Creates a network-group alias for this RF Domain. Or associates an existing network-

group alias with this RF Domain.

<NETWORK-GROUP-ALIAS-NAME> Specify the network-group alias name. Alias name should begin with $. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 372 GLOBAL CONFIGURATION COMMANDS After specifying the name, specify the following: a range of IP addresses, host addresses, or a range of network addresses. Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence. Associates a range of IP addresses with this network-group alias

<STARTING-IP> Specify the first IP address in the range. to <ENDING-IP> Specify the last IP address in the range.

<STARTING-IP> to <ENDING-IP> Optional. Specifies more than one range of IP addresses. A maximum of eight (8) IP address ranges can be configured. Associates a single or multiple hosts with this network-group alias

<HOST-IP> Specify the hosts IP address.

<HOST-IP> Optional. Specifies more than one host. A maximum of eight (8) hosts can be configured. address-range

<STARTING-IP>

to <ENDING-IP>

{<STARTING-IP>

to <ENDING-IP>}

host <HOST-IP>

{<HOST-IP>}

network <NETWORK-

ADDRESS/MASK>

{<NETWORK-

ADDRESS/MASK>}

Associates a single or multiple networks with this network-group alias

<NETWORK-ADDRESS/MASK> Specify the networks address and mask.

<NETWORK-ADDRESS/MASK> Optional. Specifies more than one network. A maximum of eight (8) networks can be configured. alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|

eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|

https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|

telnet|tftp|www)}

alias network-service

<NETWORK-

SERVICE-ALIAS-

NAME>

proto [<0-254>|

<WORD>|eigrp|gre|

igmp|igp|ospf|vrrp]

Creates a network-service alias for this RF Domain. Or associates an existing network-

service alias with this RF Domain. A network-service alias maps a name to network services and the corresponding source and destination software ports.

<NETWORK-SERVICE-ALIAS-NAME> Specify a network-service alias name. Alias name should begin with $. Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence. Use one of the following options to associate an Internet protocol with this network-

service alias:

<0-254> Identifies the protocol by its number. Specify the protocol number from 0

- 254. This is the number by which the protocol is identified in the Protocol field of the IPv4 header and the Next Header field of IPv6 header. For example, the User Datagram Protocols (UDP) designated number is 17.

<WORD> Identifies the protocol by its name. Specify the protocol name. eigrp Selects Enhanced Interior Gateway Routing Protocol (EIGRP). The protocol number 88. gre Selects Generic Routing Encapsulation (GRE). The protocol number is 47. igmp Selects Internet Group Management Protocol (IGMP). The protocol number is 2. igp Selects Interior Gateway Protocol (IGP). The protocol number is 9. ospf Selects Open Shortest Path First (OSPF). The protocol number is 89. vrrp Selects Virtual Router Redundancy Protocol (VRRP). The protocol number is 112. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 373 GLOBAL CONFIGURATION COMMANDS

{(<1-65535>|

<WORD>|

bgp|dns|ftp|

ftp-data|gopher|

https|ldap|nntp|ntp|p op3|proto|

sip|smtp|sourceport

[<1-65535>|

<WORD>]|ssh|telnet|

tftp|www)}

After specifying the protocol, you may configure a destination port for this service. These keywords are recursive and you can configure multiple protocols and associate multiple destination and source ports.

<1-65535> Optional. Configures a destination port number from 1 - 65535

<WORD> Optional. Identifies the destination port by the service name provided. For example, the secure shell (SSH) service uses TCP port 22. bgp Optional. Configures the default Border Gateway Protocol (BGP) services port

(179) dns Optional. Configures the default Domain Name System (DNS) services port (53) ftp Optional. Configures the default File Transfer Protocol (FTP) control services port

(21) ftp-data Optional. Configures the default FTP data services port (20) gopher Optional. Configures the default gopher services port (70) https Optional. Configures the default HTTPS services port (443) ldap Optional. Configures the default Lightweight Directory Access Protocol (LDAP) services port (389) nntp Optional. Configures the default Newsgroup (NNTP) services port (119) ntp Optional. Configures the default Network Time Protocol (NTP) services port

(123) POP3 Optional. Configures the default Post Office Protocol (POP3) services port

(110) proto Optional. Use this option to select another Internet protocol in addition to the one selected in the previous step. sip Optional. Configures the default Session Initiation Protocol (SIP) services port

(5060) smtp Optional. Configures the default Simple Mail Transfer Protocol (SMTP) services port (25) sourceport [<1-65535>|<WORD>] Optional. After specifying the destination port, you may specify a single or range of source ports.

<1-65535> Specify the source port from 1 - 65535.

<WORD> Specify the source port range, for example 1-10. ssh Optional. Configures the default SSH services port (22) telnet Optional. Configures the default Telnet services port (23) tftp Optional. Configures the default Trivial File Transfer Protocol (TFTP) services port (69) www Optional. Configures the default HTTP services port (80) alias number <NUMBER-ALIAS-NAME> <0-4294967295>

alias number

<NUMBER-ALIAS-

NAME>

<0-4294967295>

Creates a new number alias or applies an existing number, identified by the

<NUMBER-ALIAS-NAME> keyword,

<NUMBER-ALIAS-NAME> Specify the number alias name.

<0-4294967295> Specify the number, from 0 - 4294967295, assigned to the number alias created. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 374 GLOBAL CONFIGURATION COMMANDS Number aliases map a name to a numeric value. For example, alias number

$NUMBER 100. The number alias name is: $NUMBER The value assigned is: 100 The value referenced by alias $NUMBER, wherever used, is 100. alias string <STRING-ALIAS-NAME> <LINE>

alias string

<STRING-ALIAS-

NAME>

Creates a string alias for this RF Domain. Or associates an existing string alias with this RF Domain. String aliases map a name to an arbitrary string value. For example, alias string $DOMAIN test.example_company.com. In this example, the string alias name is: $DOMAIN and the string value it is mapped to is:

test.example_company.com. In this example, the string alias refers to a domain name.

<STRING-ALIAS-NAME> Specify the string alias name.

<LINE> Specify the string value. Alias name should begin with $. Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence. alias vlan <VLAN-ALIAS-NAME> <1-4094>

alias vlan

<VLAN-ALIAS-NAME>

<1-4094>

Creates a VLAN alias for this RF Domain. Or associates an existing VLAN alias with this RF Domain. A VLAN alias maps a name to a VLAN ID.

<VLAN-ALIAS-NAME> Specify the VLAN alias name. Alias name should begin with $. Maps the VLAN alias to a VLAN ID

<1-4094> Specify the VLAN ID from 1 - 4094. Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence. Example rfs4000-229D58(config)#show context

!

! Configuration of RFS4000 version 5.9.1.0-008B

!

!

version 2.5

!

!

alias network-group $TestNetGrpAlias network 192.168.13.0/24 192.168.16.0/24 alias network-group $TestNetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25

!

alias network $TestNetworkAlias 192.168.13.0/24

!

alias host $TestHostAlias 192.168.13.10

!

alias address-range $TestAddRanAlias 192.168.13.10 to 192.168.13.13

!

alias network-service $NetworkServAlias proto udp

!alias network-service $kerberos proto tcp 749 750 80 proto udp 68 sourceport 67

!

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 375 GLOBAL CONFIGURATION COMMANDS alias vlan $TestVLANAlias 1

--More--

rfs4000-229D58(config)#

In the following examples, the global aliases $kerberos and $TestVLANAlias are associated with the RF Domain test and overrides applied:

rfs4000-229D58(config-rf-domain-test)#alias network-service $kerberos proto tcp 749 750 80 rfs4000-229D58(config-rf-domain-test)#alias vlan $TestVLANAlias 10 rfs4000-229D58(config-rf-domain-test)#show context rf-domain test no country-code alias network-service $kerberos proto tcp 749 750 80 alias vlan $TestVLANAlias 10 rfs4000-229D58(config-rf-domain-test)#

nx9500-6C8809(config-rf-domain-test)#alias string $test example_company.com nx9500-6C8809(config-rf-domain-test)#show context rf-domain test no country-code alias string $test example_company.com nx9500-6C8809(config-rf-domain-test)#

Example 1:

In the following examples, the network-group alias $test is configured to include hosts 192.168.1.10 and 192.168.1.11, networks 192.168.2.0/24 and 192.168.3.0/24 and address-range 192.168.4.10 to 192.168.4.20. rfs4000-229D58(config)#alias network-group $test host 192.168.1.10 192.168.1.11 rfs4000-229D58(config)#alias network-group $test network 192.168.2.0/24 192.168.3.0/24 rfs4000-229D58(config)#alias network-group $test address-range 192.168.4.10 to 192.168.4.20 Associate this network-group alias $test to the RF Domain test and override the host element of the alias. rfs4000-229D58(config-rf-domain-test)#alias network-group $test host 192.168.10.10 rfs4000-229D58(config-rf-domain-test)#show context rf-domain test no country-code alias network-service $kerberos proto tcp 749 750 80 alias network-group $test host 192.168.10.10 alias network-group $test network 192.168.2.0/24 192.168.3.0/24 alias network-group $test address-range 192.168.4.10 to 192.168.4.20 alias vlan $TestVLANAlias 10 rfs4000-229D58(config-rf-domain-test)#

In the preceding example, the host element of the network-group alias $test has been overridden. But the network and address-range elements have been retained as is. Related Commands no Removes a network, network-group, network-service, VLAN, or string alias from this RF Domain Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 376 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.2 channel-list rf-domain-mode commands Configures the channel list advertised by radios. This command also enables a dynamic update of a channel list. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax channel-list [2.4GHz|5GHz|dynamic]

channel-list dynamic channel-list [2.4GHz|5GHz] <CHANNEL-LIST>

Parameters channel-list dynamic dynamic Enables a dynamic update of a channel list channel-list [2.4GHz|5GHz] <CHANNEL-LIST>

2.4GHz

<CHANNEL-LIST>

5GHz

<CHANNEL-LIST>

Configures the channel list advertised by radios operating in the 2.4 GHz mode

<CHANNEL-LIST> Specify the list of channels separated by commas or hyphens. Configures the channel list advertised by radios operating in the 5.0 GHz mode

<CHANNEL-LIST> Specify the list of channels separated by commas or hyphens. Example rfs6000-81742D(config-rf-domain-default)#channel-list 2.4GHz 1-10 rfs6000-81742D(config-rf-domain-default)#show context rf-domain default no country-code channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10 rfs6000-81742D(config-rf-domain-default)#

Related Commands no Removes the list of channels configured on the selected RF Domain for 2.4 GHz and 5.0 GHz bands. Also disables dynamic update of a channel list. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 377 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.3 contact rf-domain-mode commands Configures the network administrators contact details. The network administrator is responsible for addressing problems impacting the network. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax contact <WORD>

Parameters contact <WORD>

contact <WORD>

Specify contact details, such as name and number. Example rfs6000-81742D(config-rf-domain-default)#contact Bob+14082778691 rfs6000-81742D(config-rf-domain-default)#show context rf-domain default contact Bob+14082778691 no country-code channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10 rfs6000-81742D(config-rf-domain-default)#

Related Commands no Removes a network administrators contact details Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 378 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.4 control-vlan rf-domain-mode commands Configures the VLAN designated for traffic control in this RF Domain Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]

Parameters control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]

[<1-4094>|

<VLAN-ALIAS-

NAME>]

Specify the VLAN ID from 1 - 4094. Alternately, use a vlan-alias to identify the control VLAN. If using a vlan-alias, ensure that the alias is existing and configured. Example rfs6000-81742D(config-rf-domain-default)#control-vlan 1 rfs6000-81742D(config-rf-domain-default)#show context rf-domain default contact Bob+14082778691 no country-code channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10 control-vlan 1 rfs6000-81742D(config-rf-domain-default)#

Related Commands no Disables the VLAN designated for controlling RF Domain traffic Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 379 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.5 controller-managed rf-domain-mode commands Configures the adopting controller (wireless controller, access point, or service platform) as this RF Domains manager. In other words, the RF Domain is controller managed, and the managing controller is the device managing the RF Domain. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax controller-managed Parameters None Example rfs4000-229D58(config-rf-domain-test)#controller-managed rfs4000-229D58(config-rf-domain-test)#commit rfs4000-229D58(config-rf-domain-test)#show context rf-domain test country-code in controller-managed network-alias techPubs host 192.168.13.8 network-alias techPubs address-range 192.168.13.10 to 192.168.13.15 service-alias testing index 10 proto 9 destination-port range 21 21 rfs4000-229D58(config-rf-domain-test)#

Related Commands no Removes the adopting controller or service platform as this RF Domains manager Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 380 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.6 country-code rf-domain-mode commands Configures a RF Domains country of operation. Since device channels transmit in specific channels unique to the country of operation, it is essential to configure the country code correctly or risk using illegal operation. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax country-code <WORD>

Parameters country-code <WORD>

country-code

<WORD>

Configures the RF Domains country of operation Specify the two (2) letter ISO-3166 country code. Example rfs6000-81742D(config-rf-domain-default)#country-code ?

WORD The 2 letter ISO-3166 country code ae United Arab Emirates ag Antigua and Barbuda ai Anguilla al Albania an Dutch Antilles ar Argentina at Austria au Australia ba Bosnia-Herzegovina bb Barbados bd Bangladesh be Belgium bf Burkina Faso

--More--

rfs6000-81742D(config-rf-domain-default)#

rfs6000-81742D(config-rf-domain-default)#country-code us rfs6000-81742D(config-rf-domain-default)#show context rf-domain default contact Bob+14082778691 country-code us channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10 control-vlan 1 rfs6000-81742D(config-rf-domain-default)#

Related Commands no Removes or resets this RF Domains configured country of operation Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 381 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.7 geo-coordinates rf-domain-mode commands Configures the longitude and latitude of the RF Domain in order to fix its exact geographical location on a map. Use this command to define the geographical area where a common set of device configurations are deployed and managed by this RF Domain policy. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax geo-coordinates <-90.0000-90.0000> <-180.0000-180.0000>

Parameters geo-coordinates <-90.0000-90.0000> <-180.0000-180.0000>

geo-coordinates

<-90.0000-

90.0000> <-

180.0000-180.0000>

Configures the geo-coordinates of this RF Domain

<-90.0000-90.0000> Specify the latitude from -90.0000 - 90.0000.

-180.0000-180.0000 Specify the longitude from -180.0000 - 180.0000. Example nx9500-6C8809(config-rf-domain-TechPubs)#geo-coordinates 12.971599 77.594563 nx9500-6C8809(config-rf-domain-TechPubs)#show context rf-domain TechPubs location Bangalore geo-coordinates 12.9716 77.5946 timezone Asia/Calcutta country-code in use database-policy default use nsight-policy AP-rfd control-vlan 1 controller-managed use license WEBF nx9500-6C8809(config-rf-domain-TechPubs)#

Related Commands no Removes or resets this RF Domains configured geo-coordinates Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 382 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.8 layout rf-domain-mode commands Configures the RF Domain layout in terms of area, floor, and location on a map. It allows users to place APs across the deployment map. A maximum of 256 layouts is permitted. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax layout [area|description|floor|map-location] {(area|description|floor|map-

location)}

layout [area <AREA-NAME>|description <LINE>|floor <FLOOR-NAME> {<1-4094>}|

map-location <URL> units [feet|meters]] {(area <AREA-NAME>|description <LINE>|

floor <FLOOR-NAME> {<1-4094>}|map-location <URL> units [feet|meters])}

Parameters layout [area <AREA-NAME>|description <LINE>|floor <FLOOR-NAME> {<1-4094>}|

map-location <URL> units [feet|meters]] {(area <AREA-NAME>|description <LINE>|

floor <FLOOR-NAME> {<1-4094>}|map-location <URL> units [feet|meters])}

layout Configures the RF Domains layout in terms of area, floor, and location on a map These are recursive parameters and you can configure one or all of these parameters. area <AREA-NAME> Configures the RF Domains layout in terms of the area of location description <LINE>

<AREA-NAME> Specify the area name. After configuring the RF Domains area of functioning, optionally specify the floor name (and number), description, and/or the location on map. Configures a description for this RF Domain

<LINE> Specify a description that enables you to identify the RF Domain. For a multi-

worded string, use double quotes. floor <FLOOR-

NAME> <1-4094>

Configures the RF Domains layout in terms of the floor name and number

<FLOOR-NAME> Specify the floor name. map-location <URL>

units [feet|meters]

<1-4094> Optional. Specifies the floor number from 1 - 4094. The default floor number is 1. After configuring the RF Domains floor name (and number), optionally specify the area name, description, and/or the location on map. Configures the location of the RF Domain on the map

<URL> Specify the URL to configure the map location. units [feet|meters] Configures the map units. The options are: feet or meters feet Configures the map units in terms of feet meters Configures the map units in terms of meter After configuring the location of the RF Domain on the map, optionally specify the area name, floor name (and number), and/or description. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 383 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-rf-domain-default)#layout map-location www.firstfloor.com units meters area HamiltonAve floor Floor1 rfs6000-81742D(config-rf-domain-default)#show context rf-domain default contact Bob+14082778691 country-code us channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10 layout area HamiltonAve floor Floor1 map-location www.firstfloor.com units meters control-vlan 1 rfs6000-81742D(config-rf-domain-default)#

Related Commands no Removes the RF Domain layout details Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 384 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.9 location rf-domain-mode commands Configures the RF Domains physical locations name. The location could be as specific as the building name or floor number. Or it could be generic and include an entire site. The location defines the physical area where a set of devices with common configurations are deployed and managed by a RF Domain policy. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax location <WORD>

Parameters location <WORD>

location <WORD>

Configures the RF Domain location by specifying the area or building name

<WORD> Specify the location. Example rfs6000-81742D(config-rf-domain-default)#location SanJose rfs6000-81742D(config-rf-domain-default)#show context rf-domain default location SanJose contact Bob+14082778691 country-code us channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10 layout area HamiltonAve floor Floor1 map-location www.firstfloor.com units meters control-vlan 1 rfs6000-81742D(config-rf-domain-default)#

Related Commands no Removes the RF Domain location Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 385 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.10 location-server rf-domain-mode commands Configures the L-Sense servers IP address or hostname on the selected RF Domain. When configured, the AP7522, AP7532, AP7562, AP8432 and AP8533 model access points, within the RF Domain, extract and forward client-location related data to the specified L-Sense server. L-Sense is a highly scalable indoor locationing platform that gathers location-related analytics, such as visitor trends, peak and off-peak times, dwell time, heat-maps, etc. to enable entrepreneurs deeper visibility at a venue. To enable the location tracking system, the L-Sense server should be up and running and the RF Domain Sensor configuration should point to the L-sense server. Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510 Syntax location-server 1 ip <LSENSE-SERVER-IP/HOSTNAME> {port [443|<1-65535>]}

Parameters location-server 1 ip <LSENSE-SERVER-IP/HOSTNAME> {port [443|<1-65535>]}

location-server 1 ip

<LSENSE-SERVER-

IP/HOSTNAME>

port

[443|<1-65535>]

Configures the LSENSE server parameters 1 Sets the server ID as 1. As of now only one L-Sense server can be configured. ip <LSENSE-SERVER-IP/HOSTNAME> Specify the servers IPv4 address/host-

name. This is the L-Sense server designated to receive RSSI scan data from a WiNG dedicated sensor. Optional. Configures the port where the LSENSE server is reachable. The options are:

443 Configures port 443. This is the default setting.

<1-65535> Alternately, specify a port as the LSENSE server port from 1 - 65535. Example nx9500-6C8809(config-rf-domain-test)#location-server 1 ip 192.168.13.20 port 200 nx9500-6C8809(config-rf-domain-test)#show context rf-domain test no country-code location-server 1 ip 192.168.13.20 port 200 nx9500-6C8809(config-rf-domain-test)#

Related Commands no Removes the LSENSE server configurations Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 386 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.11 mac-name rf-domain-mode commands Configures a relevant name for each MAC address. Use this command to associate client names to specific connected client MAC addresses for improved client management. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mac-name <MAC> <NAME>

Parameters mac-name <MAC> <NAME>

mac-name <MAC>

<NAME>

Assigns a user-friendly name to this RF Domains member access points connected client to assist in its easy recognition

<MAC> Specify the MAC address

<NAME> Specify the client name for the specified MAC address. The name spec-

ified here will be used in events and statistics. Example rfs6000-81742D(config-rf-domain-default)#mac-name 11-22-33-44-55-66 TestDevice rfs6000-81742D(config-rf-domain-default)#show context rf-domain default location SanJose contact Bob+14082778691 country-code us channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10 mac-name 11-22-33-44-55-66 TestDevice layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters control-vlan 1 rfs6000-81742D(config-rf-domain-default)#

Related Commands no Removes the MAC address to name mapping Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 387 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.12 no rf-domain-mode commands Negates a command or reverts configured settings to their default. When used in the config RF Domain mode, the no command negates or reverts RF Domain settings. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [alias|channel-list|contact|control-vlan|controller-managed|country-code|

geo-coordinates|layout|location|location-server|mac-name|nsight-sensor|

override-smartrf|override-wlan|sensor-server|stats|timezone|tree-node|use]

no [adoption-mode|channel-list [2.4GHz|5GHz|dynamic]|contact|control-vlan|

controller-managed|country-code|location|location-server 1|mac-name <MAC>||

nsight-sensor|sensor-server <1-3>|stats update-interval|timezone|tree-node]

no alias [address-range|host|network|network-group [address-range|host|network]|

network-service|number|string|vlan] <ALIAS-NAME>

no layout {(area <AREA-NAME>|floor <FLOOR-NAME>)}

no override-smartrf channel-list [2.4GHz|5GHz]

no override-wlan <WLAN-NAME> [shutdown|ssid|template|vlan-pool [<1-4094>|all]|

wep128 [key <1-3>|transmit-key]|wpa-wpa2-psk]

no use [database-policy|license|nsight-policy|smart-rf-policy|wips-policy]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or reverts this RF Domains settings based on the parameters passed Example The following example shows the default RF Domain settings before the no commands are executed:

rfs6000-81742D(config-rf-domain-default)#show context rf-domain default location SanJose contact Bob+14082778691 country-code us channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10 mac-name 11-22-33-44-55-66 TestDevice layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters control-vlan 1 rfs6000-81742D(config-rf-domain-default)#

rfs6000-81742D(config-rf-domain-default)#no channel-list 2.4GHz 1-10 rfs6000-81742D(config-rf-domain-default)#no mac-name 11-22-33-44-55-66 rfs6000-81742D(config-rf-domain-default)#no location rfs6000-81742D(config-rf-domain-default)#no control-vlan Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 388 GLOBAL CONFIGURATION COMMANDS The following example shows the default RF Domain settings after the no commands are executed:

rfs6000-81742D(config-rf-domain-default)#show context rf-domain default contact Bob+14082778691 country-code us layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters rfs6000-81742D(config-rf-domain-default)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 389 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.13 override-smart-rf rf-domain-mode commands Enables dynamic channel switching for Smart RF radios. This command allows you to configure an override list of channels that Smart RF can use for channel compensations on 2.4 GHz and 5.0 GHz radios. When a radio fails or is faulty, a Smart RF policy provides automatic recovery by instructing neighboring access points to increase their transmit power to compensate for the coverage loss. Once correct access point placement has been established, Smart-RF can optionally be leveraged for automatic detector radio selection. Smart-RF uses detector radios to monitor RF events and can ensure availability of adequate detector coverage. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax override-smartrf channel-list [2.4GHz|5GHZ] <CHANNEL-LIST>

Parameters override-smartrf channel-list [2.4GHz|5GHZ] <CHANNEL-LIST>

override-smartrf channel-list 2.4GHz

<CHANNEL-LIST>

5GHz

<CHANNEL-LIST>

Enables dynamic channel switching for Smart RF radios Configures a list of channels for 2.4 GHz and 5.0 GHz Smart RF radios Selects the 2.4 GHz Smart RF radio channels

<CHANNEL-LIST> Specify a list of channels separated by commas. Selects the 5.0 GHz Smart RF radio channels

<CHANNEL-LIST> Specify a list of channels separated by commas. Example rfs6000-81742D(config-rf-domain-default)#override-smartrf channel-list 2.4GHz 1,2,3 rfs6000-81742D(config-rf-domain-default)#show context rf-domain default contact Bob+14082778691 country-code us override-smartrf channel-list 2.4GHz 1,2,3 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters rfs6000-81742D(config-rf-domain-default)#

Related Commands no Removes the override-smartrf list of channels configured for 2.4 GHz and 5.0 GHz radios Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 390 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.14 override-wlan rf-domain-mode commands Configures RF Domain level overrides for a WLAN Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax override-wlan <WLAN-NAME> [shutdown|ssid|template|vlan-pool|wep128|wpa-wpa2-psk]

override-wlan <WLAN-NAME> [shutdown|ssid <SSID>|template <TEMPLATE-NAME>|vlan-

pool <1-4094> {limit <0-8192>}]

override-wlan <WLAN-NAME> wpa-wpa2-psk [0 <WORD>|2 <WORD>]

override-wlan <WLAN-NAME> wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key

<1-4>]

Parameters override-wlan <WLAN-NAME> [shutdown|ssid <SSID>|template <TEMPLATE-NAME>|vlan-

pool <1-4094> {limit <0-8192>}]

<WLAN-NAME>

shutdown ssid <SSID>

template

<TEMPLATE-

NAME>

vlan-pool

<1-4094>

{limit <0-8192>}

Configures the WLAN name If applying RF Domain level overrides to an existing WLAN, specify its name. If creating a new WLAN, specify a name not exceeding 32 characters and representing the WLANs coverage area. After creating the WLAN, configure its override parameters. Shuts down WLAN operation on all mapped radios Configures a override SSID associated with this WLAN

<SSID> Specify the SSID (should not exceed 32 characters in length). Each WLAN provides associated wireless clients with a SSID. This has limitations, because it requires wireless clients to associate with different SSIDs to obtain QoS and security policies. However, a WiNG-managed RF Domain can have WLANs assigned and advertise a single SSID, and yet allow users to inherit different QoS or security policies. Configures a template name for this RF Domain

<TEMPLATE-NAME> Specify the template name (should not exceed 32 characters in length). Configures the override VLANs available to this WLAN

<1-4094> Specify the VLAN ID from 1 - 4094. limit <0-8192> Optional. Sets a limit to the number of users on this VLAN from 0 -

8192. The default is 0. Controllers and service platforms allow the mapping of a WLAN to more than one VLAN. Wireless clients associating with a WLAN are assigned VLANs, from the pool representative of the WLAN, in a way that ensures proper load balancing across VLANs. Clients are tracked per VLAN, and assigned to the least used/loaded VLAN. Client VLAN usage is tracked on a per-WLAN basis. The maximum allowed client limit is 8192 per VLAN. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 391 GLOBAL CONFIGURATION COMMANDS override-wlan <WLAN-NAME> wpa-wpa2-psk [0 <WORD>|2 <WORD>]

<WLAN-NAME>

wpa-wpa2-psk

<PASSPHRASE>

Configures the WLAN name If applying RF Domain level overrides to an existing WLAN, specify its name. If creating a new WLAN, specify a name not exceeding 32 characters and representing the WLANs coverage area. After creating the WLAN, configure its override parameters. Overrides a WLANs existing WPA-WPA2 pre-shared key or passphrase at the RF Domain level. WPA2 is a newer 802.11i standard that provides wireless security that is stronger than Wi-Fi Protected Access (WPA) and WEP.

<PASSPHRASE> Specify a WPA-WPA2 key or passphrase. It is an alphanumeric string of 8 to 64 ASCII characters or 64 HEX characters as the primary string, which both the transmitting and receiving authenticators must share in this new override PSK. The alphanumeric string allows character spaces. The string is converted to a numeric value. This passphrase saves the you the necessity of entering the 256-bit key each time keys are generated. override-wlan <WLAN-NAME> wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key

<1-4>]

<WLAN-NAME>

Configures the WLAN name If applying RF Domain level overrides to an existing WLAN, specify its name. If creating a new WLAN, specify a name not exceeding 32 characters and representing the WLANs coverage area. After creating the WLAN, configure its override parameters. Overrides a WLANs existing WEP128 keys at the RF Domain level (not the profile level). WEP128 uses a 104 bit key, which is concatenated with a 24-bit initialization vector (IV) to form the RC4 traffic key. WEP may be all a small-business user needs for the simple encryption of wireless data on the WLAN. However, networks that require more security are at risk from a WEP flaw. WEP is only recommended if there are client devices incapable of using higher forms of security. The existing 802.11 standard alone offers administrators no effective method to update keys. Configures the WEP128 key. A total of four keys can be configured.

<1-4> Select the key index from 1- 4. hex Configures a hexadecimal key wep128 key <1-4> hex

[0 <WORD>|

2 <WORD>]

0 <WORD> Configures a clear text key 2 <WORD> Configures an encrypted key The following parameter is common to both clear-text and encrypted key options:

<WORD> Specify the WEP128/Keyguard key (should not exceed 26 hexadecimal characters in length). transmit-key

<1-4>

Configures transmit WEP/Keyguard key settings

<1-4> Transmit the key identified by the key index specified here. Specify the index from 1 - 4. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 392 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-rf-domain-default)#override-wlan test vlan-pool 2 limit 20 rfs6000-81742D(config-rf-domain-default)#show context rf-domain default contact Bob+14082778691 country-code us override-smartrf channel-list 2.4GHz 1,2,3 override-wlan test vlan-pool 2 limit 20 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters rfs6000-81742D(config-rf-domain-default)#

Related Commands no Resets the override WLAN settings its default Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 393 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.15 sensor-server rf-domain-mode commands Configures an AirDefense sensor server on this RF Domain. Sensor servers allow network administrators to monitor and download data from multiple sensors remote locations using Ethernet TCP/IP or serial communications. This enables administrators to respond quickly to interferences and coverage problems. The Wireless Intrusion Protection System (WIPS) protects the controller managed network, wireless clients and access point radio traffic from attacks and unauthorized access. WIPS provides tools for standards compliance and around-the-clock wireless network security in a distributed environment. WIPS allows administrators to identify and accurately locate attacks, rogue devices and network vulnerabilities in real time and permits both a wired and wireless lockdown of wireless device connections upon acknowledgement of a threat. In addition to dedicated AirDefense sensors, an access point radio can function as a sensor and upload information to a dedicated WIPS server (external to the controller). Unique WIPS server configurations can be used by RF Domains to ensure a WIPS server configuration is available to support the unique data protection needs of individual RF Domains. WIPS is not supported on a WLAN basis, rather sensor functionality is supported on the access point radio(s) available to each controller managed WLAN. When an access point radio is functioning as a WIPS sensor, it is able to scan in sensor mode across all legal channels within the 2.4 and 5.0 GHz bands. Sensor support requires a AirDefense WIPS Server on the network. Sensor functionality is not provided by the access point alone. The access point works in conjunction with a dedicated WIPS server. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}

Parameters sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}

sensor-server <1-3>

Configures an AirDefense sensor server parameters

<1-3> Select the server ID from 1 - 3. The server with the lowest defined ID is reached first. The default is 1. ip <IP/HOSTNAME>

Configures the (non DNS) IPv4 address of the sensor server

<IP/HOSTNAME> Specify the sensor servers IPv4 address or hostname. port [443|<1-65535>] Optional. Configures the sensor server port. The options are:

443 Configures port 443, the default port used by the AirDefense server. This is the default setting.

<1-65535> Allows you to select a WIPS/AirDefense sensor server port from 1 - 65535 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 394 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-rf-domain-default)#sensor-server 2 ip 172.16.10.3 port 443 rfs6000-81742D(config-rf-domain-default)#show context rf-domain default contact Bob+14082778691 country-code us sensor-server 2 ip 172.16.10.3 override-smartrf channel-list 2.4GHz 1,2,3 override-wlan test vlan-pool 2 limit 20 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters rfs6000-81742D(config-rf-domain-default)#

Related Commands no Disables an AirDefense sensor server parameters Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 395 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.16 stats rf-domain-mode commands Configures stats settings that define how RF Domain statistics are updated Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax stats update-interval stats update-interval [<5-300>|auto]

Parameters stats update-interval [<5-300>|auto]

stats update-interval

[<5-300>|auto]

Configures stats related settings on this RF Domain Configures the interval at which RF Domain statistics are updated. The options are:

<5-300> Specify an update interval from 5 - 300 seconds. auto The RF Domain manager automatically adjusts the update interval based on the load. This is the default setting. Example rfs6000-81742D(config-rf-domain-default)#stats update-interval 200 rfs6000-81742D(config-rf-domain-default)#show context rf-domain default contact Bob+14082778691 stats update-interval 200 country-code us sensor-server 2 ip 172.16.10.3 override-smartrf channel-list 2.4GHz 1,2,3 override-wlan test vlan-pool 2 limit 20 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters rfs6000-81742D(config-rf-domain-default)#

Related Commands no Resets stats related settings Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 396 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.17 timezone rf-domain-mode commands Configures the RF Domains geographic time zone. By default all WiNG devices are shipped with the time zone and time format set to Universal Time Coordinated (UTC) and 24-hour clock respectively. If the time zone is not reset, all devices within the RF Domain will display time relative to the UTC - Greenwich Time. Resetting the time zone is recommended, especially for RF Domains deployed across different geographical locations. The time zone can either be set on a specific device or on an RF Domain. When configured as RF Domain setting, it applies to all devices within the domain. For more information on configuring the time zone on a device, see timezone. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax timezone <TIMEZONE>

Parameters timezone <TIMEZONE>

time <TIMEZONE>

Specify the RF Domains time zone. The configured time zone will apply to all devices within the selected RF Domain. Example rfs6000-81742D(config-rf-domain-default)#timezone America/Los_Angeles rfs6000-81742D(config-rf-domain-default)#show context rf-domain default contact Bob+14082778691 timezone America/Los_Angeles stats update-interval 200 country-code us sensor-server 2 ip 172.16.10.3 override-smartrf channel-list 2.4GHz 1,2,3 override-wlan test vlan-pool 2 limit 20 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters rfs6000-81742D(config-rf-domain-default)#

The built-in WiNG timezones are:

nx9500-6C8809(config-rf-domain-test)#timezone <TAB>

Africa/ Asia/ Atlantic/ Australia/ CET CST6CDT EET EST5EDT Etc/ Europe/ MST7MDT Pacific/

PST8PDT US/ America/

nx9500-6C8809(config-rf-domain-test)#

Each of these time zones are further differentiated into sub time zones. For example, as shown in the following example:

nx9500-6C8809(config-rf-domain-test)#timezone Africa/

Africa/Cairo Africa/Casablanca Africa/Harare Africa/Johannesburg Africa/Lagos Africa/Nairobi nx9500-6C8809(config-rf-domain-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 397 GLOBAL CONFIGURATION COMMANDS Related Commands no Removes a RF Domains time zone Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 398 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.18 tree-node rf-domain-mode commands Configures the hierarchical (tree-node) structure under which this RF Domain is located Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax tree-node [campus|city|country|region] {(campus|city|country|region)}

Parameters tree-node [campus|city|country|region] {(campus|city|country|region)}

tree-node campus city country region Usage Guidelines Configures the hierarchical tree structure defining the RF Domains location. The tree node hierarchy can be configured in any order, but will always appear as: country >

region > city > campus. Further, a higher node, such as country, cannot be defined under a lower node, such as region. An RF Domain can be placed under any one of the tree nodes. But, an RF Domain at the country level may have all four nodes defined. Whereas, an RF Domain restricted to a campus, cannot have the country, city, and region nodes. At least one of these four nodes must be defined. This feature is disabled by default. Configures the campus name for this RF Domain Configures the city for this RF Domain Configures the country for this RF Domain Configures the region for this RF Domain The following points need to be taken into consideration when creating the tree-node structure:

Adding a country first is a good idea since region, city, and campus can all be added as sub-nodes in the tree structure. However, the selected country is an invalid tree node until a RF Domain is mapped. A city and campus can be added in the tree structure as sub-nodes under a region. An RF Domain can be mapped anywhere down the hierarchy for a region and not just directly under a country. For example, a region can have city, campus, and one RF Domain mapped. Only a campus can be added as a sub-node under a city. The city is an invalid tree node until a RF Domain is mapped somewhere within the directory tree. A campus is the last node in the hierarchy before a RF Domain, and it is not valid unless it has a RF Domain mapped. After creating the tree structure do a commit and save for the tree configuration to take effect and persist across reboots. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 399 GLOBAL CONFIGURATION COMMANDS Example rfs4000-229D58(config-rf-domain-test)#tree-node campus EcoSpace City Bangalore country India region South rfs4000-229D58(config-rf-domain-test)#

rfs4000-229D58(config-rf-domain-test)#show context rf-domain test country-code in tree-node country India region South city Bangalore campus EcoSpace rfs4000-229D58(config-rf-domain-test)#

Related Commands no Removes the RF Domains tree-node configuration Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 400 GLOBAL CONFIGURATION COMMANDS 4.1.79.2.19 use rf-domain-mode commands Associates the following with an RF Domain: database policy, NSight policy, sensor policy, Smart RF policy, WIPS policy, RTL server policy, and Web filtering license. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax use [database-policy|license|nsight-policy|rtl-server-policy|sensor-policy|

smart-rf-policy|wips-policy]

use [database-policy <DATABASE-POLICY-NAME>|license <WEB-FILTERING-LICENSE>|

nsight-policy <NSIGHT-POLICY-NAME>|rtl-server-policy <RTL-SERVER-POLICY-NAME>

sensor-policy <SENSOR-POLICY-NAME>|smart-rf-policy <SMART-RF-POLICY-NAME>|

wips-policy <WIPS-POLICY-NAME>]

Parameters use [database-policy <DATABASE-POLICY-NAME>|license <WEB-FILTERING-LICENSE>|

nsight-policy <NSIGHT-POLICY-NAME>|rtl-server-policy <RTL-SERVER-POLICY-NAME>|

sensor-policy <SENSOR-POLICY-NAME>|smart-rf-policy <SMART-RF-POLICY-NAME>|

wips-policy <WIPS-POLICY-NAME>]

use database-policy

<DATABASE-POLICY-

NAME>

license

<WEB-FILTERING-

LICENSE>

nsight-policy

<NSIGHT-POLICY-

NAME>

rtl-server-policy

<RTL-SERVER-

POLICY-NAME>

sensor-policy

<SENSOR-POLICY-

NAME>

Associates the following policies with the RF Domain: database policy, NSight policy, sensor policy, Smart RF policy, WIPS policy. It also applies a Web filtering license to the selected RF Domain. Associates a database policy with the selected RF Domain

<DATABASE-POLICY-NAME> Specify the database policy name (should be existing and configured). Obtains the specified Web filtering license from the adopting controller

<WEB-FILTERING-LICENSE> Specify the WEBF license name. Associates an NSight policy to this RF Domain Specify the NSight policy name (should be existing and configured). When applied, it enables the RF Domain manager to gather statistical data from access points within the domain and forward to the NOC running the NSight server. For information on configuring NSight policy, see nsight-policy. Associates an Real Time Locationing (RTL) server policy with the selected RF Domain

<RTL-SERVER-POLICY-NAME> Specify the RTL server policy name (should be existing and configured Associates a sensor policy with the selected RF Domain

<SENSOR-POLICY-NAME> Specify the sensor policy name (should be existing and configured). Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 401 GLOBAL CONFIGURATION COMMANDS smart-rf-policy

<SMART-RF-POLICY-

NAME>

wips-policy

<WIPS-POLICY-

NAME>

Associates a Smart RF policy. When associated, the Smart RF policy provides automatic recovery from coverage loss (due to failed or faulty radio) by instructing neighboring access points to increase their transmit power. Once correct access point placement has been established, Smart-RF can optionally be leveraged for automatic detector radio selection. Smart-RF uses detector radios to monitor RF events to ensure availability of adequate detector coverage.

<SMART-RF-POLICY-NAME> Specify the Smart RF policy name (should be existing and configured). For more information on configuring smart RF policy, see SMART-

RF-POLICY. Associates a WIPS policy. A WIPS policy provides protection against wireless threats and acts as a key layer of security complementing wireless VPNs, encryption and authentication. A WIPS policy uses a dedicated sensor for actively detecting and locating rogue AP devices. After detection, WIPS uses mitigation techniques to block the devices by manual termination, air lockdown, or port suppression.

<WIPS-POLICY-NAME> Specify the WIPS policy name (should be existing and configured). For more information on configuring WIPS policy, see WIPS-POLICY. Example rfs6000-81742D(config-rf-domain-default)#use smart-rf-policy Smart-RF1 rfs6000-81742D(config-rf-domain-default)#use wips-policy WIPS1 rfs6000-81742D(config-rf-domain-default)#show context rf-domain default contact Bob+14082778691 timezone America/Los_Angeles stats update-interval 200 country-code us use smart-rf-policy Smart-RF1 use wips-policy WIPS1 sensor-server 2 ip 172.16.10.3 override-smartrf channel-list 2.4GHz 1,2,3 override-wlan test vlan-pool 2 limit 20 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters rfs6000-81742D(config-rf-domain-default)#

Related Commands no sensor-server wips-policy smart-rf-policy Resets profiles used with this RF Domain Configures an AirDefense sensor server on this RF Domain Configures a WIPS policy Configures a Smart RF policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 402 GLOBAL CONFIGURATION COMMANDS 4.1.80 rfs6000 Global Configuration Commands Adds a RFS6000 wireless controller to the network Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax rfs6000 <DEVICE-RFS6000-MAC>

Parameters rfs6000 <DEVICE-RFS6000-MAC>

<DEVICE-RFS6000-

MAC>

Specify the RFS6000s MAC address. Example rfs6000-81742D(config)#rfs6000 11-20-30-40-50-61 rfs6000-81742D(config-device-11-20-30-40-50-61)#

Related Commands no Removes a RFS6000 wireless controller from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 403 GLOBAL CONFIGURATION COMMANDS 4.1.81 rfs4000 Global Configuration Commands Adds an RFS4000 wireless controller to the network Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax rfs4000 <DEVICE-RFS4000-MAC>

Parameters rfs4000 <DEVICE-RFS4000-MAC>

<DEVICE-RFS4000-

MAC>

Specify the RFS4000s MAC address. Example rfs6000-81742D(config)#rfs4000 10-20-30-40-50-60 rfs6000-81742D(config-device-10-20-30-40-50-60)#

Related Commands no Removes an RFS4000 wireless controller from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 404 GLOBAL CONFIGURATION COMMANDS 4.1.82 nx5500 Global Configuration Commands Adds an integrated NX5500 series service platform to the network. If a profile for this service platform is not available, a new profile is created. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax nx5500 <DEVICE-NX5500-MAC>

Parameters nx5500 <DEVICE-NX5500-MAC>

<DEVICE-NX5500-

MAC>

Specifies the MAC address of a NX5500 series service platform. Example nx9500-6C8809(config)#nx5500 B4-C7-02-3C-FA-6E nx9500-6C8809(config-device-B4-C7-02-3C-FA-6E)#

Related Commands no Removes a NX5500 series service platform from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 405 GLOBAL CONFIGURATION COMMANDS 4.1.83 nx75xx Global Configuration Commands Adds an integrated NX75XX series service platform to the network. If a profile for service platform is not available, a new profile is created. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 NOTE: In this guide, NX7500, NX7510, NX7520, and NX7530 are collectively represented as a NX75XX series service platform. Syntax nx75xx <DEVICE-NX75XX-MAC>

Parameters nx75xx <DEVICE-NX75XX-MAC>

<DEVICE-NX75XX-

MAC>

Specifies the MAC address of a NX75XX series service platform. Example nx9500-6C8809(config)#nx75xx B4-C9-81-6C-FA-7C nx9500-6C8809(config-device-B4-C9-81-6C-FA-7C)#show context nx75xx B4-C9-81-6C-FA-7C use profile default-nx75xx use rf-domain default hostname nx75xx-6CFA7C nx9500-6C8809(config-device-B4-C9-81-6C-FA-7C)#

nx75xx-6CFA7C>show adoption status Adopted by:

Type : nx9000 System Name : nx9500-6C8809 MAC address : B4-C7-99-6C-88-09 MiNT address : 19.6C.88.09 Time : 1 days 01:57:50 ago Adopted Devices:

--------------------------------------------------------------------------------

-------

DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-ADOPTION UPTIME

--------------------------------------------------------------------------------

-------

ap7131-11E6C4 5.8.6.0-008B configured No nx75xx-6CFA7C 1 days 01:49:44 1 days 01:59:34

--------------------------------------------------------------------------------

-------

Total number of devices displayed: 1 nx75xx-6CFA7C>

Related Commands no Removes a NX75XX series service platform from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 406 GLOBAL CONFIGURATION COMMANDS 4.1.84 nx9000 Global Configuration Commands Adds a NX95XX series service platform to the network Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax nx9000 <DEVICE-NX95XX-MAC>

Parameters nx9000 <DEVICE-NX95XX-MAC>

<DEVICE-NX95XX-

MAC>

Specifies the MAC address of a NX95XX series service platform. Example nx9500-6C8809(config)#nx9000 B4-C7-89-7C-81-08 nx9500-6C8809(config-device-B4-C7-89-7C-81-08)#

Related Commands no Removes a NX95XX series service platform from the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 407 GLOBAL CONFIGURATION COMMANDS 4.1.85 roaming-assist-policy Global Configuration Commands Configures a roaming assist policy that enables access points to assist wireless clients in making roaming decisions, such as which access point to connect, etc. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax roaming-assist-policy <POLICY-NAME>

Parameters roaming-assist-policy <POLICY-NAME>

<POLICY-NAME>

Specify the roaming assist policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#roaming-assist-policy testPolicy rfs6000-81742D(config-roaming-assist-policy-testPolicy)#?

Roaming Assist Mode commands:

action Configure action - action is either to log / deauth aggressiveness Configure the roaming aggressiveness for a wireless client detection-threshold Configure the detection threshold - when exceeded, client monitoring starts disassoc-time Configure the disassociation time - time after which a disassociation is sent handoff-count Configure the handoff count - number of times client can exceed handoff threshold handoff-threshold Configure the handoff threshold - when exceeds an action is taken. monitoring-interval Configure the monitoring interval - interval at which client monitoring occurs no Negate a command or set its defaults sampling-interval Configure the sampling interval - interval at which client rssi values are checked clrscr Clears the display screen commit Commit all changes made in this session end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-roaming-assist-policy-testPolicy)#

Related Commands no Removes an existing roaming assist policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 408 GLOBAL CONFIGURATION COMMANDS NOTE: For more information on roaming assist policy commands, see Chapter 30, ROAMING ASSIST POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 409 GLOBAL CONFIGURATION COMMANDS 4.1.86 role-policy Global Configuration Commands Configures a role-based firewall policy Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax role-policy <ROLE-POLICY-NAME>

Parameters role-policy <ROLE-POLICY-NAME>

<ROLE-POLICY-

NAME>

Specify the role policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#role-policy role1 rfs6000-81742D(config-role-policy-role1)#?

Role Policy Mode commands:

default-role Configuration for Wireless Clients not matching any role ldap-deadperiod Ldap dead period interval ldap-query Set the ldap query mode ldap-server Add a ldap server ldap-timeout Ldap query timeout interval no Negate a command or set its defaults user-role Create a role clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-role-policy-role1)#

Related Commands no Removes an existing role policy NOTE: For more information on role policy commands, see Chapter 18, ROLE-

POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 410 GLOBAL CONFIGURATION COMMANDS 4.1.87 route-map Global Configuration Commands Creates a dynamic BGP route map and enters its configuration mode BGP route maps are used by network administrators to define rules controlling redistribution of routes between routers and routing processes. These route maps are also used to control and modify routing information. Supported in the following platforms:

Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9600, VX9000 Syntax route-map <ROUTE-MAP-NAME>

Parameters route-map <ROUTE-MAP-NAME>

route-map

<ROUTE-MAP-NAME>

Creates a new BGP route map and enters its configuration mode Example nx9500-6C8809(config)#route-map test nx9500-6C8809(config-dr-route-map-test)#?

Route Map Mode commands:

deny Add a deny route map rule to deny set operations no Negate a command or set its defaults permit Add a permit route map rule to permit set operations clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-dr-route-map-test)#

Related Commands no Removes an existing dynamic BGP route map NOTE: For more information on BGP route maps, see Chapter 28, BORDER GATEWAY PROTOCOL. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 411 GLOBAL CONFIGURATION COMMANDS 4.1.88 routing-policy Global Configuration Commands Configures a routing policy Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax routing-policy <ROUTING-POLICY-NAME>

Parameters routing-policy <ROUTING-POLICY-NAME>

<ROUTING-POLICY-

NAME>

Specify the routing policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#routing-policy TestRoutingPolicy rfs6000-81742D(config-routing-policy-TestRoutingPolicy)#?

Routing Policy Mode commands:

apply-to-local-packets Use Policy Based Routing for packets generated by the device logging Enable logging for this Route Map no Negate a command or set its defaults route-map Create a Route Map use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-routing-policy-TestRoutingPolicy)#

Related Commands no Removes an existing routing policy NOTE: For more information on routing policy commands, see Chapter 24, ROUTING-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 412 GLOBAL CONFIGURATION COMMANDS 4.1.89 rtl-server-policy Global Configuration Commands The following table lists the Real Time Locationing (RTL) server policy configuration commands:

Table 4.45 RTL-Server-Policy Config Command Command rtl-server-policy rtl-server-policy-

mode commands Description Configures an RTL server policy and enters its configuration mode Summarizes RTL server policy configuration mode commands Reference page 4-414 page 4-416 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 413 GLOBAL CONFIGURATION COMMANDS 4.1.89.1 rtl-server-policy rtl-server-policy Creates an RTL server policy and enters its configuration mode. When configured and applied on an access point (AP7522, AP7532, AP8432, AP8533), this policy enables the sending of RSSI feeds from the access point to a third-party Euclid server. The RTL server policy provides the exact location (URL) of the Euclid server. The RSSI feeds sent are as per the sensor-policy configured and applied on the access point. Therefore, ensure that a sensor-policy, with the rssi-interval-duration specified, is existing, configured, and applied on the access points. To initiate RSSI feed posts to the Euclid locationing server, use the RTL server policy on the:

APs device/profile context, or APs RF Domain context. Supported in the following platforms:

Access Points AP7522, AP7532, AP8432, AP8533 Wireless Controllers RFS4000 Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax rtl-server-policy <RTL-POLICY-NAME>

Parameters rtl-server-policy <RTL-POLICY-NAME>

<RTL-SERVER-

POLICY-NAME>

Specify the RTL server policy name. If a RTL server policy with the specified name does not exist, it is created. Example nx9500-6C8809(config)#rtl-server-policy test nx9500-6C8809(config-rtl-server-policy-test)#?

RTL Server Policy Mode commands:

no Negate a command or set its defaults url Configure the url to send the real time RSSI feed to clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-rtl-server-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 414 GLOBAL CONFIGURATION COMMANDS Related Commands no use (profile/device configuration mode command) use (RF Domain configuration mode command) Removes an existing RTL server policy Documents the use command in a devices profile or device configuration context. Use this option to associate this RTL server policy to an access points profile or device. Documents the use command in the RF Domain configuration context. Use this option to associate this RTL server policy to an RF Domain. When associated, the policy is applied to all access points within the RF Domain. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 415 GLOBAL CONFIGURATION COMMANDS 4.1.89.2 rtl-server-policy-mode commands rtl-server-policy The following table summarizes the RTL server policy configuration mode commands:

Table 4.46 RTL-Server-Policy Mode Commands Command url no Description Configures the third-party Euclid RTL servers URL Removes the Euclid RTL servers URL configuration Reference page 4-417 page 4-418 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 416 GLOBAL CONFIGURATION COMMANDS 4.1.89.2.1 url rtl-server-policy-mode commands Configures the third-party Euclid RTL servers exact location. This is the URL at which the server can be reached. Supported in the following platforms:

Access Points AP7522, AP7532, AP8432, AP8533 Wireless Controllers RFS4000 Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax url <URL>

Parameters url <URL>

url <URL>

Configures the Euclid servers URL

<URL> Specify the URL. Example nx9500-6C8809(config-rtl-server-policy-test)#url https://testrtlsever.com nx9500-6C8809(config-rtl-server-policy-test)#show context rtl-server-policy test url https://testrtlsever.com nx9500-6C8809(config-rtl-server-policy-test)#

Related Commands no Removes the Euclid servers configured URL Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 417 GLOBAL CONFIGURATION COMMANDS 4.1.89.2.2 no rtl-server-policy-mode commands Removes the Euclid locationing servers URL configuration Supported in the following platforms:

Access Points AP7522, AP7532, AP8432, AP8533 Wireless Controllers RFS4000 Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax no url Parameters no url no url Example Removes the Euclid servers URL The following example displays the RTL server policy test settings before the no command is executed:

nx9500-6C8809(config-rtl-server-policy-test)#show context rtl-server-policy test url https://testrtlsever.com nx9500-6C8809(config-rtl-server-policy-test)#

nx9500-6C8809(config-rtl-server-policy-test)#no url The following example displays the RTL server policy test settings after the no command is executed:

nx9500-6C8809(config-rtl-server-policy-test)#show context rtl-server-policy test nx9500-6C8809(config-rtl-server-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 418 GLOBAL CONFIGURATION COMMANDS 4.1.90 schedule-policy Global Configuration Commands The following table summarizes the config schedule policy commands:

Table 4.47 Schedule-Policy Config Commands Command schedule-policy schedule-policy-mode commands Description Creates a schedule policy and enters its configuration mode Lists schedule policy configuration mode commands Reference page 4-420 page 4-421 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 419 GLOBAL CONFIGURATION COMMANDS 4.1.90.1 schedule-policy schedule-policy Creates a schedule policy and enters its configuration mode. A schedule policy strategically enforces application filter policy rules during administrator assigned intervals. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax schedule-policy <SCHEDULE-POLICY-NAME>

Parameters schedule-policy <SCHEDULE-POLICY-NAME>

schedule-policy

<SCHEDULE-POLICY-

NAME>

Specify the Schedule policy name. If the policy does not exist, it is created. The name should not exceed 32 characters in length. Example nx9500-6C8809(config)#schedule-policy test nx9500-6C8809(config-schedule-policy-test)#?

Schedule Policy Mode commands:

description Schedule policy description no Negate a command or set its defaults time-rule Configure a time rule clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-schedule-policy-test)#

Related Commands no Removes an existing schedule policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 420 GLOBAL CONFIGURATION COMMANDS 4.1.90.2 schedule-policy-mode commands schedule-policy The following table summarizes schedule-policy configuration mode commands:

Table 4.48 Schedule-Policy-Config-Mode Commands Command description time-rule no Description Configures a description for this schedule policy that differentiates it from other policies with similar time rule configurations Configures a time rule specifying the days and optionally the start and end times Removes the selected schedule policys settings Reference page 4-422 page 4-423 page 4-425 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 421 GLOBAL CONFIGURATION COMMANDS 4.1.90.2.1 description schedule-policy-mode commands Configures a description for this schedule policy that differentiates it from other policies with similar time rule configurations Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax description <WORD>

Parameters description <WORD>

description <WORD> Configures this schedule policys description

<WORD> Enter a description not exceeding 80 characters in length. The description should uniquely identify the policy from other policies with similar configuration. Example nx9500-6C8809(config-schedule-policy-test)#description "Denies social networking sites on weekdays."

nx9500-6C8809(config-schedule-policy-test)#show context schedule-policy test description "Denies social networking sites on weekdays."

nx9500-6C8809(config-schedule-policy-test)#

Related Commands no Removes this schedule policys description Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 422 GLOBAL CONFIGURATION COMMANDS 4.1.90.2.2 time-rule schedule-policy-mode commands Configures a time rule specifying the days and optionally the start and end times. When applied to an application-policy rule, the schedule policy defines the enforcement time of the rule. For more information, see application-policy. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax time-rule days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|

weekends|weekdays] {start-time <HH:MM> [end-time <HH:MM>]}

Parameters time-rule days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|

weekends|weekdays] {start-time <HH:MM> [end-time <HH:MM>]}

time-rule days

[sunday|monday|

tuesday|wednesday|

thursday|friday|

saturday|all|

weekends|

weekdays]

start-time <HH:MM>

[end-time <HH:MM>]

Configures a time rule in days and hours and minutes A schedule policy can have more than one non-overlapping time-rules. The following time-rules, having overlapping time periods, are invalid: weekdays, start-time 9:30 am, end-time 11:30 pm and all, start-time 12:00 am, end-time 12:00 pm. Specifies the days on which the time rule is applicable sunday Applicable on Sundays only monday Applicable on Mondays only tuesday Applicable on Tuesdays only wednesday Applicable on Wednesdays only thursday Applicable on Thursdays only friday Applicable on Fridays only saturday Applicable on Saturdays only weekends Applicable on weekends only weekdays Applicable on weekdays only all Applicable on all days After specifying the days of enforcement, specify the following:

start-time Optional. Specifies the enforcement start time

<HH:MM> Specify the start time in hours and minutes in the HH:MM format. If no start time is specified, the time rule is enforced, on the specified days, at all time. end-time Specifies the enforcement end time

<HH:MM> Specify the time in hours and minutes in the HH:MM format. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 423 GLOBAL CONFIGURATION COMMANDS Example nx9500-6C8809(config-schedule-policy-test)#time-rule days weekdays start-time 10:00 end-time 23:30 nx9500-6C8809(config-schedule-policy-test)#show context schedule-policy test description "Denies social networking sites on weekdays."

time-rule days weekdays start-time 10:00 end-time 23:30 nx9500-6C8809(config-schedule-policy-test)#

Related Commands no Removes the time-rule from the schedule policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 424 GLOBAL CONFIGURATION COMMANDS 4.1.90.2.3 no schedule-policy-mode commands Removes the selected schedule policys settings Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [description|time-rule]

no description no time-rule days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|

all|weekends|weekdays]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes the schedule policys settings based on the parameters passed Example The following example displays the schedule policy test settings before the no commands have been executed:

nx9500-6C8809(config-schedule-policy-test)#show context schedule-policy test description "Denies social networking sites on weekdays."

time-rule days weekdays start-time 10:00 end-time 23:30 nx9500-6C8809(config-schedule-policy-test)#

The following example displays the schedule policy test settings after the no commands have been executed:

nx9500-6C8809(config-schedule-policy-test)#no description nx9500-6C8809(config-schedule-policy-test)#no time-rule days weekdays nx9500-6C8809(config-schedule-policy-test)#show context schedule-policy test nx9500-6C8809(config-schedule-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 425 GLOBAL CONFIGURATION COMMANDS 4.1.91 self Global Configuration Commands Displays the logged devices configuration context Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax self Parameters None Example rfs6000-81742D(config)#self rfs6000-81742D(config-device-00-15-70-37-FA-BE)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 426 GLOBAL CONFIGURATION COMMANDS 4.1.92 sensor-policy Global Configuration Commands The following table summarizes the config sensor policy commands:0 Table 4.49 Sensor-Policy Config Commands Command sensor-policy sensor-policy-mode commands Description Creates a sensor policy and enters its configuration mode Lists sensor policy configuration mode commands Reference page 4-428 page 4-430 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 427 GLOBAL CONFIGURATION COMMANDS 4.1.92.1 sensor-policy sensor-policy In addition to WIPS support, sensor functionality has now been added for the Extreme Networks MPact locationing system. The MPact system for Wi-Fi locationing includes WiNG controllers, and access points functioning as sensors. Within the MPact architecture, sensors scan for RSSI data on an administrator defined interval and send to a dedicated MPact Server resource, as opposed to an ADSP server. The MPact Server collects the RSSI data from WiNG sensor devices, and calculates the location of Wi-Fi devices for MPact administrators. Use this command to configure a policy defining the mode of scanning, the channels to scan (in case scan-

mode is set to custom-scan), and the RSSI interval. For the sensor policy to take effect, use the policy either in the access points RF Domain context or in the access points device context. NOTE: If a dedicated sensor is utilized with WIPS for rogue detection, any sensor policy used is discarded and not utilized by the sensor. To avoid this situation, use ADSP channel settings exclusively to configure the sensor and not the WiNG interface. Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510 Syntax sensor-policy <SENSOR-POLICY-NAME>

Parameters sensor-policy <SENSOR-POLICY-NAME>

sensor-policy

<SENSOR-POLICY-

NAME>

Specify the Sensor policy name. If a sensor policy with the specified name does not exist, it is created. The name should not exceed 32 characters in length. No character spaces are permitted within the name. Define a name unique to the policys channel and scan mode configuration to help differentiate it from other policies. Usage GuidelinesADSP WIPS/MPact Access point radios, functioning as sensors, along with AirDefense WIPS servers protect networks from attacks and unauthorized access. These access point sensors scan legal channels and (based on a WIPS policy settings) identify events potential threats to the managed network. These events are reported to the AirDefense WIPS server, which determines the action taken. In addition to WIPS support, sensor functionality has now been added for the MPact locationing system. The MPact system for Wi-Fi locationing includes WiNG controllers and access points functioning as sensors. Within the MPact architecture, sensors scan for RSSI data on an administrator-defined interval and send to a dedicated MPact server resource, as opposed to an ADSP server. The MPact server collects the RSSI data from WiNG sensor devices, and calculates the location of Wi-Fi devices. With the introduction of the MPact platform, the data collected by access point radios, functioning as sensors, is also used by the MPact server to provide real-time locationing services. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 428 GLOBAL CONFIGURATION COMMANDS Example nx9500-6C8809(config)#sensor-policy test nx9500-6C8809(config-sensor-policy-test)#?

Sensor Policy Mode commands:

custom-scan Channel configuration in Custom Scan channels no Negate a command or set its defaults rssi-interval-duration Configure the periodicity of sensding RSSI info from sensor to server scan-mode Configure the Scan mode clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-sensor-policy-test)#

Related Commands no Removes an existing sensor policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 429 GLOBAL CONFIGURATION COMMANDS 4.1.92.2 sensor-policy-mode commands sensor-policy The following table summarizes sensor-policy configuration mode commands:

Table 4.50 Sensor-Policy-Config-Mode Commands Command custom-scan rssi-interval-

duration scan-mode no Description Configures the channel scanning settings when the scan-mode is set to custom-scan Configures the interval at which dedicated sensors scan channels for RSSI assessments and send the collected data to a specified MPact server resource Configures the mode of scanning used by dedicated sensors (access point radios) Removes or reverts to default a sensor policys settings Reference page 4-431 page 4-433 page 4-434 page 4-435 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 430 GLOBAL CONFIGURATION COMMANDS 4.1.92.2.1 custom-scan sensor-policy-mode commands Configures the channel scanning settings when the scan-mode is set to custom-scan NOTE: If the mode of scanning is set to Custom-Scan, use this command to configure the channels to be scanned. To set the mode of scanning to custom-scan, use the scan-mode > Custom-Scan command. For more information, see scan-mode. Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax custom-scan channel-frequency <CHANNEL-FREQUENCY> width [20MHz|40MHz-Bth|40MHz-

Lower|40MHz-Upper|80MHz] scan-weight <SCAN-WEIGHT>

Parameters custom-scan channel-frequency <CHANNEL-FREQUENCY> width [20MHz|40MHz-Both|

40MHz-Lower|40MHz-Upper|80MHz] scan-weight <SCAN-WEIGHT>

custom-scan channel-frequency

<CHANNEL-

FREQUENCY>

Configures the custom-scan channel frequency, channel width, and scan weight Configures the channel frequency. A list of unique channels in the 2.4, 4.9, 5 and 6 GHz band can be collectively or individually enabled for customized channel scans and RSSI reporting.

<CHANNEL-FREQUENCY> Specify a single or multiple, comma-separated channel frequencies. width [20MHz|

40MHz-Both|

40MHz-Lower|

40MHz-Upper|

80MHz]

scan-weight <SCAN-

WEIGHT>

Configures the channel width. When custom channels are selected for RSSI scans, each selected channel can have its own width defined. Numerous channels have their width fixed at 20MHz, 802.11a radios support 20 and 40 MHz channel widths. 20MHz Sets the channel width as 20 Mhz 40Mhz-Both Sets the channel width as 40Mhz-Both 40Mhz-Lowe Sets the channel width as 40Mhz-Lower 40Mhz-Upper Sets the channel width as 40Mhz-Upper 80Mhz Sets the channel width as 80Mhz Configures the scan-weight (scanning duration) for each of the selected channels. Each selected channel can have its weight prioritized in respect to the amount of time a scan is permitted within the defined RSSI scan interval.

<SCAN-WEIGHT> Specify the scan weightage given to each selected channel. Example nx9500-6C8809(config-sensor-policy-test)#custom-scan channel-frequency 2412 width 20MHz scan-weight 1000 nx9500-6C8809(config-sensor-policy-test)#custom-scan channel-frequency 2417 width 20MHz scan-weight 1000 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 431 GLOBAL CONFIGURATION COMMANDS nx9500-6C8809(config-sensor-policy-test)#show context sensor-policy test scan-mode Custom-Scan custom-scan channel-frequency 2412 width 20MHz scan-weight 1000 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000 nx9500-6C8809(config-sensor-policy-test)#

Related Commands no Removes channels from the channels-to-scan list in case of scan-mode being set to Custom-Scan Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 432 GLOBAL CONFIGURATION COMMANDS 4.1.92.2.2 rssi-interval-duration sensor-policy-mode commands Configures the interval, in seconds, at which dedicated sensors scan channels for RSSI assessments and send the RSSI data obtained to a specified server resource Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax rssi-interval-duration <1-60>

Parameters rssi-interval-duration <1-60>

rssi-interval-duration

<1-60>

Configures the RSSI interval duration in seconds. This is the interval at which the sensor scans channels for RSSI data and forwards the data to a dedicated server resource. The server calculates real-time locations of Wi-Fi devices based on the this data.

<1-60> Specify the RSSI interval duration from 1 - 60 seconds. The default is 1 second. The channels scanned for RSSI assessment depends on the scan-mode selected. For more information, see scan-mode and custom-scan. Ensure that the servers IP address or hostname has been configured in the access point sensors RF Domain context. Example nx9500-6C8809(config-sensor-policy-test)#rssi-interval-duration 30 nx9500-6C8809(config-sensor-policy-test)#show context sensor-policy test rssi-interval-duration 30 scan-mode Custom-Scan custom-scan channel-frequency 2412 width 20MHz scan-weight 1000 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000 nx9500-6C8809(config-sensor-policy-test)#

Related Commands no Resets the interval at which RSSI data is collected and sent by the sensor to the MPact server host to default (1 second) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 433 GLOBAL CONFIGURATION COMMANDS 4.1.92.2.3 scan-mode sensor-policy-mode commands Configures the mode of scanning used by dedicated sensors (access point radios) Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax scan-mode [Channel-Lock|Custom-Scan|Default-Scan]

scan-mode Channel-Lock lock-frequency <LOCK-FREQUENCY>

scan-mode [Custom-Scan|Default-Scan]

Parameters scan-mode Channel-Lock lock-frequency <LOCK-FREQUENCY>

scan-mode Channel-Lock lock-frequency

<LOCK-

FREQUENCY>

Configures the mode of scanning used by the sensors to scan system-defined or user-

defined channels for RSSI assessments. The options are: Channel-Lock, Custom-Scan, and Default-Scan. Configures the mode of scanning as Channel-Lock lock-frequency <LOCK-FREQUENCY> Locks scanning for RSSI data to one specific channel identified by the <LOCK-FREQUENCY> parameter.

<LOCK-FREQUENCY> Specify the channel frequency in MHz. When specified, the sensor scans only this specified channel. scan-mode [Custom-Scan|Default-Scan]

scan-mode Custom-Scan Default-Scan Configures the mode of scanning used by the sensor. The options are: channel-lock, custom-scan, and default-scan. Configures the mode of scanning as Custom-Scan Select this option to restrict scanning to user-defined channels. If selecting this option, use the custom-scan > channel-frequency command to configure the channels scanned by the dedicated sensor. For more information, see custom-scan. Configures the mode of scanning as Default-Scan. This is the default setting. By default the system has a fixed, built-in list of channels that are scanned. These channels are hard coded in a spread pattern of 1, 6, 11, 36, 40, 44, and 48. When selected, the dedicated sensor scans only these default channels. Example nx9500-6C8809(config-sensor-policy-test)#scan-mode Custom-Scan nx9500-6C8809(config-sensor-policy-test)#show context sensor-policy test rssi-interval-duration 30 scan-mode Custom-Scan custom-scan channel-frequency 2412 width 20MHz scan-weight 1000 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000 nx9500-6C8809(config-sensor-policy-test)#

Related Commands no Reverts the scan-mode to default (Default-Scan) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 434 GLOBAL CONFIGURATION COMMANDS 4.1.92.2.4 no sensor-policy-mode commands Removes or reverts to default a sensor policys settings Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [custom-scan|rss1-interval-duration|scan-mode]

no custom-scan channel-frequency <CHANNEL-FREQUENCY-LIST>

no rssi-interval-duration no scan-mode Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or reverts to default a sensor policy settings based on the parameters passed Example The following example shows the sensor-policy test settings before the no commands are executed:

nx9500-6C8809(config-sensor-policy-test)#show context sensor-policy test rssi-interval-duration 30 scan-mode Custom-Scan custom-scan channel-frequency 2412 width 20MHz scan-weight 1000 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000 nx9500-6C8809(config-sensor-policy-test)#

The scan-mode is reverted back to the default setting of 'Default-Scan', as show in the following output:

nx9500-6C8809(config-sensor-policy-test)#no scan-mode nx9500-6C8809(config-sensor-policy-test)#show context sensor-policy test rssi-interval-duration 30 scan-mode Default-Scan custom-scan channel-frequency 2412 width 20MHz scan-weight 1000 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000 nx9500-6C8809(config-sensor-policy-test)#

nx9500-6C8809(config-sensor-policy-test)#no custom-scan channel-frequency 2412 nx9500-6C8809(config-sensor-policy-test)#no custom-scan channel-frequency 2417 nx9500-6C8809(config-sensor-policy-test)#show context sensor-policy test rssi-interval-duration 30 scan-mode Default-Scan nx9500-6C8809(config-sensor-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 435 GLOBAL CONFIGURATION COMMANDS 4.1.93 smart-rf-policy Global Configuration Commands Configures a Smart RF policy Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax smart-rf-policy <SMART-RF-POLICY-NAME>

Parameters smart-rf-policy <SMART-RF-POLICY-NAME>

Specify the Smart RF policy name. If the policy does not exist, it is created.

<SMART-RF-POLICY-

NAME>

Example rfs6000-81742D(config)#smart-rf-policy test rfs6000-81742D(config-smart-rf-policy-test)#?

Smart RF Mode commands:

area Specify channel list/ power for an area assignable-power Specify the assignable power during power-assignment avoidance-time Time to avoid a channel once dfs/adaptivity avoidance is necessary channel-list Select channel list for smart-rf channel-width Select channel width for smart-rf coverage-hole-recovery Recover from coverage hole enable Enable this smart-rf policy group-by Configure grouping parameters interference-recovery Recover issues due to excessive noise and interference neighbor-recovery Recover issues due to faulty neighbor radios no Negate a command or set its defaults sensitivity Configure smart-rf sensitivity (Modifies various other smart-rf configuration items) smart-ocs-monitoring Smart off channel scanning clrscr Clears the display screen commit Commit all changes made in this session end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or term rfs6000-81742D(config-smart-rf-policy-test)#

Related Commands no Removes an existing Smart RF policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 436 GLOBAL CONFIGURATION COMMANDS NOTE: For more information on Smart RF policy commands, see Chapter 19, SMART-RF-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 437 GLOBAL CONFIGURATION COMMANDS 4.1.94 t5 Global Configuration Commands Invokes the configuration mode of a t5 wireless controller A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5s management within a WiNG supported subnet populated by both types of devices. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax t5 <T5-DEVICE-MAC>

Parameters t5 <T5-DEVICE-MAC>

t5 <T5-DEVICE-MAC> Specify the t5 devices MAC address. The system enters the identified devices configuration mode. A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS wireless controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5s management within a WiNG supported subnet populated by both types of devices. The Customer Premises Equipment (CPEs) are the T5 controller managed radio devices using the IPX operating system. These CPEs use a Digital Subscriber Line (DSL) as their high speed Internet access mechanism using the CPEs physical wallplate connection and phone jack. After logging on to the T5 device, use the cpe keyword and configure the following mandatory settings:

vlan Set a VLAN from 1 - 4,094 used as a virtual interface for connections between the T5 controller and its managed CPE devices. start ip Set a starting IP address used in a range of addresses available to T5 con-

troller connecting CPE devices. end ip Set an end IP address used in a range of addresses available to T5 controller connecting CPE devices. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 438 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config)#t5 B4:C7:99:ED:5C:2C rfs6000-81742D(config-device-B4:C7:99:ED:5C:2C)#?

T5 Device Mode commands:

adsp-sensor-server Configure WIPS server bridge Sets MAC address expiration time in the bridge address table clock Configure clock options cpe T5 CPE configuration hostname Set system's network name interface Select an interface to configure ip Internet Protocol (IP) no Negate a command or set its defaults ntp Configure NTP override-wlan Configure RF Domain level overrides for wlan password T5 password configuration qos QOS settings radius-server Radius server settings t5 T5 configuration t5-logging Modify message logging facilities use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-device-B4:C7:99:ED:5C:2C)#

Related Commands no Removes the t5 wireless controller identified by the devices MAC address Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 439 GLOBAL CONFIGURATION COMMANDS 4.1.95 web-filter-policy Global Configuration Commands The following table lists commands that enable you to enter the Web Filter policy configuration mode:

Table 4.51 Commands Creating a Web-Filter-Policy Reference Description Creates a new Web Filter policy and enters its configuration mode page 4-552 page 4-443 Summarizes the Web Filter policy configuration mode commands Command web-filter-policy web-filter-policy-

config-mode commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 440 GLOBAL CONFIGURATION COMMANDS 4.1.95.1 web-filter-policy web-filter-policy Creates a Web Filtering policy and enters its configuration mode. This policy defines rules managing the local classification database and the cached data. When configured and applied, this policy also enables caching of URL classification records in a local database in a controller-based, hierarchically managed (HM) deployment. Use this option to specify the following: classification server details, size of the local database, time for which records are cached in the database, the action taken in case the classification server is unavailable, etc. The Web filter policy is applied at the profile or device level. For more information on URL filtering, see url-filter. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax web-filter-policy <WEB-FILTER-POLICY-NAME>

Parameters web-filter-policy <WEB-FILTER-POLICY-NAME>

<WEB-FILTER-

POLICY-NAME>

Specify the Web filter policy name. If the policy does not exist, it is created. Example nx9500-6C8809(config)#web-filter-policy test nx9500-6C8809(config-web-filter-policy-test)#?

Content Filter Mode commands:

cache-max-recs Configure the maximum number of records in local cache cache-save-interval Configure the time a record is saved in local cache logging Select logging method no Negate a command or set its defaults server-host Configure URL classification server if it is not the adopted controller server-unreachable Permission to access website when classification server is unreachable (default is pass) uncategorized-url Permission to website when server fails to classify the URL request (default is pass) clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-web-filter-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 441 GLOBAL CONFIGURATION COMMANDS Related Commands no Removes an existing Web filter policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 442 GLOBAL CONFIGURATION COMMANDS 4.1.95.2 web-filter-policy-config-mode commands web-filter-policy The following table summarizes Web Filter policy configuration mode commands:

Table 4.52 Web-Filter-Policy-Config-Mode Commands Command cache-max-recs cache-save-

interval logging no server-host Description Configures the maximum number of records (URLs and Web pages) cached in the local database Configures the maximum time period for which a record (URL and Web page classification entry) is cached in the local database Configures the method used to log Web filtering events Reverts the selected Web Filter policy settings to default Configures the URL classification server in case it is not the adopted controller Configures the action taken in case the classification server is unreachable server-

unreachable uncategorized-url Configures the action taken in case the classification server fails to classify a URL/Website Reference page 4-444 page 4-445 page 4-446 page 4-447 page 4-448 page 4-449 page 4-450 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 443 GLOBAL CONFIGURATION COMMANDS 4.1.95.2.1 cache-max-recs web-filter-policy-config-mode commands Configures the maximum number of records (URL and Web page classification entries) cached in the local database Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax cache-max-recs <1-1000000>

Parameters cache-max-recs <1-1000000>

cache-max-recs

<1-1000000>

Specify the maximum number of records cached in the local database from 1 -

1000000. When configuring this value take into consideration the type of device using the Web Filter policy. The value should approximately be as per the following information:

NX95XX <1-1000000> (default is 100000) NX75XX <1-100000> (default is 10000) RFS Switches <1-10000> (default is 1000) Access Points <1-1500> (default is 500) Example nx9500-6C8809(config-web-filter-policy-test)#cache-max-recs 9000 nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test cache-max-recs 9000 nx9500-6C8809(config-web-filter-policy-test)#

Related Commands no Reverts the maximum number of stored records to default. Please see the parameter table for default values for the different device types. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 444 GLOBAL CONFIGURATION COMMANDS 4.1.95.2.2 cache-save-interval web-filter-policy-config-mode commands Configures the maximum time period, in seconds, for which a record (URL and Web page classification entry) is cached in the local database. Once the specified time has expired the record is removed from the cache. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax cache-save-interval <1-86400>

Parameters cache-save-interval <1-86400>

cache-save-interval

<1-86400>

Specify the maximum time period, in seconds, for which a record is cached in the local database from 1 - 86400 seconds. The default is 60 seconds. Example nx9500-6C8809(config-web-filter-policy-test)#cache-save-interval 1000 nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test cache-max-recs 9000 cache-save-interval 1000 nx9500-6C8809(config-web-filter-policy-test)#

Related Commands no Reverts the maximum time period for which a record (URL and Web page classification entry) is cached in the local database to default (60) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 445 GLOBAL CONFIGURATION COMMANDS 4.1.95.2.3 logging web-filter-policy-config-mode commands Configures the method used to log Web filtering events Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax logging [logfile|syslog]

Parameters logging [logfile|syslog]

logging

[logfile|syslog]

Selects the method used to log Web filtering events. The options are:

logfile Logs to a file. syslog Logs to the syslog server. This is the default setting. Example nx9500-6C8809(config-web-filter-policy-test)#logging logfile nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test logging logfile nx9500-6C8809(config-web-filter-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 446 GLOBAL CONFIGURATION COMMANDS 4.1.95.2.4 no web-filter-policy-config-mode commands Reverts the selected Web Filter policy settings to default, based on the parameters passed Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [cache-max-recs|cache-save-interval|server-host|server-unreachable|

uncategorized-url]

Parameters no <PARAMETERS>

no <PARAMETERS>

Reverts the selected Web Filter policy settings to default, based on the parameters passed. Specify the parameters to revert back to default value. Example The following example shows the Web Filter policy test settings before the no command is executed:

nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test cache-max-recs 9000 cache-save-interval 1000 uncategorized-url block server-unreachable block server-host ip-address 192.168.13.13 nx9500-6C8809(config-web-filter-policy-test)#

nx9500-6C8809(config-web-filter-policy-test)#no cache-max-recs nx9500-6C8809(config-web-filter-policy-test)#no server-unreachable nx9500-6C8809(config-web-filter-policy-test)#no uncategorized-url The following example shows the Web Filter policy test settings after the no command has been executed:

nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test cache-save-interval 1000 server-host ip-address 192.168.13.13 nx9500-6C8809(config-web-filter-policy-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 447 GLOBAL CONFIGURATION COMMANDS 4.1.95.2.5 server-host web-filter-policy-config-mode commands Configures the URL classification server in case it is not the adopted controller Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax server-host [host-name <SERVER-HOST-NAME>|ip-address <SERVER-IPv4>|mint-id

<SERVER-MiNT-ID>]

Parameters server-host [host-name <SERVER-HOST-NAME>|ip-address <SERVER-IPv4>|mint-id

<SERVER-MiNT-ID>]

server-host

[host-name

<SERVER-HOST-

NAME>|

ip-address

<SERVER-IPv4>|

mint-id

<SERVER-MiNT-ID>]

Use one of the following options to identify the URL classification server:

host-name <SERVER-HOST-NAME> Identifies the classification server by its hostname. ip-address <SERVER-IPv4> Identifies the classification server by its IP address. mint-id <SERVER-MiNT-ID> Identifies the classification server by its MiNT ID. Example nx9500-6C8809(config-web-filter-policy-test)#server-host ip-address 192.168.13.13 nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test cache-max-recs 9000 cache-save-interval 1000 server-host ip-address 192.168.13.13 nx9500-6C8809(config-web-filter-policy-test)#

Related Commands no Removes the URL classification servers configured details, such as hostname, ip-address, or MiNT ID. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 448 GLOBAL CONFIGURATION COMMANDS 4.1.95.2.6 server-unreachable web-filter-policy-config-mode commands Configures the action taken in case the classification server is unreachable. Based on the value configured the an end users request for a URL/Website is either blocked or passed. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax server-unreachable [block|pass]

Parameters server-unreachable [block|pass]

server-unreachable

[block|pass]

Configures the action taken in case the classification server is unreachable. The options are:

block Denies access to the requested URL/Website pass Allows access to the requested URL/Website. This is the default value. Example nx9500-6C8809(config-web-filter-policy-test)#server-unreachable block nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test cache-max-recs 9000 cache-save-interval 1000 server-unreachable block server-host ip-address 192.168.13.13 nx9500-6C8809(config-web-filter-policy-test)#

Related Commands no Reverts the action taken in case the classification server is unreachable to default

(pass) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 449 GLOBAL CONFIGURATION COMMANDS 4.1.95.2.7 uncategorized-url web-filter-policy-config-mode commands Configures the action taken in case the classification server fails to classify a URL/Website. Based on the value configured the an end users request for a non-classified URL/Website is either blocked or passed. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax uncategorized-url [block|pass]

Parameters uncategorized-url [block|pass]

uncategorized-url

[block|pass]

Configures the action taken in case the classification server fails to classify a URL/

Website. The options are:

block Denies access to the requested non-classified URL/Website pass Allows access to the requested non-classified URL/Website. This is the default value. Example nx9500-6C8809(config-web-filter-policy-test)#uncategorized-url block nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test cache-max-recs 9000 cache-save-interval 1000 uncategorized-url block server-unreachable block server-host ip-address 192.168.13.13 nx9500-6C8809(config-web-filter-policy-test)#

Related Commands no Reverts the action taken in case the classification server fails to classify a URL/

Website to default (pass) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 450 GLOBAL CONFIGURATION COMMANDS 4.1.96 wips-policy Global Configuration Commands Configures a WIPS policy Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax wips-policy <WIPS-POLICY-NAME>

Parameters wips-policy <WIPS-POLICY-NAME>

<WIPS-POLICY-

NAME>

Specify the WIPS policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#wips-policy test rfs6000-81742D(config-wips-policy-test)#?

Wips Policy Mode commands:

ap-detection Rogue AP detection enable Enable this wips policy event Configure an event history-throttle-duration Configure the duration for which event duplicates are not stored in history interference-event Specify events which will contribute to smart-rf wifi interference calculations no Negate a command or set its defaults signature Signature to configure use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-wips-policy-test)#

Related Commands no Removes an existing WIPS policy NOTE: For more information on WIPS policy commands, see Chapter 20, WIPS-

POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 451 GLOBAL CONFIGURATION COMMANDS 4.1.97 wlan Global Configuration Commands Configures a Wireless Local Area Network (WLAN) The following table lists WLAN configuration mode commands:

Table 4.53 WLAN-Policy Config Commands Description Creates a new wireless LAN and enters its configuration mode Summarizes WLAN configuration mode commands Reference page 4-453 page 4-457 Command wlan wlan-mode commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 452 GLOBAL CONFIGURATION COMMANDS 4.1.97.1 wlan wlan Configures a WLAN and enters its configuration mode. Use this command to modify an existing WLANs settings. A WLAN is a data-communications system that flexibly extends the functionality of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or Orthogonal Frequency Division Multiplexing (OFDM) modulation based technology. WLANs do not require lining up devices for line-of-

sight transmission, and are thus, desirable for wireless networking. Roaming users can be handed off from one access point to another, like a cellular phone system. WLANs can therefore be configured around the needs of specific user groups, even when they are not in physical proximity. WLANs can provide an abundance of services, including data communications (allowing mobile devices to access applications), e-mail, file, and print services or even specialty applications (such as guest access control and asset tracking). Each WLAN configuration contains encryption, authentication and QoS policies and conditions for user connections. Connected access point radios transmit periodic beacons for each BSS. A beacon advertises the SSID, security requirements, supported data rates of the wireless network to enable clients to locate and connect to the WLAN. WLANs are mapped to radios on each access point. A WLAN can be advertised from a single access point radio or can span multiple access points and radios. WLAN configurations can be defined to provide service to specific areas of a site. For example, a guest access WLAN may only be mapped to a 2.4 GHz radio in a lobby or conference room providing limited coverage, while a data WLAN is mapped to all 2.4 GHz and 5.0 GHz radios at the branch site to provide complete coverage. The maximum number of WLANs supported by different devices is as follows:

RFS4000 and RFS6000 wireless controllers 32 WLANs NX95XX series service platforms 1000 WLANs Access Points 16 WLANs Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax wlan {<WLAN-NAME>|containing <WLAN-NAME>}

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 453 GLOBAL CONFIGURATION COMMANDS Parameters wlan {<WLAN-NAME>|containing <WLAN-NAME>}

wlan

<WLAN-NAME>

containing

<WLAN-NAME>

Configures a new WLAN

<WLAN-NAME> Optional. Specify the WLAN name. The WLAN name could be a logical representation of its coverage area (for example, engineering, marketing, etc.).The name cannot exceed 32 characters. Optional. Configures an existing WLANs settings

<WLAN-NAME> Specify a sub-string in the WLAN name. Use this parameter to filter a WLAN. This option allows you to select and enter the configuration mode of one or more WLANs. Example rfs6000-81742D(config)#wlan 1 rfs6000-81742D(config-wlan-1)#?

Wireless LAN Mode commands:

accounting Configure how accounting records are created for this wlan acl Actions taken based on ACL configuration [packet drop being one of them]

answer-broadcast-probes Include this wlan when responding to probe requests that do not specify an SSID assoc-response Association response threshold association-list Configure the association list for the wlan authentication-type The authentication type of this WLAN bridging-mode Configure how packets to/from this wlan are bridged broadcast-dhcp Configure broadcast DHCP packet handling broadcast-ssid Advertise the SSID of the WLAN in beacons captive-portal-enforcement Enable captive-portal enforcement on the wlan client-access Enable client-access (normal data operations) on this wlan client-client-communication Allow switching of frames from one wireless client to another on this wlan client-load-balancing Configure load balancing of clients on this wlan controller-assisted-mobility Enable controller assisted mobility to determine wireless clients' VLAN assignment data-rates Specify the 802.11 rates to be supported on this wlan description Configure a description of the usage of this wlan downstream-group-addressed-forwarding Enable downstream group addressed forwarding of packets dpi Deep-Packet-Inspection (Application Assurance) dynamic-vlan-assignment Dynamic VLAN assignment configuration eap-types Configure client access based on eap-type used for authentication encryption-type Configure the encryption to use on this wlan enforce-dhcp Drop packets from Wireless Clients with static IP address fast-bss-transition Configure support for 802.11r Fast Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 454 GLOBAL CONFIGURATION COMMANDS BSS Transition http-analyze Enable HTTP URL analysis on the wlan ip Internet Protocol (IP) ipv6 Internet Protocol version 6 (IPv6) kerberos Configure kerberos authentication parameters mac-authentication Configure mac-authentication related parameters no Negate a command or set its defaults nsight Nsight Server opendns OpenDNS related config for this wlan protected-mgmt-frames Protected Management Frames (IEEE 802.11w) related configuration (DEMO FEATURE) proxy-arp-mode Configure handling of ARP requests with proxy-arp is enabled proxy-nd-mode Configure handling of IPv6 ND requests with proxy-nd is enabled qos-map Support the 802.11u QoS map element and frame radio-resource-measurement Configure support for 802.11k Radio Resource Measurement radius Configure RADIUS related parameters registration Enable dynamic registration of device

(or) user relay-agent Configure dhcp relay agent info shutdown Shutdown this wlan ssid Configure the Service Set Identifier for this WLAN t5-client-isolation Isolate traffic among clients t5-security Configure encryption and authentication time-based-access Configure client access based on time use Set setting to use vlan Configure the vlan where traffic from this wlan is mapped vlan-pool-member Add a member vlan to the pool of vlans for the wlan (Note:

configuration of a vlan-pool overrides the 'vlan' configuration) wep128 Configure WEP128 parameters wep64 Configure WEP64 parameters wing-extensions Enable support for WiNG-Specific extensions to 802.11 wireless-client Configure wireless-client specific parameters wpa-wpa2 Modify tkip-ccmp (wpa/wpa2) related parameters clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-wlan-1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 455 GLOBAL CONFIGURATION COMMANDS The following example shows how to use the containing keyword to enter the configuration mode of an existing WLAN:

rfs6000-81742D(config)#wlan containing wlan1 rfs6000-81742D(config-wlan-{'containing': 'wlan1'})#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 456 GLOBAL CONFIGURATION COMMANDS 4.1.97.2 wlan-mode commands wlan This section documents the WLAN configuration mode commands in detail. Use the (config) instance to configure WLAN related parameters. To navigate to this instance, use the following command:

<DEVICE>(config)#wlan <WLAN-NAME>

The following table summarizes WLAN configuration mode commands:

Table 4.54 WLAN-Mode Commands Description Defines a WLAN accounting configuration Defines the actions based on an ACL rule configuration Allows a WLAN to respond to probes for broadcast ESS Configures a minimum receive signal strength indication (RSSI) value, below which the WLAN does not send a response to a clients association request Attaches an existing global association list to a WLAN Sets a WLANs authentication type Configures how packets to/from this WLAN are bridged Configures broadcast DHCP packet handling Advertises a WLANs SSID in beacons Configures a WLANs captive portal enforcement Reference page 4-460 page 4-462 page 4-464 page 4-465 page 4-466 page 4-467 page 4-469 page 4-470 page 4-471 page 4-472 Enables WLAN client access (normal data operations) Allows the switching of frames from one wireless client to another on a WLAN Enables load balancing of WLAN clients page 4-473 page 4-474 page 4-475 Enables controller assisted mobility to determine wireless clients' VLAN assignment Specifies the 802.11 rates supported on the WLAN Sets a WLANs description Enables forwarding of downstream packets addressed to a group page 4-477 page 4-478 page 4-481 page 4-482 Command accounting acl answer-

broadcast-probes assoc-response association-list authentication-

type bridging-mode broadcast-dhcp broadcast-ssid captive-portal-

enforcement client-access client-client-

communication client-load-

balancing controller-

assisted-mobility data-rates description downstream-

group-addressed-

forwarding dpi dynamic-vlan-

assignment eap-types encryption-type Enables extraction of metadata flows on the WLAN Configures dynamic VLAN assignment on this WLAN Configures client access based on eap-type used for authentication Sets a WLANs encryption type page 4-483 page 4-485 page 4-486 page 4-488 4 - 457 Access Point, Wireless Controller and Service Platform CLI Reference Guide GLOBAL CONFIGURATION COMMANDS Table 4.54 WLAN-Mode Commands Description Drops packets from clients with a static IP address Command enforce-dhcp fast-bss-transition Configures support for 802.11r fast BSS transition on a WLAN http-analyze ip ipv6 kerberos mac-

authentication no nsight opendns Enables HTTP URL analysis on the WLAN Configures IPv4 settings on this WLAN Configures IPv6 settings on this WLAN Configures Kerberos authentication parameters Configures MAC authentication parameters Negates a command or reverts settings to their default Enables retention of guest client history in the NSight database Configures the device ID, which is embedded in each DNS query packet going out from an access point, wireless controller, or service platform to the OpenDNS server Enables and configures the WLAN's frame protection mode and security association Enables the proxy ARP mode for ARP requests Configures the proxy ND mode for this WLAN member clients as either strict or dynamic Enables support for 802.11u QoS map element and frames Enables support for 802.11k radio resource measurement Configures RADIUS parameters Configures settings enabling dynamic registration of devices. Use this command to specify the mode of registration and to configure corresponding parameters. Enables support for DHCP relay agent information (option 82) feature on this WLAN Auto shuts down a WLAN Configures a WLANs SSID shutdown ssid t5-client-isolation Disallows clients connecting to the WLAN to communicate with one protected-mgmt-

frames proxy-arp-mode proxy-nd-mode qos-map radio-resource-

measurement radius registration relay-agent t5-security time-based-

access use vlan vlan-pool-

member wep128 wep64 another Configures T5 PowerBroadband security settings Configures time-based client access Defines WLAN mode configuration settings Sets VLAN assignment for a WLAN Adds a member VLAN to the pool of VLANs for a WLAN Configures WEP128 parameters Configures WEP64 parameters Reference page 4-489 page 4-490 page 4-491 page 4-493 page 4-494 page 4-495 page 4-497 page 4-498 page 4-502 page 4-503 page 4-505 page 4-507 page 4-508 page 4-509 page 4-510 page 4-511 page 4-513 page 4-516 page 4-518 page 4-520 page 4-521 page 4-522 page 4-524 page 4-525 page 4-529 page 4-530 page 4-532 page 4-534 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 458 GLOBAL CONFIGURATION COMMANDS Table 4.54 WLAN-Mode Commands Command wing-extensions wireless-client wpa-wpa2 service Reference Description page 4-536 Enables support for WiNG specific extensions to 802.11 page 4-539 Configures the transmit power for wireless clients transmission page 4-542 Modifies TKIP and CCMP (WPA/WPA2) related parameters Invokes service commands applicable in the WLAN configuration mode page 4-545 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 459 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.1 accounting wlan-mode commands Defines the WLANs accounting configuration Accounting is the method of collecting user data, such as start and stop times, executed commands (for example, PPP), number of packets and number of bytes received and transmitted. This data is sent to the security server for billing, auditing, and reporting purposes. Accounting enables wireless network administrators to track the services and network resources accessed and consumed by users. When enabled, this feature allows the network access server to report and log user activity to a RADIUS security server in the form of accounting records. Each accounting record is comprised of AV pairs and is stored on the access control server. The data can be analyzed for network management, client billing, and/or auditing. Accounting methods must be defined through AAA policies. Accounting can be enabled and applied to access point, wireless controller, or service platform managed WLANs. Once enabled, it uniquely logs accounting events specific to the managed WLAN. Accounting logs contain information about the use of remote access services by users. This information is of great assistance in partitioning local versus remote users and how to best accommodate each. Remote user information can be archived to a location outside of the access point for periodic network and user permission administration. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax accounting [radius|syslog|wait-client-ip]

accounting [radius|wait-client-ip]

accounting syslog [host|mac-address-format]

accounting syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-

controller|through-rf-domain-manager]}

accounting syslog mac-address-format [middle-hyphen|no-delim|pair-colon|pair-

hyphen|quad-dot] case [lower|upper]

Parameters accounting [radius|wait-client-ip]

accounting radius accounting wait-client-ip Enables support for WLAN RADIUS accounting messages. This option is disabled by default. When enabled, the WLAN uses an external RADIUS resource for accounting. Use the use > aaa-policy > <AAA-POLICY-NAME> command to associate an appropriate AAA policy with this WLAN. This AAA policy should be existing and should define the accounting, authentication, and authorization parameters. Enables waiting for clients IP before commencing the accounting procedure Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 460 GLOBAL CONFIGURATION COMMANDS accounting syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-

controller|through-rf-domain-manager]}

accounting syslog host

<IP/HOSTNAME>

port <1-65535>

proxy-mode

[none|

through-controller|

through-rf-domain-

manager]

Enables support for WLAN syslog accounting messages in standard syslog format

(RFC 3164). This option is disabled by default. Configures a syslog destination hostname or IP address for accounting records

<IP/HOSTNAME> Specify the IP address or name of the destination host. Optional. Configures the syslog servers UDP port (this port is used to connect to the server)

<1-65535> Specify the port from 1 - 65535. Default port is 514. Optional. Configures the request proxying mode none Requests are directly sent to the server from the device through-controller Proxies requests through the controller (access point, wireless controller, or service platform) configuring the device through-rf-domain-manager Proxies requests through the local RF Domain manager accounting syslog mac-address-format [middle-hyphen|no-delim|pair-colon|pair-

hyphen|quad-dot] case [lower|upper]

Enables support for WLAN syslog accounting messages accounting syslog mac-address-format Configures the MAC address format used in syslog messages middle-hyphen no-delim pair-colon pair-hyphen Configures the MAC address format with middle hyphen (AABBCC-DDEEFF) Configures the MAC address format without delimitors (AABBCCDDEEFF) Configures the MAC address format with pair-colon delimitors (AA:BB:CC:DD:EE:FF) Configures the MAC address format with pair-hyphen deli mi tors (AA-BB-CC-DD-EE-

FF). This is the default setting. Configures the MAC address format with quad-dot delimitors (AABB.CCDD.EEFF) The following keywords are common to all:

case Specifies MAC address case (upper or lower) quad-dot case [lower|upper]

lower Specifies MAC address is filled in lower case (for example, aa-bb-cc-dd-ee-

ff) upper Specifies MAC address is filled in upper case (for example, AA-BB-CC-DD-

EE-FF) Example rfs6000-81742D(config-wlan-test)#accounting syslog host 172.16.10.4 port 2 proxy-

mode none rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none accounting syslog host 172.16.10.4 port 2 rfs6000-81742D(config-wlan-test)#

Related Commands no Disables sending of accounting message to the RADIUS server, disables syslog accounting, or disables waiting for clients IP before sending accounting messages Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 461 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.2 acl wlan-mode commands Defines the actions taken based on an ACL rule configuration Use the use > ip-access-list <IP-ACCESS-LIST-NAME> command to associate an ACL with the WLAN. The ACL rule is determined by the associated ACLs configuration. A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, a firewall can be thought of as mechanisms allowing and denying data traffic in respect to administrator defined rules. For an overview of firewalls, see FIREWALL-POLICY. WLANs use firewalls like Access Control Lists (ACLs) to filter/mark packets based on the WLAN from which they arrive, as opposed to filtering packets on layer 2 ports. An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies an action and a set of conditions (rules) a packet must satisfy to match the ACE. The order of conditions in the list is critical since filtering is stopped after the first match. IP based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC. Additionally, administrators can filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC Firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to WLAN packet traffic. Keep in mind IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax acl exceed-rate wireless-client-denied-traffic <0-1000000> {blacklist <0-86400>|

disassociate}

Parameters acl exceed-rate wireless-client-denied-traffic <0-1000000> {blacklist <0-86400>|

disassociate}

acl exceed-rate Sets the action taken based on an ACL rule configuration (for example, drop a packet) exceed-rate Action is taken when the rate exceeds a specified value Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 462 GLOBAL CONFIGURATION COMMANDS wireless-client-

denied-traffic

<0-1000000>

Sets the action to deny traffic to the wireless client when the rate exceeds the specified value

<0-1000000> Specify a allowed rate threshold of disallowed traffic in packets/sec. If enabled, this option allows an associated client, exceeding the thresholds configured for storm traffic, to be either de-authenticated or blacklisted depending on the action selected. This option is disabled by default. blacklist <0-86400> Optional. When enabled, sets the time interval, in seconds, to blacklist a wireless client.

<0-86400> Configures the blacklist duration from 0 - 86400 seconds. Offending clients are re-authenticated once the blacklist duration, configured here, has exceeded. disassociate Optional. When enabled, disassociates a wireless client Example rfs6000-81742D(config-wlan-test)#acl exceed-rate wireless-client-denied-traffic 20 disassociate rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none accounting syslog host 172.16.10.4 port 2 acl exceed-rate wireless-client-denied-traffic 20 disassociate rfs6000-81742D(config-wlan-test)#

Related Commands no Removes the action (de-authenticate or blacklist) to be taken when an associated client exceeds the thresholds configured for storm traffic Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 463 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.3 answer-broadcast-probes wlan-mode commands Allows the WLAN to respond to probe requests that do not specify a SSID. These probes are for broadcast ESS. This feature is enabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax answer-broadcast-probes Parameters None Example rfs6000-81742D(config-wlan-1)#answer-broadcast-probes rfs6000-81742D(config-wlan-1)#

Related Commands no Does not allow this WLAN to respond to probe requests that do not specify a SSID Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 464 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.4 assoc-response wlan-mode commands Configures the deny-threshold and rssi-threshold values. These threshold values are considered when responding to a clients association/authentication request. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax assoc-response [deny-threshold <1-12>|rssi-threshold <-100--40>]

Parameters assoc-response [deny-threshold <1-12>|rssi-threshold <-100--40>]

assoc-response deny-threshold

<1-12>

rssi-threshold

<-100--40>

Configures the association response thresholds Configures the number of times association/authentication request, from a client, is ignored if the RSSI is less than the configured RSSI threshold. This option is disabled by default.

<1-12> Specify the deny-threshold from 1 - 12. Configures an association response RSSI threshold value. If the RSSI is below the configured threshold value, the clients association/authentication request is ignored. This option is disabled by default. rssi-threshold <-100--40> Specify a value from -100 - -40 dBm. Example nx9500-6C8809(config-wlan-test)#assoc-response rssi-threshold -60 nx9500-6C8809(config-wlan-test)#assoc-response deny-threshold 4 nx9500-6C8809(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type none assoc-response rssi-threshold -60 assoc-response deny-threshold 4 registration user group-name guest expiry-time 2000 agreement-refresh 14400 nx9500-6C8809(config-wlan-test)#

Related Commands no Removes the configured deny-threshold and rssi-threshold values Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 465 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.5 association-list wlan-mode commands Attaches an existing global association list with this WLAN. For more information on global association lists, see global-association-list. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax association-list global <GLOBAL-ASSO-LIST-NAME>

Parameters association-list global <GLOBAL-ASSO-LIST-NAME>

association-list global <GLOBAL-

ASSO-LIST-NAME>

Attaches an existing global association list with this WLAN

<GLOBAL-ASSO-LIST-NAME> Specify the global association list name (should be existing and configured). Example rfs4000-229D58(config-wlan-test)#association-list global my-clients rfs4000-229D58(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none association-list global my-clients rfs4000-229D58(config-wlan-test)#

Related Commands no Removes the global association lists association with this WLAN Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 466 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.6 authentication-type wlan-mode commands Sets the WLANs authentication type Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none]

Parameters authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none]

authentication-type Configures a WLANs authentication type eap eap-mac eap-psk The authentication types are: EAP, EAP-MAC, EAP-PSK, Kerberos, MAC, and none. Configures EAP authentication (802.1X) EAP is the de-facto standard authentication method used to provide secure authenticated access to controller managed WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and strong encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption schemes to further protect user information forwarded over controller managed WLANs. The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case, the authentication server). An access point passes EAP packets from the client to an authentication server on the wired side of the access point. All other packet types are blocked until the authentication server

(typically, a RADIUS server) verifies the clients identity. If using EAP authentication ensure that a AAA policy is mapped to the WLAN. Configures EAP or MAC authentication depending on client. (This setting is valid only with the None encryption type. EAP-MAC is useful when in a hotspot environment, as some clients support EAP and an administrator may want to authenticate based on just the MAC address of the device. Configures EAP authentication or pre-shared keys depending on client (This setting is only valid with Temporal Key Integrity Protocol (TKIP) or Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption types). When using PSK with EAP, the controller sends a packet requesting a secure link using a pre-shared key. The controller and authenticating device must use the same authenticating algorithm and pass code during authentication. EAP-PSK is useful when transitioning from a PSK network to one that supports EAP. If using eap-psk authentication ensure that a AAA policy is mapped to the WLAN. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 467 GLOBAL CONFIGURATION COMMANDS Configures Kerberos authentication (encryption will change to WEP128 if its not already WEP128 or Keyguard) Kerberos (designed and developed by MIT) provides strong authentication for client/

server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection. Once a client and server use Kerberos to validate their identity, they encrypt all communications to assure privacy and data integrity. Kerberos can only be used on the access point with 802.11b clients. Kerberos uses Network Time Protocol (NTP) for synchronizing the clocks of its Key Distribution Center (KDC) server(s). Configures MAC authentication (RADIUS lookup of MAC address) MAC is a device level authentication method used to augment other security schemes when legacy devices are deployed using static WEP. MAC authentication can be used for device level authentication by permitting WLAN access based on device MAC address. MAC authentication is typically used to augment WLAN security options that do not use authentication (such as static WEP, WPA-PSK and WPA2-PSK) MAC authentication can also be used to assign VLAN memberships, Firewall policies and time and date restrictions. MAC authentication can only identify devices, not users. If using mac authentication ensure that an AAA policy is mapped to the WLAN. No authentication is used or the client uses pre-shared keys. This is the default value. kerberos mac none Example rfs6000-81742D(config-wlan-test)#authentication-type eap rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type eap accounting syslog host 172.16.10.4 port 2 acl exceed-rate wireless-client-denied-traffic 20 disassociate rfs6000-81742D(config-wlan-test)#

Related Commands no Resets the authentication mode used with this WLAN to default (none/pre-shared keys) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 468 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.7 bridging-mode wlan-mode commands Configures how packets are bridged to and from a WLAN Use this command to define which VLANs are bridged, and how local VLANs are bridged between the wired and wireless sides of the network. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax bridging-mode [local|tunnel]

Parameters bridging-mode [local|tunnel]

Configures how packets are bridged to and from a WLAN. The options are local and tunnel. Bridges packets between WLAN and local ethernet ports. This is the default mode. Tunnels packets to other devices (typically a wireless controller or service platform) bridging-mode local tunnel Example rfs6000-81742D(config-wlan-test)#bridging-mode local rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type eap accounting syslog host 172.16.10.4 port 2 acl exceed-rate wireless-client-denied-traffic 20 disassociate rfs6000-81742D(config-wlan-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 469 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.8 broadcast-dhcp wlan-mode commands Configures broadcast DHCP packet handling parameters Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax broadcast-dhcp validate-offer Parameters broadcast-dhcp validate-offer validate-offer Enables validation of the broadcast DHCP packet destination (a wireless client associated to the radio) before forwarding over the air. This option is disabled by default. Example rfs6000-81742D(config-wlan-test)#broadcast-dhcp validate-offer rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type eap accounting syslog host 172.16.10.4 port 2 acl exceed-rate wireless-client-denied-traffic 20 disassociate broadcast-dhcp validate-offer rfs6000-81742D(config-wlan-test)#

Related Commands no Disables validation of the broadcast DHCP packet destination (a wireless client associated to the radio) before forwarding over the air Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 470 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.9 broadcast-ssid wlan-mode commands Advertises the WLAN SSID in beacons. If a hacker tries to isolate and hack a SSID from a client, the SSID will display since the ESSID is in the beacon. This feature is enabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax broadcast-ssid Parameters None Example rfs6000-81742D(config-wlan-1)#broadcast-ssid rfs6000-81742D(config-wlan-1)#

Related Commands no Disables the broadcasting of the WLANs SSID in beacons Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 471 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.10 captive-portal-enforcement wlan-mode commands Configures the captive portal enforcement on this WLAN. When enabled, provides successfully authenticated guests temporary and restricted access to the network. If enforcing captive-portal authentication, specify the captive-portal policy to use. For more information, see use. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax captive-portal-enforcement {fall-back}

Parameters captive-portal-enforcement {fall-back}

captive-portal-

enforcement fall-back Enables captive portal enforcement on a WLAN. This option is disabled by default. Optional. Enforces captive portal validation if WLAN authentication fails (applicable to EAP or MAC authentication only) Example rfs6000-81742D(config-wlan-test)#captive-portal-enforcement fall-back rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type eap accounting syslog host 172.16.10.4 port 2 captive-portal-enforcement fall-back acl exceed-rate wireless-client-denied-traffic 20 disassociate broadcast-dhcp validate-offer rfs6000-81742D(config-wlan-test)#

Related Commands no Disables captive portal enforcement Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 472 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.11 client-access wlan-mode commands Enables WLAN client access (for normal data operations) Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax client-access Parameters None Example rfs6000-81742D(config-wlan-1)#client-access rfs6000-81742D(config-wlan-1)#

Related Commands no Disables WLAN client access Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 473 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.12 client-client-communication wlan-mode commands Allows frame switching from one client to another on a WLAN This option is enabled by default. It allows clients to exchange packets with other clients. It does not necessarily prevent clients on other WLANs from sending packets to this WLAN, but as long as this setting is also disabled on that WLAN, clients are not permitted to interoperate. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax client-client-communication Parameters None Example rfs6000-81742D(config-wlan-1)#client-client-communication rfs6000-81742D(config-wlan-1)#

Related Commands no Disables frame switching from one client to another on a WLAN Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 474 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.13 client-load-balancing wlan-mode commands Enforces client load balancing on a WLANs access point radios. AP6522, AP6532, AP6562, AP81XX, and AP82XX models can support 256 clients per access point. AP6511 and AP6521 models can support up to 128 clients per access point. When enforced, loads are balanced by ignoring association and probe requests. Probe and association requests are not responded to, forcing a client to associate with another access point radio. This feature is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax client-load-balancing {allow-single-band-clients|band-discovery-intvl|

capability-ageout-time|max-probe-req|probe-req-invl}

client-load-balancing {allow-single-band-clients [2.4ghz|5ghz]|band-discovery-

intvl <0-10000>|capability-ageout-time <0-10000>}

client-load-balancing {max-probe-req|probe-req-intvl} [2.4ghz|5ghz] <0-10000>

Parameters client-load-balancing {allow-single-band-clients [2.4ghz|5ghz]|band-discovery-

intvl <0-10000>|capability-ageout-time <0-10000>}

band-discovery-intvl

<0-10000>

client-load-balancing Configures client load balancing on a WLAN allow-single-band-

clients [2.4ghz|5ghz]

Optional. Allows single band clients to associate even during load balancing 2.4ghz Enables load balancing across 2.4 GHz channels 5ghz Enables load balancing across 5.0 GHz channels This option is enabled by default for 2.4 and 5.0 GHz radios. Optional. Configures the interval to discover a client's band capability before connection

<0-10000> Specify a value from 0 - 10000 seconds. The default is 10 seconds. Optional. Configures a client's capability ageout interval. This is the time for which a clients capabilities are retained in the devices internal table. Once this time is exceeded the clients capabilities are aged out.

<0-10000> Specify a value from 0 - 10000 seconds. The default is 3600 seconds. client-load-balancing {max-probe-req|probe-req-intvl} [2.4ghz|5ghz] <0-10000>

capability-ageout-

time <0-10000>

client-load-balancing Configures WLAN client load balancing max-probe-req

[2.4ghz|5ghz]

<0-10000>

Optional. Configures client probe request interval limits for device association 2.4ghz Configures maximum client probe requests on 2.4 GHz radios 5ghz Configures maximum client probe requests on 5.0 GHz radios

<0-10000> Specify a client probe request threshold from 0 - 10000. The default for both 2.4 and 5.0 GHz radios is 60. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 475 GLOBAL CONFIGURATION COMMANDS probe-req-intvl

[2.4ghz|5ghz]

<0-10000>

Optional. Configures client probe request interval limits for device association 2.4ghz Configures the client probe request interval on 2.4 GHz radios 5ghz Configures the client probe request interval on 5.0 GHz radios

<0-10000> Specify a value from 0 - 10000. The default for both 2.4 and 5.0 GHz radios is 10 seconds. Example rfs6000-81742D(config-wlan-test)#client-load-balancing band-discovery-intvl 2 rfs6000-81742D(config-wlan-test)#client-load-balancing probe-req-intvl 5ghz 5 rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type eap accounting syslog host 172.16.10.4 port 2 client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 captive-portal-enforcement fall-back acl exceed-rate wireless-client-denied-traffic 20 disassociate broadcast-dhcp validate-offer rfs6000-81742D(config-wlan-test)#

Related Commands no Disables client load balancing on a WLANs access point radios Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 476 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.14 controller-assisted-mobility wlan-mode commands Enables controller or service platform assisted mobility to determine a wireless clients VLAN assignment. When enabled, a controller or service platforms mobility database is used to assist in roaming between RF Domains. This option is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax controller-assisted-mobility Parameters None Example rfs4000-229D58(config-wlan-test)#controller-assisted-mobility rfs4000-229D58(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none controller-assisted-mobility rfs4000-229D58(config-wlan-test)#

Related Commands no Disables controller or service platform assisted mobility to determine a wireless clients VLAN assignment Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 477 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.15 data-rates wlan-mode commands Specifies the 802.11 rates supported on a WLAN Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax data-rates [2.4GHz|5GHz]

data-rates 2.4GHz [b-only|bg|bgn|custom|default|g-only|gn]

data-rates 2.4GHz custom [1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|

basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|

basic-6|basic-9|basic-mcs-1s|mcs-1s|mcs-2s|mcs-3s]

data-rates 5GHz [a-only|an|custom|default]

data-rates 5GHz custom [12|18|24|36|48|54|6|9|basic-1|basic-11|basic-12|

basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|

basic-mcs-1s|mcs-1s|mcs2s|mcs3s]

Parameters data-rates 2.4GHz [b-only|bg|bgn|default|g-only|gn]

data-rates b-only bg bgn default g-only gn Specifies the 802.11 rates supported when mapped to a 2.4 GHz radio Uses rates that support only 11b clients Uses rates that support both 11b and 11g clients Uses rates that support 11b, 11g and 11n clients Uses the default rates configured for a 2.4 GHz radio Uses rates that support operation in 11g only Uses rates that support 11g and 11n clients data-rates 5GHz [a-only|an|default]

data-rates a-only an default Specifies the 802.11 rates supported when mapped to a 5.0 GHz radio Uses rates that support operation in 11a only Uses rates that support 11a and 11n clients Uses default rates configured for a 5.0 GHz data-rates [2.4GHz|5GHz] custom [1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|

basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|

basic-54|basic-6|basic-9|basic-mcs-1s|mcs-1s|mcs-2s|mcs-3s]

data-rates

[2.4GHz|5GHz]

Specifies the 802.11 rates supported when mapped to a 2.4 GHz or 5.0 GHz radio Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 478 custom 1,11,2,5.5

[12,18,24,36,48,54,6,9, basic-1,basic-11, basic-12,basic-18, basic-2,basic-36, basic-48,basic-5.5, basic-54,basic-6, basic-9, basic-mcs-1s, mcs-1s,mcs2s, mcs-3s]

GLOBAL CONFIGURATION COMMANDS Configures a data rates list by specifying each rate individually. Use 'basic-' prefix before a rate to indicate it is used as a basic rate (For example, 'data-rates custom basic-1 basic-2 5.5 11'). The data-rates for 2.4 GHz and 5.0 GHz channels are the same with a few exceptions. The 2.4 GHz channel has a few extra data rates: 1, 11, 2, and 5.5. The following data rates are specific to the 2.4 GHz channel:

1 1-Mbps 11 11-Mbps 2 2-Mbps 5.5 5.5-Mbps The following data rates are common to both the 2.4 GHz and 5.0 GHz channels:

12 12 Mbps 18 18-Mbps 24 24 Mbps 36 36-Mbps 48 48-Mbps 54 54-Mbps 6 6-Mbps 9 9-Mbps basic-1 basic 1-Mbps basic-11 basic 11-Mbps basic-12 basic 12-Mbps basic-18 basic 18-Mbps basic-2 basic 2-Mbps basic-36 basic 36-Mbps basic-48 basic 48-Mbps basic-5.5 basic 5.5-Mbps basic-54 basic 54-Mbps basic-6 basic 6-Mbps basic-9 basic 9-Mbps basic-mcs-1s Modulation and coding scheme data rates for 1 Spatial Stream mcs-1s Applicable to 1-spatial stream data rates mcs-2s Applicable to 2-spatial stream data rates mcs-3s Applicable to 3-spatial stream data rates Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 479 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-wlan-test)#data-rates 2.4GHz gn rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type eap accounting syslog host 172.16.10.4 port 2 data-rates 2.4GHz gn client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 captive-portal-enforcement fall-back acl exceed-rate wireless-client-denied-traffic 20 disassociate broadcast-dhcp validate-offer rfs6000-81742D(config-wlan-test)#

Related Commands no Resets the 802.11 data rates supported on a WLAN for the 2.4 GHz or 5.0 GHz radios Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 480 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.16 description wlan-mode commands Defines the WLAN description Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax description <LINE>

Parameters description <LINE>

<LINE>

Example Specify a WLAN description The WLANs description should help differentiate it from others with similar configurations. The description should not exceed 64 characters. rfs6000-81742D(config-wlan-test)#description TestWLAN rfs6000-81742D(config-wlan-test)#show context wlan test description TestWLAN ssid test bridging-mode local encryption-type none authentication-type eap accounting syslog host 172.16.10.4 port 2 data-rates 2.4GHz gn client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 captive-portal-enforcement fall-back acl exceed-rate wireless-client-denied-traffic 20 disassociate broadcast-dhcp validate-offer rfs6000-81742D(config-wlan-test)#

Related Commands no Removes a WLANs configured description Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 481 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.17 downstream-group-addressed-forwarding wlan-mode commands Enables forwarding of downstream broadcast/multicast (BC/MC) packets to a group on this WLAN. This feature is enabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax downstream-group-addressed-forwarding Parameters None Example rfs4000-229D58(config-wlan-test)#downstream-group-addressed-forwarding rfs4000-229D58(config-wlan-test)#

Related Commands no Disables forwarding of downstream BCMC packets to a group on this WLAN Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 482 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.18 dpi wlan-mode commands Enables DPI on this WLAN. When enabled, all traffic is subjected to DPI for detection of applications, application categories, custom applications, and metadata extraction. DPI is an advanced packet analysis technique, which analyzes packet and packet content headers to determine the nature of network traffic. When enabled, DPI inspects packets of all flows to identify applications (such as, Netflix, Twitter, Facebook, etc.) and extract metadata (such as, host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dpi metadata [http|ssl|tcp-rtt|voice-video]

Parameters dpi metadata [http|ssl|tcp-rtt|voice-video]

dpi metadata

[http|ssl|tcp-rtt|

voice-video]

Enables extraction of the following metadata flows:

http Extracts HTTP flows. When enabled, administrators can track HTTP Websites accessed by both internal and guest clients and visualize HTTP data usage, hits, active time and total clients on the NSight applications dashboard. This setting is disabled by default. ssl Extracts SSL flows. When enabled, administrators can track SSL Websites accessed by both internal and guest clients and visualize SSL data usage, hits, active time and total clients on the NSight applications dashboard.This setting is disabled by default tcp-rtt Extracts Round Trip Time (RTT) information from Transmission Control Protocol (TCP) flows. However, this TCP-RTT metadata is viewable only on the NSight dashboard. Therefore, ensure the NSight server is up and NSight analytics data collection is enabled. voice-video Extracts voice and video flows. When enabled, voice and video calls can be tracked by extracting parameters, such as packets transferred and lost, jitter, and application name. Most Enterprise VoIP applications like facetime, skype for business and VoIP terminals can be monitored for call quality and visualized on the NSight dashboard in manner similar to HTTP and SSL. Call quality and metrics can only be determined from calls established unencrypted. This setting is disabled by default. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 483 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-wlan-test)#dpi metadata http rfs6000-81742D(config-wlan-test)#dpi metadata ssl rfs6000-81742D(config-wlan-test)#dpi metadata voice-video rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none dpi metadata voice-video dpi metadata http dpi metadata ssl rfs6000-81742D(config-wlan-test)#

Related Commands no Disables extraction of metadata flows on the WLAN Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 484 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.19 dynamic-vlan-assignment wlan-mode commands Enables dynamic VLAN assignment on this WLAN, and adds or removes VLANs for the selected WLAN. Configure this feature to allow an override to the WLAN configuration. If, as part of the authentication process, the RADIUS server returns a client's VLAN-ID in a RADIUS Access-Accept packet, and this feature is enabled, all client traffic is forward on that VLAN. If disabled, the RADIUS server returns VLAN-ID is ignored and the WLANs VLAN configuration is used. For more information, see vlan. This option is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dynamic-vlan-assignment allowed-vlans <VLAN-ID>

Parameters dynamic-vlan-assignment allowed-vlans <VLAN-ID>

dynamic-vlan-

assignment allowed-vlans

<VLAN-ID>

Enables dynamic VLAN assignment and configures a list of VLAN IDs or VLAN alias allowed access to the WLAN Specify the list of VLAN IDs or the VLAN alias names. For example, 10-20, 25, 30-35,

$guest. For information on VLAN aliases, see alias. Example rfs4000-229D58(config-wlan-test)#dynamic-vlan-assignment allowed-vlans 10-20 rfs4000-229D58(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none dynamic-vlan-assignment allowed-vlans 10-20 rfs4000-229D58(config-wlan-test)#

Related Commands no Disables dynamic VLAN assignment on this WLAN Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 485 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.20 eap-types wlan-mode commands Configures client access based on the EAP type used Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax eap-types [allow|deny] [aka|all|fast|peap|sim|tls|ttls] {(aka|all|fast|peap|sim|

tls|ttls)}

Parameters eap-types [allow|deny] [aka|all|fast|peap|sim|tls|ttls] {(aka|all|fast|

peap|sim|tls|ttls)}

eap-types

[allow|deny]

[aka|all|fast|peap|sim|

tls|ttls]

Configures a list of allowed or denied EAP types allow Configures a list of EAP types allowed for WLAN client authentication deny Configures a list of EAP types not allowed for WLAN client authentication The following EAP types are common to the allow and deny keywords:

aka Configures EAP Authentication and Key Agreement (AKA) and EAP-AKA (AKA Prime). EAP-AKA is one of the methods in the EAP authentication framework. It uses Universal Mobile Telecommunications System (UMTS) and Universal Subscriber Identity Module (USIM) for client authentication and key distribution. all Allows or denies usage of all EAP types on the WLAN. This is the default setting. fast Configures EAP Flexible Authentication via Secure Tunneling (FAST). EAP-FAST establishes a Transport Layer Security (TLS) tunnel, to verify client credentials, using Protected Access Credentials (PAC). peap Configures Protected Extensible Authentication Protocol (PEAP). PEAP or Protected EAP uses encrypted and authenticated TLS tunnel to encapsulate EAP. sim Configures EAP Subscriber Identity Module (SIM). EAP-SIM uses Global System for Mobile Communications (GSMC) SIM for client authentication and key distribution. tls Configures EAP Transport Layer Security (TLS). EAP-TLS is an EAP authentication method that uses PKI to communicate with a RADIUS server or any other authentication server. ttls Configures Tunneled Transport Layer Security (TTLS). EAP-TTLS is an extension of TLS. Unlike TLS, TTLS does not require every client to generate and install a CA-

signed certificate. These options are recursive, and more than one EAP type can be selected. The selected options are added to the allowed or denied EAP types list. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 486 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-wlan-test)#eap-types allow fast sim tls rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none eap-types allow fast sim tls rfs6000-81742D(config-wlan-test)#

Related Commands no Reverts to default setting - eap-types allow all Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 487 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.21 encryption-type wlan-mode commands Sets a WLANs encryption type Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax encryption-type [ccmp|keyguard|none|tkip-ccmp|wep128|web128-keyguard|wep64]

Parameters encryption-type [ccmp|keyguard|none|tkip-ccmp|wep128|web128-keyguard|wep64]

encryption-type ccmp keyguard none tkip-ccmp wep128 wep128-keyguard wep64 Configures the WLANs data encryption parameters Configures Advanced Encryption Standard (AES) Counter Mode CBC-MAC Protocol

(AES-CCM/CCMP) Configures Keyguard-MCM (Mobile Computing Mode) No encryption used. This is the default setting. Configures the TKIP and AES-CCM/CCMP encryption modes Configures WEP with 128 bit keys Configures WEP128 as well as Keyguard-MCM encryption modes Configures WEP with 64 bit keys. A WEP64 configuration is insecure when two WLANs are mapped to the same VLAN, and one uses no encryption while the other uses WEP. Example rfs6000-81742Dconfig-wlan-test)#encryption-type tkip-ccmp rfs6000-81742D(config-wlan-test)#show context wlan test description TestWLAN ssid test bridging-mode local encryption-type tkip-ccmp authentication-type eap accounting syslog host 172.16.10.4 port 2 data-rates 2.4GHz gn client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 captive-portal-enforcement fall-back acl exceed-rate wireless-client-denied-traffic 20 disassociate broadcast-dhcp validate-offer rfs6000-81742D(config-wlan-test)#

Related Commands no Resets the WLANs encryption type to default (none) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 488 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.22 enforce-dhcp wlan-mode commands Enables dropping of packets from clients with a static IP address. This option is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax enforce-dhcp Parameters None Example rfs6000-81742D(config-wlan-test)#enforce-dhcp rfs6000-81742D(config-wlan-test)#show context wlan test description TestWLAN ssid test bridging-mode local encryption-type tkip-ccmp authentication-type eap accounting syslog host 172.16.10.4 port 2 data-rates 2.4GHz gn client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 captive-portal-enforcement fall-back acl exceed-rate wireless-client-denied-traffic 20 disassociate enforce-dhcp broadcast-dhcp validate-offer rfs6000-81742D(config-wlan-test)#

Related Commands no Disables dropping of packets from clients with a static IP address Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 489 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.23 fast-bss-transition wlan-mode commands Enables support for 802.11r Fast-BSS Transition (FT) on the selected WLAN. This feature is disabled by default. 802.11r is an attempt to undo the burden that security and QoS added to the handoff process, and restore it back to an original four message exchange process. The central application for the 802.11r standard is VOIP using mobile phones within wireless Internet networks. 802.11r FT redefines the security key negotiation protocol, allowing parallel processing of negotiation and requests for wireless resources. Enabling FT standards provides wireless clients fast, secure and seamless transfer from one base station to another, ensuring continuous connectivity. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax fast-bss-transition {over-ds}

Parameters fast-bss-transition {over-ds}

fast-bss-transition over-ds Enables 802.11r FT support on this WLAN over-ds Optional. Enables 802.11r client roaming over the Distribution System (DS). When enabled, all client communication with the target AP is via the current AP. This communication, carried in FT action frames, is first sent by the client to the current AP, then forwarded to the target AP through the controller. Example rfs6000-81742D(config-wlan-test)#fast-bss-transition rfs6000-81742D(config-wlan-test)#show context wlan test ssid test vlan 1 bridging-mode tunnel encryption-type none authentication-type none fast-bss-transition rfs6000-81742D(config-wlan-test)#

Related Commands no Disables support for 802.11r Fast-BSS Transition (FT) on a WLAN Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 490 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.24 http-analyze wlan-mode commands Enables HTTP URL analysis on the WLAN Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax http-analyze [filter|syslog]

http-analyze filter [images|post|query-string]

http-analyze syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|

through-controller|through-rf-domain-manager]}

Parameters http-analyze filter [images|post|query-string]

filter images post query-string Filters URLs, based on the parameters set, before forwarding them Filters out URLs referring to images (does not forward URL requesting images) Filters out URLs requesting POST (does not forward POST requests). This option is disabled by default. Removes query strings from URLs before forwarding them (forwards requests and no data). This option is disabled by default. http-analyze syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|

through-controller|through-rf-domain-manager]}

syslog host <IP/

HOSTNAME>

port <1-65535>

proxy-mode

[none|

through-controller|

through-rf-domain-

manager]

Forwards client and URL information to a syslog server host <IP/HOSTNAME> Specify the syslog servers IP address or hostname Optional. Specifies the UDP port to connect to the syslog server from 1 - 65535 Optional. Specifies if the request is to be proxied through another device none Requests are sent directly to syslog server from device through-controller Proxies requests, to the syslog server, through the controller configuring the device through-rf-domain-manager Proxies requests, to the syslog server, through the local RF Domain manager Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 491 GLOBAL CONFIGURATION COMMANDS Example rfs4000-229D58(config-wlan-test)#http-analyze syslog host 192.168.13.10 port 21 proxy-mode through-controller rfs4000-229D58(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none http-analyze syslog host 192.168.13.10 port 21 proxy-mode through-controller rfs4000-229D58(config-wlan-test)#

Related Commands no Disables HTTP URL analysis on the WLAN Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 492 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.25 ip wlan-mode commands Configures Internet Protocol (IP) settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ip [arp|dhcp]

ip arp [header-mismatch-validation|trust]

ip dhcp trust Parameters ip arp [header-mismatch-validation|trust]

ip arp header-mismatch-

validation trust Configures the IP settings for ARP packets Verifies mismatch of source MAC address in the ARP and Ethernet headers. This option is enabled by default. Sets ARP responses as trusted for a WLAN/range. This option is disabled by default. ip dhcp trust ip dhcp trust Configures the IP settings for DHCP packets Sets DHCP responses as trusted for a WLAN/range. This option is disabled by default. Example rfs6000-81742D(config-wlan-test)#ip dhcp trust rfs6000-81742D(config-wlan-test)#show context wlan test description TestWLAN ssid test bridging-mode local encryption-type tkip-ccmp authentication-type eap accounting syslog host 172.16.10.4 port 2 data-rates 2.4GHz gn client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 captive-portal-enforcement fall-back ip dhcp trust acl exceed-rate wireless-client-denied-traffic 20 disassociate enforce-dhcp broadcast-dhcp validate-offer http-analyze controller rfs6000-81742D(config-wlan-test)#

Related Commands no Resets IP ARP or DHCP trust parameters to default. ARP trust is disabled, ARP mismatch verification is enabled, or DHCP trust is disabled. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 493 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.26 ipv6 wlan-mode commands Sets the DHCPv6 and ICMPv6 neighbor discovery (ND) components for this WLAN Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ipv6 [dhcpv6|nd]

ipv6 dhcpv6 trust ipv6 nd [header-mismatch-validation|raguard|trust]

Parameters ipv6 dhcpv6 trust ipv6 dhcpv6 trust Enables DHCPv6 trust state for DHCPv6 responses on this WLAN. When enabled, all DHCPv6 responses received on this WLAN are trusted and forwarded. This option is disabled by default. ipv6 nd [header-mismatch-validation|raguard|trust]

ipv6 nd header-mismatch-

validation raguard trust Example Sets the IPv6 ND settings for this WLAN Checks for mismatch of source MAC address in the ICMPv6 ND message and Ethernet header (link layer option). This option is enabled by default. Allows redirection of router advertisements (RAs) and ICMPv6 packets originating on this WLAN. This option is disabled by default. Enables trust state for ND requests received on this WLAN. When enabled, all ND requests on an IPv6 firewall, on this WLAN, are trusted. This option is disabled by default. rfs6000-81742D(config-wlan-test)#ipv6 dhcpv6 trust rfs6000-81742D(config-wlan-test)#ipv6 nd trust rfs6000-81742D(config-wlan-test)#show context wlan test ssid test vlan 1 bridging-mode tunnel encryption-type none authentication-type none ipv6 dhcpv6 trust ipv6 nd trust rfs6000-81742D(config-wlan-test)#

Related Commands no Resets IPv6 ND or DHCPv6 trust parameters to default. ND request trust is disabled, ND header mismatch verification is enabled, ND RA and ICMPv6 redirection is disabled, or DHCPv6 trust is disabled. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 494 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.27 kerberos wlan-mode commands Configures Kerberos authentication parameters on a WLAN Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection. Once a client and server use Kerberos to validate their identity, they encrypt all communications to assure privacy and data integrity. Kerberos can only be used on the access point with 802.11b clients. Kerberos uses Network Time Protocol (NTP) for synchronizing the clocks of its Key Distribution Center (KDC) server(s). Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax kerberos [password|realm|server]

kerberos password [0 <LINE>|2 <LINE>|<LINE>]

kerberos realm <REALM>

kerberos server [primary|secondary|timeout]

kerberos server [primary|secondary] host <IP/HOSTNAME> {port <1-65535>}

kerberos server timeout <1-60>

Parameters kerberos password [0 <LINE>|2 <LINE>|<LINE>]

kerberos password Configures a WLANs Kerberos authentication parameters The parameters are: password, realm, and server. Configures a Kerberos KDC server password. The password should not exceed 127 characters. The password options are:

0 <LINE> Configures a clear text password 2 <LINE> Configures an encrypted password

<LINE> Specify the password. kerberos realm <REALM>

kerberos realm <REALM>

Configures a WLANs Kerberos authentication parameters The parameters are: password, realm, and server. Configures a Kerberos KDC server realm. The REALM should not exceed 127 characters. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 495 GLOBAL CONFIGURATION COMMANDS kerberos server [primary|secondary] host <IP/HOSTNAME> {port <1-65535>}

kerberos server

[primary|secondary]

Configures a WLANs Kerberos authentication parameters The parameters are: password, realm, and server. Configures the primary and secondary KDC server parameters primary Configures the primary KDC server parameters secondary Configures the secondary KDC server parameters host <IP/HOSTNAME> Sets the primary or secondary KDC server address port <1-65535>

<IP/HOSTNAME> Specify the IP address or name of the KDC server. Optional. Configures the UDP port used to connect to the KDC server

<1-65535> Specify the port from 1 - 65535. The default is 88. kerberos server timeout <1-60>

kerberos timeout <1-60>

Configures a WLANs Kerberos authentication parameters The parameters are: password, realm, and server. Modifies the Kerberos KDC servers timeout parameters

<1-60> Specifies the wait time for a response from the Kerberos KDC server before retrying. Specify a value from 1 - 60 seconds. Example rfs6000-81742D(config-wlan-test)#kerberos server timeout 12 rfs6000-81742D(config-wlan-test)#kerberos server primary host 172.16.10.2 port 88 rfs6000-81742D(config-wlan-test)#show context wlan test description TestWLAN ssid test bridging-mode local encryption-type tkip-ccmp authentication-type eap kerberos server timeout 12 kerberos server primary host 172.16.10.2 accounting syslog host 172.16.10.4 port 2 data-rates 2.4GHz gn client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 captive-portal-enforcement fall-back ip dhcp trust acl exceed-rate wireless-client-denied-traffic 20 disassociate enforce-dhcp broadcast-dhcp validate-offer http-analyze controller rfs6000-81742D(config-wlan-test)#

Related Commands no Removes Kerberos authentication related parameters on a WLAN Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 496 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.28 mac-authentication wlan-mode commands Enables MAC authentication. When enabled, the system uses cached credentials (RADIUS server lookups are skipped) to authenticate clients. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mac-authentication [cached-credentials|enforce-always]

Parameters mac-authentication [cached-credentials|enforce-always]

mac-authentication cached-credentials enforce-always Enables MAC authentication on this WLAN and configures related parameters Uses cached credentials to skip RADIUS lookups. This option is disabled by default. Enforces MAC authentication on this WLAN. When enabled, MAC authentication is enforced, each time a client logs in, even when the authentication type specified

(using the authentication-type command) is not MAC authentication. This option is disabled by default. Example rfs4000-229D58(config-wlan-test)#mac-authentication cached-credentials rfs4000-229D58(config-wlan-test)#

Related Commands no Disables MAC authentication related parameters: Disables use of cached credentials to skip RADIUS lookups, or disables enforcement of MAC authentication on this WLAN. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 497 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.29 no wlan-mode commands Negates WLAN mode commands and reverts values to their default Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [accounting|acl|answer-broadcast-probes|assoc-response|association-list|

authentication-type|broadcast-dhcp|broadcast-ssid|captive-portal-enforcement|

client-access|client-client-communication|client-load-balancing|

controller-assisted-mobility|data-rates|description|downstream-group-addressed-

forwarding|dpi|dynamic-vlan-assignment|eap-types|encryption-type|enforce-

dhcp|fast-bss-transition|http-analyze|ip|ipv6|kerberos|mac-authentication|

nsight|opendns|protected-mgmt-frames|proxy-arp-mode|proxy-nd-mode|qos-map|radio-

resource-measurement|radius|registration|relay-agent|shutdown|ssid|t5-client-

isolation|t5-security|time-based-access|use|vlan|vlan-pool-member|wep128|wep64|

wing-extensions|wireless-client|wpa-wpa2|service]

no accounting [radius|syslog|wait-client-ip]

no acl exceed-rate wireless-client-denied-traffic no [answer-broadcast-probes|association-list global|authentication-type|

broadcast-dhcp validate-offer|broadcast-ssid|captive-portal-enforcement|

client-access|client-client-communication|client-load-balancing allow-single-

band-clients|controller-assisted-mobility|data-rates [2.4GHz|5GHz]|description|

downstream-group-addressed-forwarding|dynamic-vlan-assignment allowed-vlans|

eap-types|encryption-type|enforce-dhcp|fast-bss-transition over-ds|

opendns device-id|protected-mgmt-frames {sa-query}|proxy-arp-mode|proxy-nd-mode|

qos-map|ssid|t5-client-isolation|t5-security|vlan]

no assoc-response [deny-threshold|rssi-threshold]

no http-analyze {filter|syslog}

no http-analyze {filter [images|post|query-string]}

no ip [arp|dhcp]

no ip arp [header-mismatch-validation|trust]

no ip dhcp trust no dpi metadata [http|ssl|voice-video]

no ipv6 [dhcpv6|nd]

no ipv6 dhcpv6 trust no ipv6 nd [header-mismatch-validation|raguard|trust]

no kerberos [password|realm|server]

no kerberos server [primary host|secondary host|timeout]

no mac-authentication [cached-credentials|enforce-always]

no nsight client-history no radio-resource-measurement {channel-report|neighbor-report {hybrid}}

no radius [dynamic-authorization|nas-identifier|nas-port-id|vlan-assignment]

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 498 GLOBAL CONFIGURATION COMMANDS no registration {external}

no relay-agent [dhcp-option82|dhcpv6-ldra]

no shutdown {on-critical-resource|on-meshpoint-loss|on-primary-port-link-loss|

on-unadoption}

no time-based-access days [all|friday|monday|saturday|sunday|thursday|tuesday|

wednesday|weekdays|weekends]

no use [aaa-policy|association-acl-policy|bonjour-gw-discovery-policy|captive-

portal|ip-access-list|ipv6-access-list|mac-access-list|passpoint-policy|

roaming-assist-policy|url-filter|wlan-qos-policy]

no vlan-pool-member [<1-40 95>|<VLAN-ALIAS-NAME>]

no [wep128|wep64] [key {1-4}|transmit-key]

no wing-extension [move-command|smart-scan|wing-load-information|wmm-load-

information]

no wireless-client [count-per-radio|cred-cache-ageout|hold-time|inactivity-

timeout|max-firewall-sessions|reauthentication|roam-notification|t5-inactivity-

timeout|tx-power|vlan-cache-ageout]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or reverts this WLANs settings based on the parameters passed Usage Guidelines The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated. Example rfs6000-81742D(config-wlan-test)#no ?

accounting Configure how accounting records are created for this wlan acl Actions taken based on ACL configuration [ packet drop being one of them]

answer-broadcast-probes Do not Include this wlan when responding to probe requests that do not specify an SSID assoc-response Association response threshold association-list Configure the association list for the wlan authentication-type Reset the authentication to use on this wlan to default (none/Pre-shared keys) broadcast-dhcp Configure broadcast DHCP packet handling broadcast-ssid Do not advertise the SSID of the WLAN in beacons captive-portal-enforcement Configure how captive-portal is enforced on the wlan client-access Disallow client access on this wlan

(no data operations) client-client-communication Disallow switching of frames from one wireless client to another on this wlan client-load-balancing Disable load-balancing of clients on this wlan controller-assisted-mobility Disable configure assisted mobility Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 499 GLOBAL CONFIGURATION COMMANDS data-rates Reset data rate configuration to default description Reset the description of the wlan downstream-group-addressed-forwarding Disable downstream group addressed forwarding of packets dpi Deep-Packet-Inspection (Application Assurance) dynamic-vlan-assignment Dynamic VLAN assignment configuration eap-types Allow all EAP types on this wlan encryption-type Reset the encryption to use on this wlan to default (none) enforce-dhcp Drop packets from Wireless Clients with static IP address fast-bss-transition Disable support for 802.11r Fast BSS Transition http-analyze Enable HTTP URL analysis on the wlan ip Internet Protocol (IP) ipv6 Internet Protocol version 6 (IPv6) kerberos Configure kerberos authentication parameters mac-authentication Configure mac-authentication related parameters nsight Nsight Server opendns OpenDNS related config for this wlan protected-mgmt-frames Disable support for Protected Management Frames (IEEE 802.11w) proxy-arp-mode Configure handling of ARP requests with proxy-arp is enabled proxy-nd-mode Configure handling of IPv6 ND requests with proxy-nd is enabled qos-map Disable the 802.11u QoS map element and frame radio-resource-measurement Disable support for 802.11k Radio Resource Measurement radius Configure RADIUS related parameters registration Dynamic registration of device (or) user relay-agent Configure dhcp relay agent info shutdown Enable the use of this wlan ssid Configure ssid t5-client-isolation Do not Isolate traffic among clients t5-security Configure encryption and authentication time-based-access Reset time-based-access parameters to default use Set setting to use vlan Map the default vlan (vlan-id 1) to the wlan vlan-pool-member Delete a mapped vlan from this wlan wep128 Reset WEP128 parameters wep64 Reset WEP64 parameters wing-extensions Disable support for WiNG-Specific extensions to 802.11 wireless-client Configure wireless-client specific parameters wpa-wpa2 Modify tkip-ccmp (wpa/wpa2) related parameters service Service to monitor to show no-service page to user rfs6000-81742D(config-wlan-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 500 GLOBAL CONFIGURATION COMMANDS The test settings before execution of the no command:

rfs6000-81742D(config-wlan-test)#show context wlan test description TestWLAN ssid test bridging-mode local encryption-type tkip-ccmp authentication-type eap kerberos server timeout 12 kerberos server primary host 172.16.10.2 accounting syslog host 172.16.10.4 port 2 data-rates 2.4GHz gn wing-extensions wmm-load-information client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 captive-portal-enforcement fall-back ip dhcp trust acl exceed-rate wireless-client-denied-traffic 20 disassociate enforce-dhcp broadcast-dhcp validate-offer http-analyze controller rfs6000-81742D(config-wlan-test)#

rfs6000-81742D(config-wlan-test)#no accounting syslog rfs6000-81742D(config-wlan-test)#no description rfs6000-81742D(config-wlan-test)#no authentication-type rfs6000-81742D(config-wlan-test)#no encryption-type rfs6000-81742D(config-wlan-test)#no enforce-dhcp rfs6000-81742D(config-wlan-test)#no kerberos server primary host rfs6000-81742D(config-wlan-test)#no kerberos server timeout rfs6000-81742D(config-wlan-test)#no data-rates 2.4GHz rfs6000-81742D(config-wlan-test)#no ip dhcp trust rfs6000-81742D(config-wlan-test)#no captive-portal-enforcement The test settings after the execution of the no command:

rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type none wing-extensions wmm-load-information client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 acl exceed-rate wireless-client-denied-traffic 20 disassociate broadcast-dhcp validate-offer http-analyze controller rfs6000-81742D(config-wlan-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 501 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.30 nsight wlan-mode commands Enables retention of client-history A typical NSight-server enabled, guest access environment may be visited by thousands of unique clients on a daily basis. Some of these guest clients are not regular visitors, accessing the network infrequently. However, by default, historical data of all guest clients, irrespective of their network access frequency, is retained by the NSight server for up to 180 days. This results in the database containing thousands if not millions of unique MAC addresses of infrequent guest clients. To address this potential problem it is recommended to disable client-history retention on a guest WLAN, and use the nsight-policy context to configure a separate timer (8 hours by default) specifying the guest client data lifespan in the database. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax nsight client-history Parameters nsight client-history nsight client-history Enables retention of client-history in the database. This option is enabled by default. Example On a WLAN, the client-history option is enabled by default. When enabled, all client history (including guest-clients) is retained in the NSight server database for 180 days. To disable this option, execute the no > nsight > client-history command. When disabled, guest client history is retained only for 8 hours, which is the default setting defined by the NSight policy applied on the access point (through which the guest client accesses the WLAN) or the access points RF Domain. However, the default historical data retention duration for regular clients and devices (access point and controllers) remains unchanged (180 days) as per the NSight policy settings. nx9500-6C8809(config-wlan-test3)#no nsight client-history nx9500-6C8809(config-wlan-test3)#show context wlan test3 ssid test3 bridging-mode local encryption-type none authentication-type none no nsight client-history nx9500-6C8809(config-wlan-test3)#

Use the NSight policy context to define separate client-history retention time for regular clients, devices, and guest clients. For more information, see nsight-policy. Related Commands no Disables client-history retention in the NSight database Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 502 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.31 opendns wlan-mode commands Configures the pre-fetched OpenDNS device_id. Once configured, all DNS queries originating from wireless clients associating with the WLAN are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. The device ID is a sixteen (16) character hex string representing a 64 bit unsigned integer and is fetched from the OpenDNS site. This command is part of a series of configurations that are required to integrate WiNG access points, wireless controllers, and service platforms with OpenDNS. When all the parameters have been configured, DNS queries from wireless clients, associating with the WLAN, are redirected to OpenDNS (208.67.220.220 OR 208.67.222.222). These OpenDNS resolvers act as proxy DNS servers that provide additional functionalities, such as Web filtering, reporting, and performance enhancement. For more information on the entire configuration, see opendns. This option is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax opendns device-id <DEVICE-ID>

Parameters opendns device-id <DEVICE-ID>

opendns device-id

<DEVICE-ID>

Configures the device ID to embed in DNS queries sent to OpenDNS

<DEVICE-ID> Specify the device ID. Example The following command fetches the device_id from the OpenDNS site. ap7131-E6D512#opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073 device_id = 0014AADF8EDC6C59 ap7131-E6D512#

Use this device_id in the WLAN configuration context. ap7131-E6D512(config)#wlan opendns ap7131-E6D512(config-wlan-opendns)#opendns device-id 0014AADF8EDC6C59 ap7131-E6D512(config-wlan-opendns)#commit ap7131-E6D512(config-wlan-opendns)#show context wlan opendns ssid opendns vlan 1 bridging-mode local encryption-type none authentication-type none opendns device-id 0014AADF8EDC6C59 ap7131-E6D512(config-wlan-opendns)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 503 GLOBAL CONFIGURATION COMMANDS Related Commands no Removes the device ID configured to be embedded in the DNS queries originating from the WiNG devices Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 504 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.32 protected-mgmt-frames wlan-mode commands Configures the WLAN's frame protection mode and security association (SA) query parameters 802.11w provides protection for both unicast management frames and broadcast/multicast management frames. The robust management frames are action, disassociation, and deauthentication frames. The standard provides one security protocol CCMP for protection of unicast robust management frames. Protected management frames (PMF) protocol only applies to robust management frames after establishment of RSNA PTK. Robust management frame protection is achieved by using CCMP for unicast management frames, broadcast/multicast integrity protocol (BIP) for broadcast/multicast management frames and SA query protocol for protection against (re)association attacks. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-

1000>]]

Parameters protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout

<100-1000>]]

protected-mgmt-

frames mandatory optional sa-query

[attempts <1-10>|

timeout <100-1000>]

Enables and configures WLAN's frame protection mode and SA query parameters. Use this command to specify whether management frames are continually or optionally protected. Frame protection mode is disabled by default. Enforces protected management frames (PMF) on this WLAN (management frames are continually optionally protected) Provides PMF only for those clients that support PMF (management frames are optionally protected) Configures the following SA parameters:

attempts <1-10> Configures the number of SA query attempts from 1 - 10. The default is 5. timeout <100-1000> Configures the interval, in milliseconds, used to timeout association requests that exceed the defined interval. Specify a value from 100 - 1000 milliseconds. The default value is 201 milliseconds. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 505 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-wlan-test)#protected-mgmt-frames mandatory rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none protected-mgmt-frames mandatory rfs6000-81742D(config-wlan-test)#

Related Commands no Disables enforcement of protected management frames on this WLAN. And reverts protected management frames sa-query timeout and attempts to 201 milliseconds and 5 respectively. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 506 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.33 proxy-arp-mode wlan-mode commands Enables proxy ARP mode for handling ARP requests Proxy ARP is the technique used to answer ARP requests intended for another system. By faking its identity, the access point accepts responsibility for routing packets to the actual destination. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax proxy-arp-mode [dynamic|strict]

Parameters proxy-arp-mode [dynamic|strict]

proxy-arp-mode dynamic strict Example Enables proxy ARP mode for handling ARP requests. The options available are dynamic and strict. Forwards ARP requests to the wireless side (for which a response could not be proxied). This is the default setting. Does not forward ARP requests to the wireless side rfs6000-81742D(config-wlan-test)#proxy-arp-mode strict rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type none protected-mgmt-frames mandatory wing-extensions wmm-load-information client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 acl exceed-rate wireless-client-denied-traffic 20 disassociate proxy-arp-mode strict broadcast-dhcp validate-offer http-analyze controller rfs6000-81742D(config-wlan-test)#

Related Commands no Reverts the proxy ARP mode to default (dynamic) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 507 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.34 proxy-nd-mode wlan-mode commands Configures the proxy ND mode for this WLAN member clients as either strict or dynamic ND proxy is used in IPv6 to provide reachability by allowing a client to act as proxy. Proxy certificate signing can be done either dynamically (requiring exchanges of identity and authorization information) or statically when the network topology is defined. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax proxy-nd-mode [dynamic|strict]

Parameters proxy-nd-mode [dynamic|strict]

proxy-nd-mode

[dynamic|strict]

Configures the proxy ND mode for this WLAN member clients. The options are:

dynamic and strict dynamic Forwards ND request to wireless for which a response could not be proxied. This is the default value. strict Does not forward ND requests to the wireless side Example rfs6000-81742D(config-wlan-test)#proxy-nd-mode strict rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none wpa-wpa2 server-only-authentication proxy-nd-mode strict opendns device-id 44-55-66 rfs6000-81742D(config-wlan-test)#

Related Commands no Reverts the proxy ND mode to default (dynamic) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 508 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.35 qos-map wlan-mode commands Enables support for 802.11u QoS map element and frames Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax qos-map Parameters None Example rfs6000-81742D(config-wlan-test)#qos-map rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none qos-map wpa-wpa2 server-only-authentication proxy-nd-mode strict opendns device-id 44-55-66 rfs6000-81742D(config-wlan-test)#

Related Commands no Disables support for 802.11u QoS map element and frames Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 509 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.36 radio-resource-measurement wlan-mode commands Enables support for 802.11k radio resource measurement capabilities (IEEE 802.11k) on this WLAN 802.11k improves how traffic is distributed. In a WLAN, devices normally connect to the access point with the strongest signal. Depending on the number and location of clients, this arrangement can lead to excessive demand on one access point and under utilization of others, resulting in degradation of overall network performance. With 802.11k, if the access point with the strongest signal is loaded to its capacity, a client connects to an under-utilized access point. Even if the signal is weaker, the overall throughput is greater since it's an efficient use of the network's resources. This feature is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax radio-resource-measurement {channel-report|neighbor-report {hybrid}}

Parameters radio-resource-measurement {channel-report|neighbor-report {hybrid}}

radio-resource-

measurement channel-report neighbor-report

{hybrid}

Enables support for 802.11k radio resource measurement capabilities Optional. Includes the channel-report element in beacons and probe responses Optional. Enables responding to neighbor-report requests hybrid Optional. Uses the hybrid model of smart-rf neighbors and roaming frequency to neighbors Example rfs4000-229D58(config-wlan-test)#radio-resource-measurement rfs4000-229D58(config-wlan-test)#show context wlan test ssid test vlan 1 bridging-mode tunnel encryption-type none authentication-type none radio-resource-measurement controller-assisted-mobility rfs4000-229D58(config-wlan-test)#

Related Commands no Disables support for 802.11k radio resource measurement capabilities (IEEE 802.11k) on this WLAN Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 510 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.37 radius wlan-mode commands Configures RADIUS related parameters Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax radius [dynamic-authorization|nas-identifier|nas-port-id|vlan-assignment]

radius [dynamic-authorization|nas-identifier <NAS-ID>|nas-port-id <NAS-PORT-ID>|

vlan-assignment]

Parameters radius [dynamic-authorization|nas-identifier <NAS-ID>|nas-port-id <NAS-PORT-

ID>|vlan-assignment]

dynamic-authorization Enables support for disconnect and change of authorization messages (RFC5176) nas-identifier

<NAS-ID>

When enabled, this option extends the RADIUS protocol to support unsolicited messages from the RADIUS server. These messages allow administrators to issue change of authorization (CoA) messages, which affect session authorization, or disconnect messages (DM) that terminate a session immediately. This option is disabled by default. Configures the network access server (NAS) identifier attribute, a value that identifies the access point or controller where the RADIUS messages originate. The value specified here is included in the RADIUS NAS-Identifier field for WLAN authentication and accounting packets.

<NAS-ID> Specify the NAS identifier attribute (should not exceed 256 characters in length). nas-port-id

<NAS-PORT-ID>

Configures the NAS port ID attribute, a value that identifies the port from where the RADIUS messages originate

<NAS-PORT-ID> Specify the NAS port ID attribute (should not exceed 256 characters in length). The profile database on the RADIUS server consists of user profiles for each connected NAS port. Each profile is matched to a username representing a physical port. When authorizing users, it queries the user profile database using a username representative of the physical NAS port making the connection. Set the numeric port value from 0 - 4294967295. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 511 GLOBAL CONFIGURATION COMMANDS vlan-assignment Configures the VLAN assignment of a WLAN. RADIUS VLAN assignment is disabled by default. When enabled, this option assigns clients to the RADIUS server specified VLANs, overriding the WLAN configuration. This option is disabled by default. If, as part of the authentication process, the RADIUS server returns a client's VLAN-ID in a RADIUS access-accept packet, and this feature is enabled, all client traffic is forwarded on that VLAN. If disabled, the RADIUS server returned VLAN-ID is ignored and the VLAN specified using the vlan/vlan-pool-member options (in the WLAN config mode) is used. If both the RADIUS VLAN assignment and the post authentication VLAN options are enabled, then RADIUS VLAN assignment takes priority over post authentication VLAN configuration. Example rfs6000-81742D(config-wlan-test)#radius vlan-assignment rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type none protected-mgmt-frames mandatory radius vlan-assignment wing-extensions wmm-load-information client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2

--More--

rfs6000-81742D(config-wlan-test)#

Related Commands no Disables support for disconnect and change of authorization messages. Disables the use of VLAN information received in RADIUS server responses, instead uses the VLAN provided in the WLAN configuration. Removes the NAS identifier and NAS port identifiers configured. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 512 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.38 registration wlan-mode commands Configures settings enabling dynamic registration and validation of devices by their MAC addresses. When configured, this option registers a devices MAC address, and allows direct access to a previously registered device. This command also configures the external guest registration and validation server details. If using an external server to perform guest registration, authentication and accounting, use this command to configure the external servers IP address/hostname. When configured, access points and controllers forward guest registration requests to the specified registration server. In case of EGuest deployment, this external resource should point to the EGuest registration server. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax registration [device|device-OTP|external|user]

registration [device|device-OTP|user] group-name <RAD-GROUP-NAME> {agreement-

refresh <0-144000>|expiry-time <1-43800>}

registration external [follow-aaa|host]

registration external follow-aaa {send-mode [http|https|udp]}

registration external host <IP/HOSTNAME> {proxy-mode|send-mode}

registration external host <IP/HOSTNAME> {proxy-mode [none|through-controller|

through-rf-domain-manager|through-centralized-controller]|send-mode [https|

https|udp]}

Parameters registration external follow-aaa {send-mode [http|https|udp]}

registration external follow-aaa Enables dynamic guest-user registration and validation. This option is disabled by default. Specifies that the guest registration is handled by an external resource. Access points/controllers send registration requests to the external registration server. Uses an AAA policy to point to the guest registration, authentication, and accounting server. When used, guest registration is handled by the RADIUS server specified in the AAA policy used in the WLAN context. In case of EGuest deployment, the RADIUS authentication and accounting server configuration in the AAA policy should point to the EGuest server. The use of follow-

aaa option is recommended in EGuest replica-set deployments. For more information on enabling the EGuest server, see eguest-server (VX9000 only). For more information on configuring an EGuest deployment, see configuring ExtremeGuest captive-portal. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 513 GLOBAL CONFIGURATION COMMANDS send-mode

[https|https|udp]

Optional. Specifies the protocol used to forward registration requests to the external AAA policy servers. The options are;

HTTPS Sends registration requests as HTTPS packet HTTP Sends registration requests as HTTP packet UDP Sends registration requests as UDP packet, using the UPD port 12322. This is the default setting. registration external host <IP/HOSTNAME> {proxy-mode [none|through-controller|

through-rf-domain-manager|through-centralized-controller]|send-mode [https|

https|udp]}

registration external host

<IP/HOSTNAME>

proxy-mode

{none|

through-controller|

through-rf-domain-

manager|through-

centralized-controller}

send-mode

[https|https|udp]

Configures dynamic guest registration and validation parameters. This option is disabled by default. Specifies that the guest registration is handled by an external resource. Access points/controllers send registration requests to the external registration server. Specifies the external registration servers IP address or hostname. When configured, access points/ controllers forward guest registration requests to the external registration server specified here. Optional. Specifies the proxy mode. If a proxy is needed for connection, specify the proxy mode as through-controller, through-rf-domain. If no proxy is needed, select none. none Optional. Requests are sent directly to the controller from the requesting device through-controller Optional. Requests are proxied through the controller configuring the device through-rf-domain-manager Optional. Requests are proxied through the local RF Domain manager through-centralized-controller Optional. Request are proxied through one of the controllers in a cluster.that is operating as the designated forwarder. Select this option if capture and redirection is on a cluster of wireless controller/service platforms managing dependent/independent access points when redundancy is required. After specifying the proxy-mode, optionally specify the protocol used to send the requests to the external registration server host. Optional. Specifies the communication protocol used. The options are;

HTTPS Sends registration requests as HTTPS packets HTTP Sends registration requests as HTTP packets UDP Sends registration requests as UDP packet, using the UPD port 12322. This is the default setting. registration [device|device-OTP|user] group-name <RAD-GROUP-NAME> {agreement-

refresh <0-144000>|expiry-time <1-43800>}

registration Configures dynamic guest registration and validation parameters. This option is disabled by default. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 514

[device|device-OTP|

user]

group-name

<RAD-GROUP-NAME>

expiry-time

<1-43800>

agreement-refresh

<0-144000>

GLOBAL CONFIGURATION COMMANDS Configures the mode used to register guest users of this WLAN. Options include device, external, user, and device-OTP device-OTP Registers a device by its MAC address. During registration, the user, using the registered device, has to provide the e-mail address, mobile number, or member id, and the one-time-passcode (OTP) sent to the registered e-mail id or mobile number to complete registration. On subsequent logins, the user has to enter the OTP. If the MAC address of the device attempting login and the OTP combination matches, the user is allowed access. If using this option, set the WLAN authentication type as MAC authentication. device Registers a device by its MAC address. On subsequent logins, already registered MAC addresses are allowed access. If using this option, set the WLAN authentication type as MAC authentication. user Registers guest users using one of the following options: e-mail address, mobile-number, or member-id. If using any one of the above modes of registration, specify the RADIUS group to which the registered device or user is to be assigned post authentication. Configures the RADIUS group name to which registered users are associated. When left blank, users are not associated with a RADIUS group.

<RAD-GROUP-NAME> Specify the RADIUS group name (should not exceed 64 characters). Optional. Configures the amount of time, in hours, before registered addresses expire and must be re-entered

<1-43800> Specify a value from 1 - 43800 hrs. The default is 1500 hrs. Optional. Sets the time, in minutes, after which an inactive user has to refresh the WLANs terms of agreement. For example, if the agreement refresh period is set to 1440 minutes, a user, who has been inactive for more than 1440 minutes (1 day) is served the agreement page, and is allowed access only after refreshing the terms of agreement.

<0-100> Specify a value from 0 - 144000. The default is 0 minutes. Example nx9500-6C8809(config-wlan-test)#registration user group-name guest agreement-ref resh 14400 expiry-time 2000 nx9500-6C8809(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type none registration user group-name guest expiry-time 2000 agreement-refresh 14400 nx9500-6C8809(config-wlan-test)#

Related Commands no Disables dynamic user registration and removes associated configurations. ALso disables forwarding of user information to an external device. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 515 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.39 relay-agent wlan-mode commands Enables support for DHCP/DHCPv6 relay agent information (option 82 and DHCPv6-LDRA) feature on this WLAN. This option is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax relay-agent [dhcp-option82|dhcpv6-ldra]

Parameters relay-agent [dhcp-option82|dhcpv6-ldra]

relay-agent dhcp-option82 dhcpv6-ldra Enables support for the following DHCP and DHCPv6 options: option 82 and Lightweight DHCPv6 Relay Agent (LDRA) respectively. When enabled, this feature allows the DHCP/DHCPv6 relay agent to insert the relay agent information option

(option 82, LDRA) in client requests forwarded to the DHCP/DHCPv6 server. This information provides the following:

circuit ID suboption Provides the SNMP port interface index remote ID Provides the controllers MAC address Enables DHCP option 82. DHCP option 82 provides client physical attachment information. This option is disabled by default. Enables the DHCPv6 relay agent. The LDRA feature allows DHCPv6 messages to be transmitted on existing networks that do not currently support IPv6 or DHCPv6. This option is disabled by default. Example rfs4000-229D58(config-wlan-test)#relay-agent dhcp-option82 rfs4000-229D58(config-wlan-test)#show context wlan test ssid test vlan 1 bridging-mode tunnel encryption-type none authentication-type none radio-resource-measurement relay-agent dhcp-option82 controller-assisted-mobility rfs4000-229D58(config-wlan-test)#

rfs6000-81701D(config-wlan-test)#relay-agent dhcpv6-ldra rfs6000-81701D(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none relay-agent dhcpv6-ldra rfs6000-81701D(config-wlan-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 516 GLOBAL CONFIGURATION COMMANDS Related Commands no Disables support for DHCP/DHCPv6 relay agent information (option 82 and DHCPv6-

LDRA) feature on this WLAN Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 517 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.40 shutdown wlan-mode commands Auto shuts down a WLAN The auto shutdown mechanism helps regulate the availability of a WLAN based on an administrator defined access period. Use this feature to shut down a WLAN on specific days and hours and restrict periods when the WLAN traffic is either not desired or cannot be properly administrated. The normal practice is to shut down WLANs when there are no users on the network, such as after hours, weekends or holidays. This allows administrators more time to manage mission critical tasks since the WLAN's availability is automated. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax shutdown {on-critical-resource <CR-NAME>|on-meshpoint-loss|on-primary-port-link-

loss|on-unadoption}

Parameters shutdown {on-critical-resource <CR-NAME>|on-meshpoint-loss|on-primary-port-

link-loss|on-unadoption}

shutdown on-critical-resource

<CR-NAME>

Auto shuts down the WLAN when specified events occur. Disabled by default. Optional. Auto shuts down the WLAN when critical resource failure occurs. Disabled by default.

<CR-NAME> Specifies the name of the critical resource being monitored for this WLAN. on-meshpoint-loss on-primary-port-link-

loss on-unadoption Optional. Auto shuts down the WLAN when the root meshpoint link fails (is unreachable). Disabled by default. Optional. Auto shuts down the WLAN when a device losses its primary Ethernet port (ge1/up1) link. Disabled by default. Optional. Auto shuts down the WLAN when an adopted device becomes unadopted. Disabled by default. Usage Guidelines If the shutdown on-meshpoint-loss feature is enabled, the WLAN status changes only if the meshpoint and the WLAN are mapped to the same VLAN. If the meshpoint is mapped to VLAN 1 and the WLAN is mapped to VLAN 2, then the WLAN status does not change on loss of the meshpoint. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 518 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-wlan-test)#shutdown on-unadoption rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type none protected-mgmt-frames mandatory radius vlan-assignment wing-extensions wmm-load-information client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 acl exceed-rate wireless-client-denied-traffic 20 disassociate proxy-arp-mode strict broadcast-dhcp validate-offer shutdown on-unadoption http-analyze controller rfs6000-81742D(config-wlan-test)#

Related Commands no Disables auto shut down WLAN. Use the optional keywords provided to disable auto shut down of the WLAN upon critical resource failure, when meshpoint links fail, when the primary Ethernet port (e1/up1) loses link, or when the WLAN gets unadopted. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 519 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.41 ssid wlan-mode commands Configures a WLANs SSID Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ssid <SSID>

Parameters ssid <SSID>

<SSID>

Example Specify the WLANs SSID. The WLAN SSID is case sensitive and alphanumeric. Its length should not exceed 32 characters. rfs6000-81742D(config-wlan-test)#ssid testWLAN1 rfs6000-81742D(config-wlan-test)#show context wlan test ssid testWLAN1 bridging-mode local encryption-type none authentication-type none protected-mgmt-frames mandatory radius vlan-assignment wing-extensions wmm-load-information client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 acl exceed-rate wireless-client-denied-traffic 20 disassociate proxy-arp-mode strict broadcast-dhcp validate-offer shutdown on-unadoption http-analyze controller rfs6000-81742D(config-wlan-test)#

Related Commands no Removes the WLANs SSID Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 520 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.42 t5-client-isolation wlan-mode commands Disallows clients connecting to the WLAN to communicate with one another. This setting applies exclusively to CPE devices managed by aT5 controller and is disabled by default. A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS wireless controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5s management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the IPX operating system. These CPEs use a DSL as their high speed Internet access mechanism using the CPEs physical wallplate connection and phone jack. NOTE: This setting is applicable only when this WLAN supports T5 controllers and their connected CPEs. Supported in the following platforms:

Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax t5-client-isolation Parameters None Example nx9500-6C8809(config-wlan-test)#t5-client-isolation nx9500-6C8809(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type none t5-client-isolation nx9500-6C8809(config-wlan-test)#

Related Commands no Allows clients connecting to the WLAN to communicate with one another Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 521 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.43 t5-security wlan-mode commands Configures T5 PowerBroadband security settings A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5s management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the IPX operating system. These CPEs use DSL as their high speed Internet access mechanism using the CPEs physical wallplate connection and phone jack. NOTE: This setting is applicable only when this WLAN supports T5 controllers and their connected CPEs. Supported in the following platforms:

Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax t5-security [static-wep|wpa-enterprise|wpa-personal]

t5-security static-wep encryption-type [wep128|wep64] [hex <STRING>|passphrase

<STRING>]

t5-security [wpa-enterprise|wpa-personal] encryption-type [ccmp|tkip|tkip-ccmp]

version [mixed|wpa|wpa2]

Parameters t5-security static-wep encryption-type [wep128|wep64] [hex <STRING>|passphrase

<STRING>]

t5-security static-wep Configures the T5 WLAN security type as static-wep encryption-type

[wep128|wep64]

hex <STRING>

Applies one of the following encryption algorithms to the T5 support WLAN configuration: WEP64 or WEP128 Configures the hex password (used to derive the security key)

<STRING> Specify the hex password (should not exceed the 10 - 26 characters). passphrase <STRING> Configures the passphrase shared by both transmitting and receiving authenticators

<STRING> Specify the passphrase. It could either be an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters. The alphanumeric string allows character spaces. This string is converted to a numeric value. Configuring a passphrase saves you the need to create a 256-bit key each time keys are generated. t5-security [wpa-enterprise|wpa-personal] encryption-type [ccmp|tkip|tkip-ccmp]

version [mixed|wpa|wpa2]

t5-security

[wpa-enterprise|

wpa-personal]

Configures the T5 WLAN security type as: wpa-enterprise OR wpa-personal Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 522 GLOBAL CONFIGURATION COMMANDS encryption-type

[ccmp|tkip|tkip-ccmp]

version

[mixed|wpa|wpa2]

The following parameters are common to the wpa-enterprise and wpa-personal keywords:

Applies one of the following encryption algorithms to the T5 support WLAN configuration: CCMP, TKIP, or TKIP-CCMP The following parameters are common to the wpa-enterprise and wpa-personal keywords:

version Applies one of the following encryption schemes to the T5 support WLAN configuration: WPA, WPA2, or mixed Example nx9500-6C8809(config-wlan-test)#t5-security wpa-enterprise encryption-type ccmp version wpa nx9500-6C8809(config-wlan-test)#show context wlan test ssid test bridging-mode local encryption-type none authentication-type none t5-security wpa-enterprise encryption-type ccmp version wpa t5-client-isolation nx9500-6C8809(config-wlan-test)#

Related Commands no Removes the configured T5 PowerBroadband security settings Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 523 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.44 time-based-access wlan-mode commands Configures time-based client access to the network resources Administrators can use this feature to assign fixed days and time of WLAN access for wireless clients Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax time-based-access days [sunday|monday|tuesday|wednesday|thursday|friday|

saturday|all|weekends|weekdays] {start <START-TIME>} [end <END-TIME>]

Parameters time-based-access days [sunday|monday|tuesday|wednesday|thursday|friday|

saturday|all|weekends|weekdays] {start <START-TIME>} [end <END-TIME>]

day <option>

start <START-TIME>

end <END-TIME>

Specifies the day or days on which the client can access the WLAN sunday Allows access on Sundays only monday Allows access on Mondays only tuesday Allows access on Tuesdays only wednesday Allows access on Wednesdays only thursday Allows access on Thursdays only friday Allows access on Fridays only saturday Allows access on Saturdays only weekends Allows access on weekends only weekdays Allows access on weekdays only all Allows access on all days Optional. Specifies the access start time in hours and minutes (HH:MM) Specifies the access end time in hours and minutes (HH:MM) Example rfs6000-81742D(config-wlan-test)#time-based-access days weekdays start 10:00 end 16:30 rfs6000-81742D(config-wlan-test)#show context wlan test ssid testWLAN1 bridging-mode local encryption-type none authentication-type none protected-mgmt-frames mandatory radius vlan-assignment time-based-access days weekdays start 10:00 end 16:30

--More--

rfs6000-81742D(config-wlan-test)#

Related Commands no Removes the configured time-based-access settings Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 524 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.45 use wlan-mode commands This command associates an existing captive portal with a WLAN. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax use [aaa-policy|application-policy|association-acl-policy|bonjour-gw-discovery-

policy|captive-portal|ip-access-list|ipv6-access-list|mac-access-list|passpoint-

policy|roaming-assist-policy|url-filter|wlan-qos-policy]

use [aaa-policy <AAA-POLICY-NAME>|application-policy <POLICY-NAME>|association-

acl-policy <ASSOCIATION-POLICY-NAME>|bonjour-gw-discovery-policy <POLICY-

NAME>|captive-portal <CAPTIVE-PORTAL-NAME>|passpoint-policy <PASSPOINT-POLICY-

NAME>|roaming-assist-policy <POLICY-NAME>|url-filter <URL-FILTER-NAME>|wlan-qos-

policy <WLAN-QOS-POLICY-NAME>]

use ip-access-list [in|out] <IP-ACCESS-LIST-NAME>

use ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME>

use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>

Parameters use [aaa-policy <AAA-POLICY-NAME>|application-policy <POLICY-NAME>|

association-acl-policy <ASSOCIATION-POLICY-NAME>|bonjour-gw-discovery-policy

<POLICY-NAME>|captive-portal <CAPTIVE-PORTAL-NAME>|passpoint-policy <PASSPOINT-

POLICY-NAME>|roaming-assist-policy <POLICY-NAME>|url-filter <URL-FILTER-NAME>|

wlan-qos-policy <WLAN-QoS-POLICY-NAME>]

aaa-policy

<AAA-POLICY-NAME>

application-policy

<POLICY-NAME>

association-acl

<ASSOCIATION-

POLICY-NAME>

bonjour-gw-

discovery-policy

<POLICY-NAME>

Uses an existing AAA policy with a WLAN

<AAA-POLICY-NAME> Specify the AAA policy name. Uses an existing application policy with a WLAN. An application policy defines actions to perform on a packet when it matches a specified set of pre-defined applications or application categories. For more information, see application-policy.

<POLICY-NAME> Specify the policy name. Uses an existing association ACL policy with a WLAN

<ASSOCIATION-POLICY-NAME> Specify the association ACL policy name. Uses an existing Bonjour GW Discovery policy with a WLAN. When associated, the Bonjour GW Discovery policy defines a list of services clients can discover across subnets. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 525 GLOBAL CONFIGURATION COMMANDS Bonjour enables discovery of services on a LAN. Bonjour allows the setting up a network (without any configuration) in which services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains.

<POLICY-NAME> Specify the Bonjour GW Discovery policy name (should be existing and configured). For more information on Bonjour GW Discovery policy, see bonjour-gw-discovery-

policy. Specifies the captive-portal policy to use if enforcing captive-portal authentication on this WLAN

<CAPTIVE-PORTAL-NAME> Specify the captive-portal policy name. Should be existing and configured. Associates a passpoint policy (Hotspot2 configuration) with this WLAN

<PASSPOINT-POLICY-NAME> Specify the Hotspot 2.0 policy name. For more information on passpoint policy, see passpoint-policy. Map a passpoint policy to a WLAN. Since the configuration gets applied to the radio by BSS, only the Hotspot 2.0 configuration of primary WLANs on a BSSID is used. Incoming Hotspot 2.0 GAQ/ANQP requests from clients are identified by their destination MAC addresses and are handled by the passpoint policy from the primary WLAN on that BSS. Define one passpoint policy for every WLAN configured. Associates an existing roaming assist policy with this WLAN

<POLICY-NAME> Specify the Roaming Assist policy name. For more information on roaming assist policy, see roaming-assist-policy. Associates an existing URL list with this WLAN

<URL-FILTER-NAME> Specify the URL filter name. For more information on configuring a URL list, see url-list. Uses an existing WLAN QoS policy with a WLAN

<wlan-qos-policy-name> Specify the WLAN QoS policy name. captive-portal

<CAPTIVE-PORTAL-

NAME>

passpoint-policy

<PASSPOINT-POLICY-

NAME>

roaming-assist-policy

<POLICY-NAME>

url-filter

<URL-FILTER-NAME>

wlan-qos-policy

<WLAN-QOS-POLICY-

NAME>

use ip-access-list [in|out] <IP-ACCESS-LIST-NAME>

ip-access-list [in|out]

<IP-ACCESS-LIST-

NAME>

Specifies the IP access list for incoming and outgoing packets in Applies the IP ACL to incoming packets out Applies IP ACL to outgoing packets

<IP-ACCESS-LIST-NAME> Specify the IP access list name. use ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME>

ipv6-access-list

[in|out] <IPv6-

ACCESS-LIST-NAME>

Specifies the IPv6 access list for incoming and outgoing packets in Applies the IPv6 ACL to incoming packets out Applies IPv6 ACL to outgoing packets

<IPv6-ACCESS-LIST-NAME> Specify the IPv6 access list name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 526 GLOBAL CONFIGURATION COMMANDS use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>

mac-access-list

[in|out] <MAC-

ACCESS-LIST-NAME>

Specifies the MAC access list for incoming and outgoing packets. in Applies the MAC ACL to incoming packets out Applies MAC ACL to outgoing packets

<MAC-ACCESS-LIST-NAME> Specify the MAC access list name. Usage Guidelines IP and MAC ACLs act as firewalls within a WLAN. WLANs use ACLs as firewalls to filter or mark packets based on the WLAN from which they arrive, as opposed to filtering packets on layer 2 ports. An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies a set of conditions (rules) and the action taken in case of a match. The action can be permit, deny, or mark. Therefore, when a packet matches an ACEs conditions, it is either forwarded, dropped, or marked depending on the action specified in the ACE. The order of conditions in the list is critical since filtering is stopped after the first match. IP ACLs contain deny and permit rules specifying source and destination IP addresses. Each rule has a precedence order assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC. Additionally, you can filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny, or mark designation to WLAN packet traffic. Keep in mind IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface. Example rfs6000-81742D(config-wlan-test)#use aaa-policy test rfs6000-81742D(config-wlan-test)#use association-acl-policy test rfs6000-81742D(config-wlan-test)#show context wlan test ssid testWLAN1 bridging-mode local encryption-type none authentication-type none protected-mgmt-frames mandatory radius vlan-assignment time-based-access days weekdays start 10:00 end 16:30 wing-extensions wmm-load-information client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 use aaa-policy test use association-acl-policy test acl exceed-rate wireless-client-denied-traffic 20 disassociate proxy-arp-mode strict broadcast-dhcp validate-offer shutdown on-unadoption http-analyze controller rfs6000-81742D(config-wlan-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 527 GLOBAL CONFIGURATION COMMANDS rfs6000-81742D(config-wlan-ipad_clients)#use bonjour-gw-discovery-policy generic rfs6000-81742D(config-wlan-ipad_clients)#show context wlan ipad_clients ssid ipad_clients vlan 41 bridging-mode local encryption-type none authentication-type none use bonjour-gw-discovery-policy generic rfs6000-81742D(config-wlan-ipad_clients)#

Related Commands no Removes the following policies associated with a WLAN: aaa-policy, application-policy, association-acl-policy, bonjour-gw-discovery-policy, captive-portal, ip-access-list, ipv6-access-list, mac-access-list, passpoint-policy, roaming-assist-policy, url-filter, or wlan-qos-policy. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 528 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.46 vlan wlan-mode commands Sets the VLAN where traffic from a WLAN is mapped Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax vlan [<1-4094>|<VLAN-ALIAS-NAME>]

Parameters vlan [<1-4094>|<VLAN-ALIAS-NAME>]

<1-4094>

Sets a WLANs VLAN ID. This command starts a new VLAN assignment for a WLAN index. All prior VLAN settings are erased. Use this command to assign just one VLAN to the WLAN. Utilizing a single VLAN per WLAN is a more typical deployment scenario than using a VLAN pool.

<VLAN-ALIAS-NAME> Assigns a VLAN alias to the WLAN. The VLAN alias should to existing and configured. A VLAN alias maps a name to a VLAN ID. When applied to ports (for example GE ports) using the trunk mode, a VLAN alias denies or permits traffic, on the port, to and from the VLANs specified in the alias. For more information on aliases, see alias. Example rfs6000-81742D(config-wlan-test)#vlan 4 rfs6000-81742D(config-wlan-test)#show context wlan test ssid testWLAN1 vlan 4 bridging-mode local encryption-type none authentication-type none protected-mgmt-frames mandatory radius vlan-assignment time-based-access days weekdays start 10:00 end 16:30 wing-extensions wmm-load-information client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 use aaa-policy test use association-acl-policy test acl exceed-rate wireless-client-denied-traffic 20 disassociate proxy-arp-mode strict broadcast-dhcp validate-offer shutdown on-unadoption http-analyze controller rfs6000-81742D(config-wlan-test)#

Related Commands no Removes a WLANs default VLAN mapping Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 529 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.47 vlan-pool-member wlan-mode commands Adds a member VLAN to a WLANs VLAN pool. Use this option to define the VLANs available to this WLAN. Additionally, define the number of wireless clients supported by each VLAN. NOTE: Configuration of a VLAN pool overrides the 'vlan' configuration. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax vlan-pool-member <WORD> {limit <0-8192>}

Parameters vlan-pool-member <WORD> {limit <0-8192>}

vlan-pool-member

<WORD>

limit <0-8192>

Adds a member VLAN to a WLANs VLAN pool Since users belonging to separate VLANs can share the same WLAN, it is not necessary to create a new WLAN for every VLAN in the network. Define the VLANs available to this WLAN. It is either a single index, or a list of VLAN IDs (for example, 1,3,7), or a range (for example, 1-10) Optional. Is ignored if the number of clients are limited and well within the limits of the DHCP pool on the VLAN

<0-8192> Specifies the number of users allowed Example rfs6000-81742D(config-wlan-test)#vlan-pool-member 1-10 limit 1 rfs6000-81742D(config-wlan-test)#show context wlan test ssid testWLAN1 vlan-pool-member 1 limit 1 vlan-pool-member 2 limit 1 vlan-pool-member 3 limit 1 vlan-pool-member 4 limit 1 vlan-pool-member 5 limit 1 vlan-pool-member 6 limit 1 vlan-pool-member 7 limit 1 vlan-pool-member 8 limit 1 vlan-pool-member 9 limit 1 vlan-pool-member 10 limit 1 bridging-mode local encryption-type none authentication-type none protected-mgmt-frames mandatory radius vlan-assignment time-based-access days weekdays start 10:00 end 16:30

--More--

rfs6000-81742D(config-wlan-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 530 GLOBAL CONFIGURATION COMMANDS Related Commands no Removes the list of VLANs mapped to a WLAN Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 531 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.48 wep128 wlan-mode commands Configures WEP128 parameters Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax wep128 [key|keys-from-passkey|transmit-key]

wep128 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]

wep128 keys-from-passkey <WORD>

wep128 transmit-key <1-4>

Parameters wep128 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]

wep128 key <1-4>

ascii

[0 <WORD>|

2 <WORD>||

<WORD>]

hex

[0 <WORD>|

2 <WORD>|

<WORD>]

Configures WEP128 parameters. The parameters are: key, key-from-passkey, and transmit-key. Configures pre-shared hex keys

<1-4> Configures a maximum of four key indexes. Select the key index from 1 - 4. Sets keys as ASCII characters (5 characters for WEP64, 13 for WEP128) 0 <WORD> Configures a clear text key 2 <WORD> Configures an encrypted key

<WORD> Configures keys as 13 ASCII characters converted to hex, or 26 hexadecimal characters Sets keys as hexadecimal characters (10 characters for WEP64, 26 for WEP128) 0 <WORD> Configures a clear text key 2 <WORD> Configures an encrypted key

<WORD> Configures keys as 13 ASCII characters converted to hex, or 26 hexadecimal characters wep128 keys-from-passkey <WORD>

keys-from-passkey

<WORD>

Specifies a passphrase from which keys are derived

<WORD> Specify a passphrase from 4 - 32 characters. wep128 transmit-key <1-4>

transmit-key <1-4>

Configures the key index used for transmission from an AP to a wireless client or service platform

<1-4> Specify a key index from 1 - 4. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 532 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-wlan-test)#wep128 keys-from-passkey example@123 rfs6000-81742D(config-wlan-test)#show context wlan test ssid testWLAN1 vlan-pool-member 1 limit 1 vlan-pool-member 2 limit 1 vlan-pool-member 3 limit 1 vlan-pool-member 4 limit 1 vlan-pool-member 5 limit 1 vlan-pool-member 6 limit 1 vlan-pool-member 7 limit 1 vlan-pool-member 8 limit 1 vlan-pool-member 9 limit 1 vlan-pool-member 10 limit 1 bridging-mode local encryption-type none authentication-type none protected-mgmt-frames mandatory wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75 wep128 key 2 hex 0 2b3fb36924b22dffe98c86c315 wep128 key 3 hex 0 1ebf3394431700194762ebd5b2 wep128 key 4 hex 0 e3de75be311bd787aeac5e4e8b radius vlan-assignment time-based-access days weekdays start 10:00 end 16:30

--More--

rfs6000-81742D(config-wlan-test)#

Related Commands no Resets the WEP128 PSK and transmission keys to factory-default values. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 533 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.49 wep64 wlan-mode commands Configures WEP64 parameters Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax wep64 [key|keys-from-passkey|transmit-key]

wep64 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]

wep64 keys-from-passkey <WORD>

wep64 transmit-key <1-4>

Parameters wep64 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]

wep64 key <1-4>

ascii

[0 <WORD>|

2 <WORD>|

<WORD>]

hex

[0 <WORD>|

2 <WORD>|

<WORD>]

Configures WEP64 parameters The parameters are: key, key-from-passkey, and transmit-key. Configures pre-shared hex keys

<1-4> Configures a maximum of four key indexes. Select a key index from 1 - 4. Sets keys as ASCII characters (5 characters for WEP64, 13 for WEP128) 0 <WORD> Configures a clear text key 2 <WORD> Configures an encrypted key

<WORD> Configures key (10 hex or 5 ASCII characters for WEP64, 26 hex or 13 ASCII characters for WEP128). Sets keys as hexadecimal characters (10 characters for WEP64, 26 for WEP128) 0 <WORD> Configures a clear text key 2 <WORD> Configures an encrypted key

<WORD> Configures the key (10 hex or 5 ASCII characters for WEP64, 26 hex or 13 ASCII characters for WEP128) wep64 keys-from-passkey <WORD>

keys-from-passkey

<WORD>

Specifies a passphrase from which keys are derived

<WORD> Specify a passphrase from 4 - 32 characters. wep64 transmit-key <1-4>

transmit-key <1-4>

Configures the key index used for transmission from an AP to a wireless client or service platform

<1-4> Specify a key index from 1 - 4. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 534 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-wlan-test)#wep64 key 1 ascii test1 rfs6000-81742D(config-wlan-test)#wep64 transmit-key 1 rfs6000-81742D(config-wlan-test)#show context wlan test ssid testWLAN1 vlan-pool-member 1 limit 1 vlan-pool-member 2 limit 1 vlan-pool-member 3 limit 1 vlan-pool-member 4 limit 1 vlan-pool-member 5 limit 1 vlan-pool-member 6 limit 1 vlan-pool-member 7 limit 1 vlan-pool-member 8 limit 1 vlan-pool-member 9 limit 1 vlan-pool-member 10 limit 1 bridging-mode local encryption-type none authentication-type none protected-mgmt-frames mandatory wep64 key 1 hex 0 7465737431 radius vlan-assignment time-based-access days weekdays start 10:00 end 16:30 wing-extensions wmm-load-information client-load-balancing probe-req-intvl 5ghz 5 client-load-balancing band-discovery-intvl 2 use aaa-policy test

--More--

rfs6000-81742D(config-wlan-test)#

Related Commands no Resets the WEP64 PSK and transmission keys to factory-default values Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 535 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.50 wing-extensions wlan-mode commands Enables support for WiNG-specific client extensions to the IEEE 802.11x WLAN standards that potentially increase client roaming reliability and handshake speed Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax wing-extensions [ap-attributes-information {include-hostname}|

coverage-hole-detection {11k-clients|offset <5-20>|threshold <-80--60}|

ft-over-ds-aggregate|move-command|scan-assist {channel-info-interval <6-9>}|

smart-scan|wing-load-information|wmm-load-information]

Parameters wing-extensions [ap-attributes-information {include-hostname}|

coverage-hole-detection {11k-clients|offset <5-20>|offset <5-20>|threshold <-80--

60}|ft-over-ds-aggregate|move-command|scan-assist {channel-info-interval <6-9>}|

smart-scan|wing-load-information|wmm-load-information]

wing-extensions ap-attributes-

information

{include-hostname}

Enables support for inclusion of WiNG-specific client extensions in radio transmissions Enables support for AP attributes information element (IE) include-hostname Optional. When enabled, includes APs hostname, as a sub-

element, in the AP attributes IE. overage-hole-

detection

{11k-clients|

offset <5-20>|

threshold <-80--60>}

The AP attributes IE is vendor-specific and, when enabled, is added to beacons and probe responses. Inclusion of AP attributes IE allows Extreme Networks terminals to:

- Recognize Extreme APs

- Determine if the AP supports PAN BU features, irrespective of whether these features are enabled or not. AP attributes IE is not added to beacons and probe responses by default. Enables coverage hole detection (CHD) and configures CHD parameters. When enabled, allows clients (MUs) to inform an access point when it experiences a coverage hole. A coverage hole is an area of poor wireless coverage not supported by a WiNG managed access point radio. Enable radio resource measurement prior to enabling CHD. For enabling radio resource measurement, see radio-resource-

measurement. CHD is disabled by default. After enabling CHD, optionally configure the following parameters:

11k-clients Optional. Provides coverage hole detection to 802.11k-only-capable clients. This is a reduced set of coverage hole detection capabilities (standard 11k messages and behaviors). This option is disabled by default. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 536 GLOBAL CONFIGURATION COMMANDS offset <5-20> Optional. Configures the offset added to the threshold to obtain the access points signal strength (as seen by the client) considered adequate.

<5-20> Specify the offset value from 5 - 20. The default is 5. threshold Optional. Configures the access points signal strength threshold. When Radio Resource Measurement and CVG Hole are enabled, specify a threshold for the APs signal strength (as seen by the client) below which a coverage hole incident is reported by the client.

<-80--60> Specify the threshold from -80 - -60 dBm. The default is -70 dBm. Enables fast-transition (FT) aggregation of action frames. When enabled, increases roaming speed by eliminating separate key exchange handshake frames with potential roam candidates. Enable fast transition to complete an initial FT over distribution system (DS) handshake with multiple roam candidates (up to 6) at once, eliminating the need to send separate FT over DS handshakes to each roam candidate. This option is disabled by default. Enables use of Hyper Fast Secure Roaming (HFSR) for clients on this WLAN. This feature applies only to certain client devices. This option is disabled by default. Enables support for scanning assist. When enabled, allows faster roams on Dynamic Frequency Selection (DFS) channels by eliminating passive scans. Clients get channel information directly from possible roam candidates. This option is disabled by default. channel-info-interval <6-9> Optional. Configures the interval at which channel information is periodically retrieved from potential roam candidates without requesting scan assist.

<6-9> Specify the interval from 6 - 9 seconds. When enabled, the default value is 8 seconds. ft-over-ds-aggregate move-command scan-assist

{channel-info-interval

<6-9>}

smart-scan Enables a smart scan to refine a clients channel scans to just a few channels as opposed to all available channels. This option is disabled by default. wing-load-information Enables support for the WiNG load information element (Element ID 173) with legacy Symbol Technology clients, thus making them optimally interoperable with the latest Extreme Networks access points. This option is enabled by default. Enables support for WiNG Wi-Fi MultiMedia (WMM) Load Information Element in radio transmissions with legacy clients. This option is disabled by default. wmm-load-

information Example rfs6000-81742D(config-wlan-test)#wing-extensions wmm-load-information rfs6000-81742D(config-wlan-test)#show context wlan test description TestWLAN ssid test bridging-mode local encryption-type tkip-ccmp authentication-type eap kerberos server timeout 12 kerberos server primary host 172.16.10.2 accounting syslog host 172.16.10.4 port 2 data-rates 2.4GHz gn wing-extensions wmm-load-information client-load-balancing probe-req-intvl 5ghz 5

--More--

rfs6000-81742D(config-wlan-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 537 GLOBAL CONFIGURATION COMMANDS Related Commands no Disables support for WiNG-specific client extensions to the IEEE 802.11x WLAN standards. Use the keywords provided to disable a specific wing-extension. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 538 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.51 wireless-client wlan-mode commands Configures the transmit power indicated to clients Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax wireless-client [count-per-radio|cred-cache-ageout|hold-time|inactivity-timeout|

max-firewall-sessions|reauthentication|roam-notification|t5-inactivity-timeout|

tx-power|vlan-cache-ageout]

wireless-client [count-per-radio <0-256>|cred-cache-ageout <60-86400>|hold-time

<1-86400>|inactivity-timeout <60-86400>|max-firewall-sessions <10-10000>|

reauthentication <30-86400>|t5-inactivity-timeout <60-86400>|tx-power <0-20>|

vlan-cache-ageout <60-86400>]

wireless-client roam-notification [after-association|after-data-ready|auto]

Parameters wireless-client [count-per-radio <0-256>|cred-cache-ageout <60-86400>|hold-time

<1-86400>|inactivity-timeout <60-86400>|max-firewall-sessions <10-10000>|

reauthentication <30-86400>|t5-inactivity-timeout <60-86400>|tx-power <0-20>|

vlan-cache-out <60-86400>]

wireless-client count-per-radio

<0-256>

cred-cache-ageout

<60-86400>

Configures the transmit power indicated to wireless clients for transmission Configures the maximum number of clients allowed on this WLAN per radio

<0-256> Specify a value from 0 - 256. Configures the timeout period for which client credentials are cached across associations

<60-86400> Specify a value from 60 - 86400 seconds. hold-time <1-86400> Configures the time period for which wireless client state information is cached post inactivity-timeout

<60-86400>

max-firewall-sessions

<10-10000>

reauthentication

<30-86400>

t5-inactivity-timeout

<60-86400>

roaming

<1-86400> Specify a value from 1 - 86400 seconds. Configures an inactivity timeout period in seconds. If a frame is not received from a wireless client for this period of time, the client is disassociated.

<60-86400> Specify a value from 60 - 86400 seconds. Configures the maximum firewall sessions allowed per client on a WLAN

<10-10000> Specify the maximum number of firewall sessions allowed from 10 - 10000. Configures periodic reauthentication of associated clients

<30-86400> Specify the client reauthentication interval from 30 - 86400 seconds. Configures and inactivity timeout, in seconds, for T5 devices. When configured, the T5 device is disassociated if the time lapsed after the last frame received from it exceeds the value specified here.

<60-86400> Specify a value from 60 - 86400 seconds. The default is 60 seconds. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 539 GLOBAL CONFIGURATION COMMANDS tx-power <0-20>

vlan-cache-ageout

<60-86400>

Configures the transmit power indicated to clients

<0-20> Specify a value from 0 - 20 dBm. Configures the timeout period for which client VLAN information is cached across associations.

<60-86400> Specify a value from 60 - 86400 seconds. wireless-client roam-notification [after-association|after-data-ready|auto]

wireless-client roam-notification after-association after-data-ready auto Example Configures the transmit power indicated to wireless clients for transmission Configures when a roam notification is transmitted Transmits a roam notification after a client has associated Transmits a roam notification after a client is data-ready (after completion of authentication, handshakes, etc.) Transmits a roam notification upon client association (if the client is known to have authenticated to the network) rfs6000-81742D(config-wlan-test)#wireless-client cred-cache-ageout 65 rfs6000-81742D(config-wlan-test)#wireless-client hold-time 200 rfs6000-81742D(config-wlan-test)#wireless-client max-firewall-sessions 100 rfs6000-81742D(config-wlan-test)#wireless-client reauthentication 35 rfs6000-81742D(config-wlan-test)#wireless-client tx-power 12 rfs6000-81742D(config-wlan-test)#show context wlan test ssid testWLAN1 vlan-pool-member 1 limit 1 vlan-pool-member 2 limit 1 vlan-pool-member 3 limit 1 vlan-pool-member 4 limit 1 vlan-pool-member 5 limit 1 vlan-pool-member 6 limit 1 vlan-pool-member 7 limit 1 vlan-pool-member 8 limit 1 vlan-pool-member 9 limit 1 vlan-pool-member 10 limit 1 bridging-mode local encryption-type none authentication-type none wireless-client hold-time 200 wireless-client cred-cache-ageout 65 wireless-client max-firewall-sessions 100 protected-mgmt-frames mandatory wireless-client reauthentication 35 wep64 key 1 hex 0 7465737431 wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75 wep128 key 2 hex 0 2b3fb36924b22dffe98c86c315 wep128 key 3 hex 0 1ebf3394431700194762ebd5b2 wep128 key 4 hex 0 e3de75be311bd787aeac5e4e8b radius vlan-assignment time-based-access days weekdays start 10:00 end 16:30 wing-extensions wmm-load-information wireless-client tx-power 12 client-load-balancing probe-req-intvl 5ghz 5

--More--

rfs6000-81742D(config-wlan-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 540 GLOBAL CONFIGURATION COMMANDS Related Commands no Removes or reverts to default configured wireless client related parameters Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 541 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.52 wpa-wpa2 wlan-mode commands Modifies TKIP-CCMP (WPA/WPA2) related parameters Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax wpa-wpa2 [exclude-wpa2-tkip|handshake|key-rotation|opp-pmk-caching|pmk-caching|

preauthentication|server-only-authentication|psk|tkip-countermeasures|

use-sha256-akm]

wpa-wpa2 [exclude-wpa2-tkip|opp-pmk-caching|pmk-caching|preauthentication|

server-only-authentication|use-sha256-akm]

wpa-wpa2 handshake [attempts|init-wait|priority|timeout]

wpa-wpa2 handshake [attempts <1-5>|init-wait <5-1000000>|priority [high|normal]|

timeout <10-5000> {10-5000}]

wpa-wpa2 key-rotation [broadcast|unicast] <30-86400>

wpa-wpa2 psk [0 <LINE>|2 <LINE>|<LINE>]

wpa-wpa2 tkip-countermeasures holdtime <0-65535>

Parameters wpa-wpa2 [exclude-wpa2-tkip|opp-pmk-caching|pmk-caching|preauthentication|

server-only-authentication|use-sha256-akm]

wpa-wpa2 exclude-wpa2-tkip opp-pmk-caching pmk-caching preauthentication server-only-

authentication use-sha256-akm Modifies TKIP-CCMP (WPA/WPA2) related parameters Excludes the Wi-Fi Protected Access II (WPA2) version of TKIP. It supports the WPA version of TKIP only. This option is disabled by default. Uses opportunistic key caching (same Pairwise Master Key (PMK) across APs for fast roaming with EAP.802.1x. This option is enabled by default. Uses cached pair-wise master keys (fast roaming with eap/802.1x). This option is enabled by default. Uses pre-authentication mode (WPA2 fast roaming) Uses online sign up server-only-authenticated encryption network. This option is disabled by default. Uses sha256 authentication key management suite. This option is disabled by default. wpa-wpa2 handshake [attempts <1-5>|init-wait <5-1000000>|priority

[high|normal]|timeout <10-5000> {10-5000}]

wpa-wpa2 handshake attempts <1-5>

Modifies TKIP-CCMP (WPA/WPA2) related parameters Configures WPA/WPA2 handshake parameters Configures the total number of times a message is transmitted towards a non-

responsive client

<1-5> Specify a value from 1 - 5. The default is 2. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 542 GLOBAL CONFIGURATION COMMANDS init-wait

<5-1000000>

priority

[high|normal]

Configures a minimum wait-time period, in microseconds, before the first handshake message is transmitted from the AP. This option is disabled by default.

<5-1000000> Specify a value from 5 - 1000000 microseconds. Configures the relative priority of handshake messages compared to other data traffic high Treats handshake messages as high priority packets on a radio. This is the default timeout <10-5000>

<10-5000>

setting. normal Treats handshake messages as normal priority packets on a radio Configures the timeout period, in milliseconds, for a handshake message to retire. Once this period is exceed, the handshake message is retired.

<10-5000> Specify a value from 10 - 5000 milliseconds. The default is 500 milliseconds.

<10-5000> Optional. Configures a different timeout between the second and third attempts wpa-wpa2 key-rotation broadcast

<30-86400>

wpa-wpa2 key-rotation [broadcast|unicast] <30-86400>

Modifies TKIP-CCMP (WPA/WPA2) related parameters Configures parameters related to periodic rotation of encryption keys. The periodic key rotation parameters are broadcast, multicast, and unicast traffic. Configures the periodic rotation of keys used for broadcast and multicast traffic. This parameter specifies the interval, in seconds, at which keys are rotated. This option is disabled by default.

<30-86400> Specify a value from 30 - 86400 seconds. unicast <30-86400> Configures a periodic interval for the rotation of keys, used for unicast traffic. This option is disabled by default.

<30-86400> Specify a value from 30 - 86400 seconds. wpa-wpa2 psk [0 <LINE>|2 <LINE>|<LINE>]

wpa-wpa2 psk 0 <LINE>

2 <LINE>

<LINE>

Modifies TKIP-CCMP (WPA/WPA2) related parameters Configures a pre-shared key. The key options are: 0, 2, and LINE Configures a clear text key Configures an encrypted key Enter the pre-shared key either as a passphrase not exceeding 8 - 63 characters, or as a 64 character (256bit) hexadecimal value wpa-wpa2 tkip-countermeasures holdtime <0-65535>

Modifies TKIP-CCMP (WPA/WPA2) parameters Configures a hold time period for implementation of TKIP counter measures wpa-wpa2 tkip-

countermeasures holdtime <0-65535> Configures the amount of time a WLAN is disabled when TKIP counter measures are invoked

<0-65535> Specify a value from 0 - 65535 seconds. The default is 60 seconds. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 543 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-wlan-test)#wpa-wpa2 tkip-countermeasures hold-time 2 rfs6000-81742D(config-wlan-test)#show context wlan test ssid testWLAN1 vlan-pool-member 1 limit 1 vlan-pool-member 2 limit 1 vlan-pool-member 3 limit 1 vlan-pool-member 4 limit 1 vlan-pool-member 5 limit 1 vlan-pool-member 6 limit 1 vlan-pool-member 7 limit 1 vlan-pool-member 8 limit 1 vlan-pool-member 9 limit 1 vlan-pool-member 10 limit 1 bridging-mode local encryption-type none authentication-type none wireless-client hold-time 200 wireless-client cred-cache-ageout 65 wireless-client max-firewall-sessions 100 protected-mgmt-frames mandatory wireless-client reauthentication 35 wpa-wpa2 tkip-countermeasures hold-time 2 wep64 key 1 hex 0 7465737431 wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75

--More--

rfs6000-81742D(config-wlan-test)#

Related Commands no Removes or reverts to default TKIP-CCMP (WPA/WPA2) related parameters Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 544 GLOBAL CONFIGURATION COMMANDS 4.1.97.2.53 service wlan-mode commands Invokes service commands applicable in the WLAN configuration mode Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax service [allow-ht-only|allow-open-passpoint|client-load-balancing|cred-cache|

eap-mac-mode|eap-mac-multicopy|eap-mac-multikeys|eap-throttle|

enforce-pmkid-validation|key-index|monitor|radio-crypto|reauthentication|

session-timeout|tx-deauth-on-roam-detection|unresponsive-client|wpa-wpa2|show]

service [allow-ht-only|allow-open-passpoint|cred-cache [clear-on-4way-timeout|

clear-on-disconnect]|eap-mac-multicopy|eap-mac-multikeys|enforce-pmkid-

validation|radio-crypto|reauthentication seamless|session-timeout mac|

tx-deauth-on-roam-detection|show cli]

service eap-mac-mode [mac-always|normal]

service eap-throttle <0-254>

service key-index eap-wep-unicast <1-4>

service monitor [aaa-server|adoption|captive-portal|dhcp|dns]

service monitor [aaa-server|adoption vlan <1-4094>|captive-portal external-server]

service monitor [dhcp|dns] crm <RESOURCE-NAME> vlan <1-4094>

service unresponsive-client [attempts <1-1000>|ps-detect {threshold <1-1000>}|

timeout <1-60>]

service wpa-wpa2 exclude-ccmp Parameters service [allow-ht-only|allow-open-passpoint|cred-cache [clear-on-4way-timeout|

clear-on-disconnect]|eap-mac-multicopy|eap-mac-multikeys|enforce-pmkid-

validation|radio-crypto|reauthentication seamless|session-timeout mac|tx-deauth-

on-roam-detection|show cli]

allow-ht-only Only allows clients capable of High Throughput (802.11n) data rates to associate. This option is disabled by default. allow-open-passpoint Enables non-WPA2 security for passpoint WLANs. This option is disabled by default. cred-cache

[clear-on-4way-

timeout|

clear-on-disconnect]

For more information on passpoint policy and configuration, see PASSPOINT POLICY. Clears credential cache based on the parameter passed clear-on-4way-timeout Clears cached client credentials after the 4way handshake with a client has timed out. This option is enabled by default. clear-on-disconnect Clears cached client credentials after the client has disconnected from the network. This option is disabled by default. eap-mac-multicopy Enables sending of multiple copies of broadcast and unicast messages. This option is disabled by default. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 545 GLOBAL CONFIGURATION COMMANDS eap-mac-multikeys enforce-pmkid-

validation radio-crypto reauthentication seamless session-timeout mac tx-deauth-on-roam-

detection show cli Enables configuration of different key indices for MAC authentication. This option is disabled by default. Validates the Predictive real-time pairwise master key identifier (PMKID) contained in a clients association request against the one present in the wpa-wpa2 handshake. This option is enabled by default. This functionality is based on the Proactive Key Caching (PKC) extension of the 802.11i EEEE standard. Whenever a wireless client successfully authenticates with a AP it receives a pairwise master key (PMK). PKC allows clients to cache this PMK and reuse it for future re-authentications with the same AP. The PMK is unique for every client and is identified by the PMKID. The PMKID is a combination of the hash of the PMK, a string, the station and the MAC addresses of the AP. Uses radio hardware for encryption and decryption. This is applicable only for devices using Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP) encryption mode. This option is enabled by default. Enables seamless EAP client reauthentication without disconnecting client after the session has timed out. This option is enabled by default. Enables reauthentication of MAC authenticated clients without disconnecting client after the session has timed out. This option is enabled by default. Transmits a deauthentication on the air while disassociating a client because its roam is detected on the wired side. This option is disabled by default. Displays the CLI tree of the current mode. When used in the WLAN mode, this command displays the WLAN CLI structure. service eap-mac-mode [mac-always|normal]

eap-mac-mode mac-always normal Configures the EAP and/or MAC authentication mode used with this WLAN. This option is enabled by default. Enables both EAP and MAC authentication. MAC authentication is performed first, followed by EAP authentication. Clients are granted access based on the EAP authentication result. If a client does not have EAP, the MAC authentication result is used to grant access. Grants client access if the client clears either EAP or MAC authentication. This is the default setting. service eap-throttle <0-254>

eap-throttle <0-254>

Enables EAP request throttling. Use this command to specify the maximum number of parallel EAP sessions allowed on this WLAN. Once this specified value is exceeded, all incoming EAP session requests are throttled. This option is enabled by default.

<0-254> Specify a value from 0 - 254. This default value is 0. service key-index eap-wep-unicast <1-4>

key-index eap-wep-unicast

<1-4>

Configures an index with each key during EAP authentication with WEP. This option is enabled by default.

<1-4> Select a index from 1 - 4. The default value is 1. service wpa-wpa2 exclude-ccmp wpa-wpa2 exclude-ccmp Configures exclusion of CCMP requests when the authentication mode is set to tkip-

ccmp. When enabled, it provides compatibility for client devices not compliant with tkip-ccmp. This option is disabled by default. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 546 GLOBAL CONFIGURATION COMMANDS service monitor [aaa-server|adoption vlan <1-4094>|captive-portal external-

server]

monitor aaa-server adoption vlan

<1-4094>

captive-portal external-server Enables critical resource monitoring. In a WLAN, service monitoring enables regular monitoring of external AAA servers, captive portal servers, access point adoption, DHCP and DNS servers. When enabled, it allows administrators to notify users of a services availability and make resource substitutions in case of unavailability of a service. Enables external AAA server failure monitoring. When enabled monitors an external RADIUS server resources AAA activity and ensures its adoption and availability. This feature is disabled by default. Enables adoption failure monitoring on an adopted AP. Also configures a adoption failover VLAN. This feature is disabled by default. VLAN <1-4094> Specify the VLAN on which clients are placed when the connectivity between the AAP and the controller is lost. Configure a DHCP pool and gateway for the failover VLAN. Ensure the DHCP server is running on the AP. Also ensure that the DHCP pool is configured to have less lease time. When this feature is enabled on a WLAN, it allows adopted APs to monitor their connectivity with the controller. If and when this connectivity is lost, all new clients are placed in the configured adoption failover VLAN. They are served an IP by the DHCP server running on the AP. In this situation if a client tries to access a Web URL, the AP redirects the client to a page stating that the service is down. When the AAPs link to the switch is restored, clients are placed back in the WLANs configured VLAN, and are served an IP from the corresponding configured DHCP server (external or on the AP/controller). Enables external captive portal server failure monitoring. When enabled, monitors externally hosted captive portal activity, and user access to the controller or service platform managed network. This feature is disabled by default. When enabled, this feature enables APs to display, to an externally located captive portals user, the no-service page when the captive portals server is not reachable. service monitor [dhcp|dns] crm <RESOURCE-NAME> vlan <1-4094>]

monitor dhcp dns crm

<RESOURCE-NAME>

Enables DHCP and/or DNS server monitoring on this WLAN. Enables monitoring of a specified DHCP server. When the connection to the DHCP server is lost, captive portal users automatically migrate to a pre-defined VLAN. The feature is disabled by default. Use the crm keyword to specify the DHCP server to monitor. Enables monitoring of a specified DNS server. When the connection to the DNS server is lost, captive portal users automatically migrate to a pre-defined VLAN. The feature is disabled by default. Use the crm keyword to specify the DNS server to monitor. This keyword is common to the dhcp and dns parameters. crm Identifies the DHCP and/or DNS server to monitor

<RESOURCE-NAME> Specify the name of the DHCP or DNS server. Once enabled, the CRM server monitors the DHCP/DNS server and updates their status as up or down depending on the availability of the resource. When either of these resources is down the wireless client is mapped to the failover VLAN and served with the no-service page through the access point. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 547 GLOBAL CONFIGURATION COMMANDS vlan <1-4094>

This keyword is common to the dhcp and dns parameters. After specifying the DHCP/DNS sever resource, specify the failover VLAN. VLAN <1-4094> Configures the failover VLAN from 1 - 4094. When the DHCP server resource becomes unavailable, the device falls back to the VLAN defined here. This VLAN has a DHCP server configured that provides a pool of IP addresses with a lease time less than the main DHCP server. When this DNS server resource becomes unavailable, the device falls back to the VLAN defined here. This VLAN has a DNS server configured that provides DNS address resolution until the main DNS server becomes available. service unresponsive-client [attempts <1-1000>|ps-detect {threshold <1-1000>}|

timeout <1-60>]

eap-mac-mode attempts <1-1000>

ps-detect {threshold

<1-1000>}

timeout <1-60>

Configures handling of unresponsive clients Configures the maximum number of successive packets that failed transmission

<1-1000> Specify a value from 1 - 1000. The default is 7. Enables the detection of power-save mode clients, whose PS stats has not been updated on the AP. This option is enabled by default. threshold Optional. Configures the threshold at which power-save client detection is triggered

<1-1000> Configures the number of successive unacknowledged packets received before power-save detection is triggered. Specify a value from 1 - 1000. The default is 3. Configures the interval, in seconds, for successive packets not acknowledged by the client

<1-60> Specify a value from 1 - 60 seconds. The default is 3 seconds. Example rfs4000-229D58(config-wlan-test)#service allow-ht-only rfs4000-229D58(config-wlan-test)#service monitor aaa-server rfs4000-229D58(config-wlan-test)#show context wlan test ssid test vlan 1 bridging-mode tunnel encryption-type none authentication-type none service monitor aaa-server service allow-ht-only controller-assisted-mobility rfs4000-229D58(config-wlan-test)#

Related Commands no Removes or reverts to default WLAN settings configured using the service command Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 548 GLOBAL CONFIGURATION COMMANDS 4.1.98 wlan-qos-policy Global Configuration Commands Configures a WLAN QoS policy Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax wlan-qos-policy <WLAN-QOS-POLICY-NAME>

Parameters wlan-qos-policy <WLAN-QOS-POLICY-NAME>

<WLAN-QOS-POLICY-

NAME>

Specify the WLAN QoS policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#wlan-qos-policy test rfs6000-81742D(config-wlan-qos-test)#?

WLAN QoS Mode commands:

accelerated-multicast Configure accelerated multicast streams address assnd forwarding QoS classification classification Select how traffic on this WLAN must be classified

(relative prioritization on the radio) multicast-mask Egress multicast mask (frames that match bypass the PSPqueue. This permits intercom mode operation without delay even in the presence of PSP clients) no Negate a command or set its defaults qos Quality of service rate-limit Configure traffic rate-limiting parameters on a per-wlan/per-client basis svp-prioritization Enable spectralink voice protocol support on this wlan voice-prioritization Prioritize voice client over other client (for non-WMM clients) wmm Configure 802.11e/Wireless MultiMedia parameters clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-wlan-qos-test)#

Related Commands no Removes an existing WLAN QoS Policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 549 GLOBAL CONFIGURATION COMMANDS NOTE: For more information on WLAN QoS policy commands, see Chapter 21, WLAN-QOS-POLICY. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 550 GLOBAL CONFIGURATION COMMANDS 4.1.99 url-filter Global Configuration Commands The following table lists the commands that allow you to enter the URL filter configuration mode:

Table 4.55 Commands Creating a URL Filter Command url-filter url-filter-config-

mode commands Description Creates a new URL filter and enters its configuration mode Summarizes the URL filter configuration mode commands Reference page 4-552 page 4-555 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 551 GLOBAL CONFIGURATION COMMANDS 4.1.99.1 url-filter url-filter Creates a new URL filter (Web filter) and enters its configuration mode. URL filtering is a licensed feature. When applied to a WiNG device the license allows you to enable URL filtering on the device, create and apply a URL filter defining the banned and/or allowed URLs. When enabled, the URL filter is applied to all user-initiated URL requests to determine if the requested URL is banned or allowed. Only if allowed is the users request (in the form of a HTTP request packet) forwarded to the Web server. URL filters can be applied at any of the following points: the users application (browser/email reader), the networks gateway, at the Internet service providers (ISP) end, and also on a Web portal. For wireless clients, the WLAN infrastructure is the best place to implement these filters. A URL filter is a set of whitelist and/or blacklist rules. The whitelist allows access only to those Websites and URLs specified in it. All other Websites and URLs, apart from those specified in the whitelist, are banned. On the other hand, the blacklist bans all Websites and URLs specified in it. All other Websites and URLs, apart from those specified in the blacklist, are allowed. To simplify URL filter configuration, Websites have been classified into pre-defined category-types and categories. The system provides 12 category-types and 64 categories. To further simplify configuration, these 12 category-types have been grouped into five (5) pre-defined levels. (See Usage Guidelines section for the list of category-types, categories, and levels). The actual classification of URLs (on the basis of the pre-defined factors mentioned above) is done by the classification server. A local database also helps by caching URL records for a user-defined time period. The classification server host is specified in the Web filter policy. The Web filter policy also defines the URL database parameters. For more information, see web-filter-policy. The WiNG software also allows you to create URL lists. Each URL list contains a list of user-defined URLs. Use the URL list in a URL filter (whitelist or blacklist rule) to identify the URLs to ban or allow. For example, a URL list named SocialNetworking is created listing the following three sites: Facebook, Twitter, and LinkedIn. When applied to a URL filters blacklist these three sites are banned. Where as, when applied to a whitelist only these three sites are allowed. For more information on configuring a URL list, see url-list. NOTE: URL filtering is a licensed feature. Procure and install the license in the device configuration mode. For more information, see license. Supported in the following platforms:

Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax url-filter <URL-FILTER-NAME>

Parameters url-filter <URL-FILTER-NAME>

<URL-FILTER-

NAME>

Creates a new URL filter and enters its configuration mode. Specify the URL filter name. If the filter does not exist, it is created. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 552 1 2 3 4 5 6 7 8 9 GLOBAL CONFIGURATION COMMANDS Usage Guidelines Alcohol & Tobacco, Dating & Personals, Gambling, Nudity, Pornography/Sexually Explicit, Sex Education, Weapons Web-based Email Category Type Category Adult Content Business Communication Chat, Instant Messaging Entertainment File Sharing and Backup Gaming News Sports and General Streaming Media & Downloads Download Sites Games Arts, Business, Computer & Technology, Education, Entertainment, Fashion & Beauty, Finance, Forum & Newsgroups, General, Government, Greeting Card, Health &

Medicine, Information Security, Job Search, Leisure & Recreation, Network Errors, News, Non-Profits & NGO, Personal Sites, Politics, Private IP Addresses, Real Estates, Religion, Restaurants & Dinning, Search Engine & Portals, Shopping, Sports, Transportation, Translators, Travel Peer to Peer Child Abuse Images, Cults, Hacking, Hate & Intolerance, Illegal Drug, Illegal Sharing, Illegal Software, School Cheating, Tasteless, Violence Advertisement & Pop-ups, Anonymizers, Botnets, Compromised, Criminal Activity, Malware, Parked Domains, Phishing & Fraud, Spam Sites Social Networking N/A Description Blocks sites/URL categorized as Security Risk Blocks sites/URL categorized as Adult Content + Basic Blocks sites/URL categorized as File Sharing and Backup, P2P, Questionable /

Unethical + Low Blocks sites/URL categorized as Gaming + Medium Blocks sites/URL categorized as Communication, Entertainment, Social and Photo Sharing + Medium High Peer-to-Peer

(P2P) Questionable/

Unethical 10 Security Risk 11 12 1 2 3 4 5 Social and Photo Sharing Software Update Level Basic Low Medium Medium High High Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 553 GLOBAL CONFIGURATION COMMANDS Example nx9500-6C8809(config-url-filter-test)#?

URL Filter Mode commands:

blacklist Block access to URL blockpage Configure blocking page parameters description Url filter description no Negate a command or set its defaults whitelist Allow access to URL clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-url-filter-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 554 GLOBAL CONFIGURATION COMMANDS 4.1.99.2 url-filter-config-mode commands url-filter The following table summarizes URL filter configuration mode commands:

Table 4.56 URL-Filter-Config-Mode Commands Command blacklist blockpage description no whitelist Description Creates a blacklist rule defining a list of banned Websites and URLs Configures the parameters that retrieve the page or content displayed by the clients browser when a requested URL is blocked and cannot be viewed Configures an appropriate description for this URL filter Removes this URL filters configured parameters Creates a whitelist rule defining a list of Websites and URLs allowed access by clients. Reference page 4-556 page 4-559 page 4-561 page 4-562 page 4-563 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 555 GLOBAL CONFIGURATION COMMANDS 4.1.99.2.1 blacklist url-filter-config-mode commands Creates a blacklist rule. A blacklist is a list of Websites and URLs denied access by clients. Clients requesting blacklisted URLs are presented with a page displaying the Web page blocked message. Parameters relating to this page are configured using the blockpage option. URL filtering is based on the classification of Websites into pre-defined category-types. Some of the category-types are further divided into multiple categories. Currently available are 12 built-in category types, and 64 categories. These built-in category-types and categories cannot be modified. Use the available options to identify the URL category-types and categories to include in the blacklist. In addition to identifying URLs by the categories and category-types they are classified into, the system also provides five (5) levels of Web filtering (basic, high, low, medium, and medium-high). Each level identifies a specific set of URL categories to blacklist. For more information on category-types, categories, and URL filtering levels, see url-filter. Supported in the following platforms:

Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax blacklist [category-type|level|url-list]

blacklist category-type [adult-content|all|business|communication|entertainment|

file-sharing-backup|gaming|news-sports-general|p2p|questionable|security-risk|

social-photo-sharing|software-updates] precedence <1-500> {description <LINE>}

blacklist level [basic|high|low|medium|medium-high] precedence <1-500>

{description <LINE>}

blacklist url-list <URL-LIST-NAME> precedence <1-500> {description <LINE>}

Parameters blacklist category-type [adult-content|all|business|communication|

entertainment|file-sharing-backup|gaming|news-sports-general|p2p|questionable|

security-risk|social-photo-sharing|software-updates] precedence <1-500>

{description <LINE>}

blacklist category-type

<SELECT-

CATEGORY-TYPE>

Selects the category-type to blacklist. A category is a pre-defined URL list available in the WiNG software. Categories are based on an external database, and cannot be modified or removed. Custom categories can created with the URL List and added to the database. Websites have been classified into the following 12 category types:

adult-content, business, communication, entertainment, file-sharing-backup, gaming, news-sports-general, p2p, questionable, security-risk, social-photo-sharing, and software-updates Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 556 GLOBAL CONFIGURATION COMMANDS Select all to blacklist all category-types. Some of the category-types are further classified into categories. For example, the adult-content category-type is differentiated into the following categories:

alcohol-tobacco, dating-personals, gambling, nudity, pornography-sexually-explicit, sex-education, and weapons. The system blocks all categories (URLs falling within their limits) within the selected category-type. Configures the precedence value for this blacklist rule. Rules are applied in the increasing order of their precedence. Therefore, rules with lower precedence are applied first. precedence

<1-500>

description <LINE> Optional. Configures a description (not exceeding 80 characters) for this blacklist rule. Enter a description that allows you to identify the purpose of the rule. blacklist level [basic|high|low|medium|medium-high] precedence <1-500>

{description <LINE>}

blacklist level

[basic|high|low|

medium|medium-

high]

precedence

<1-500>

Configures the Web filtering level as basic, high, low, medium, or medium-high. Each of these filter-levels are pre-configured to use a set of category types and this mapping cannot be modified. Configures the precedence value for this blacklist rule. Rules are applied in the increasing order of their precedence. Therefore, rules with lower precedence are applied first. description <LINE> Optional. Configures a description (not exceeding 80 characters) for this blacklist rule. Enter a description that allows you to identify the purpose of the rule. blacklist url-list <URL-LIST-NAME> precedence <1-500> {description <LINE>}

blacklist url-list

<URL-LIST-NAME>

precedence

<1-500>

Associates a URL list with this URL filter. When associated with a blacklist rule, all URLs listed in the specified URL list are blacklisted. URL lists are customized categories included in the custom filter-level setting. URL lists enable an administrator to blacklist or whitelist URLs in addition to the built-in categories. For more information on configuring a URL list, see url-list.

<URL-LIST-NAME> Enter URL list name (should be existing and configured) Configures the precedence value for this blacklist rule. Rules are applied in the increasing order of their precedence. Therefore, rules with lower precedence are applied first. description <LINE> Optional. Configures a description (not exceeding 80 characters) for this blacklist rule. Enter a description that allows you to identify the purpose of the rule. Example rfs6000-81742D(config-url-filter-test)#blacklist level medium-high precedence 10 rfs6000-81742D(config-url-filter-test)#blacklist category-type adult-content category alcohol-tobacco precedence 1 rfs6000-81742D(config-url-filter-test)#blacklist category-type security-risk category botnets precedence 3 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 557 GLOBAL CONFIGURATION COMMANDS rfs6000-81742D(config-url-filter-test)#show context url-filter test blacklist level medium-high precedence 10 blacklist category-type security-risk category botnets precedence 3 blacklist category-type adult-content category alcohol-tobacco precedence 1 rfs6000-81742D(config-url-filter-test)#

Related Commands no Removes a blacklist rule from this URL filter. Specify the category-type, category, and precedence to identify the blacklist rule. The identified rule is removed form the URL filter. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 558 GLOBAL CONFIGURATION COMMANDS 4.1.99.2.2 blockpage url-filter-config-mode commands Configures the parameters that retrieve the page or content displayed by the clients browser when a requested URL is blocked and cannot be viewed Supported in the following platforms:

Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax blockpage [external|internal|path]

blockpage path [external|internal]

blockpage external url <URL>

blockpage internal [content|footer|header|main-logo|org-name|org-signature|

small-logo|title] <LINE/IMAGE-URL>

Parameters blockpage path [external|internal]

blockpage path

[external|internal]

Specifies if the location of the page displayed, to the client when a requested URL is blocked, is external or internal external Indicates the page displayed is hosted on an external Web server resource. If selecting this option, use the blockpage > external > url <URL> command to provide the path to the external Web server hosting the page. internal Indicates the page displayed is hosted internally. This is the default setting. If selecting this option, use the blockpage > internal > <SELECT-PAGE-TYPE> > <LINE/

IMAGE-URL> command to define the page configuration. blockpage external url <URL>

blockpage external url <URL>

Configures the URL of the external Web server hosting the page (displayed to the client when a requested URL is blocked). url <URL> Specify the URL of the Web server and the blocking page name Valid URLs should begin with http:// or https://

The URL can contain query strings. Use '&' or '?' character to separate field-value pair. Enter 'ctrl-v' followed by '?' to configure query strings blockpage internal [content|footer|header|main-logo|org-name|org-signature|

small-logo|title] <LINE/IMAGE-URL>

blockpage internal

[content|footer|

header|main-logo|

org-name|

org-signature|

small-logo|title]

<LINE/IMAGE-URL>

Configures the internally hosted blocking page parameters, such as the content displayed, page footer and header, organization (the organization enforcing the Web page blocking) details (name, signature, and logo), and page title content Configures the text (message) displayed on the blocking page footer Configures the text displayed as the blocking page footer Contd... Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 559 GLOBAL CONFIGURATION COMMANDS header Configures the text displayed as the blocking page header org-name Configures the organizations name displayed on the blocking page org-signature Configures the organizations signature displayed on the blocking page title Configures the title of the blocking page. main-logo Configures the location of the main logo (organizations large logo) small-logo Configures the location of the small logo (organizations small logo) The following keyword is common to all of the above parameters:

<LINE/IMAGE-URL> Specify the location of the logo (main and small) image file. The image is retrieved and displayed from the location configured here. If you are using this option to provide content, such as organization name, footer, header, etc. enter a text string not exceeding 255 characters in length. Example rfs6000-81742D(config-url-filter-test)#blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"

rfs6000-81742D(config-url-filter-test)#show context url-filter test blacklist level medium-high precedence 10 blacklist category-type security-risk category botnets precedence 3 blacklist category-type adult-content category alcohol-tobacco precedence 1 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"

rfs6000-81742D(config-url-filter-test)#

Related Commands no Removes the blocking page configurations Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 560 GLOBAL CONFIGURATION COMMANDS 4.1.99.2.3 description url-filter-config-mode commands Configures a description for this URL filter. Provide a description that enables you to identify the purpose of this URL filter. Supported in the following platforms:

Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax description <LINE>

Parameters description <LINE>

description <LINE>

Enter an appropriate description for this URL filter. The description should identify the URL filters purpose and should not exceed 80 characters in length. Example rfs6000-81742D(config-url-filter-test)#description Blacklists sites inappropriate for children and are security risks. rfs6000-81742D(config-url-filter-test)#show context url-filter test description "Blacklists sites inappropriate for children and are security risks."

blacklist level medium-high precedence 10 blacklist category-type security-risk category botnets precedence 3 blacklist category-type adult-content category alcohol-tobacco precedence 1 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"

rfs6000-81742D(config-url-filter-test)#

Related Commands no Removes this URL filters description Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 561 GLOBAL CONFIGURATION COMMANDS 4.1.99.2.4 no url-filter-config-mode commands Use the no command to remove this URL filters configured parameters Supported in the following platforms:

Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [blacklist|blockpage|description|whitelist]

no blacklist [category-type|level|url-list]

no blacklist [category-type <SELECT-CATEGORY-TYPE>|level <SELECT-LEVEL>|

url-list <URL-LIST-NAME>] precedence <1-500>

no blockpage [external|internal [content|footer|header|main-logo|org-name|

org-signature|small-logo|title]|path]

no description no whitelist [category-type|url-list]

no whitelist [category-type <SELECT-CATEGORY-TYPE>|url-list <URL-LIST-NAME>]

precedence <1-500>

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes this URL filters configured parameters based on the values passed here Example The following example displays the URL filter test settings before the no is executed:

rfs6000-81742D(config-url-filter-test)#show context url-filter test description "Blacklists sites inappropriate for children and are security risks."

blacklist level medium-high precedence 10 whitelist category-type communication category chat precedence 7 blacklist category-type security-risk category botnets precedence 3 blacklist category-type adult-content category alcohol-tobacco precedence 1 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"

rfs6000-81742D(config-url-filter-test)#

rfs6000-81742D(config-url-filter-test)#no description rfs6000-81742D(config-url-filter-test)#no blacklist category-type adult-content category alcohol-tobacco precedence 1 rfs6000-81742D(config-url-filter-test)#no whitelist category-type communication category chat precedence 7 The following example displays the URL filter test settings after the no is executed:

rfs6000-81742D(config-url-filter-test)#show context url-filter test blacklist level medium-high precedence 10 blacklist category-type security-risk category botnets precedence 3 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"

rfs6000-81742D(config-url-filter-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 562 GLOBAL CONFIGURATION COMMANDS 4.1.99.2.5 whitelist url-filter-config-mode commands Creates a whitelist rule. A whitelist is a list of Websites and URLs allowed access by clients. URL filtering is based on the classification of Websites into pre-defined category-types. Some of the category-types are further divided into multiple categories. Currently available are 12 built-in category types, and 64 categories. These built-in category-types and categories cannot be modified. Use the available options to identify the category-types and categories to include in the whitelist. Supported in the following platforms:

Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax whitelist [category-type|url-list]

whitelist category-type [adult-content|all|business|communication|entertainment|

file-sharing-backup|gaming|news-sports-general|p2p|questionable|security-risk|

social-photo-sharing|software-updates] precedence <1-500> {description <LINE>}

whitelist url-list <URL-LIST-NAME> precedence <1-500> {description <LINE>}

Parameters whitelist category-type [adult-content|all|business|communication|

entertainment|file-sharing-backup|gaming|news-sports-general|p2p|questionable|

security-risk|social-photo-sharing|software-updates] precedence <1-500>

{description <LINE>}

whitelist category-type

<SELECT-

CATEGORY-TYPE>

precedence

<1-500>

Selects the category-type to add to this whitelist. A category is a pre-defined URL list available in the WiNG software. Categories are based on an external database, and cannot be modified or removed. Custom categories can created with the URL List and added to the database. Websites have been classified into the following 12 category types: adult-content, business, communication, entertainment, file-sharing-backup, gaming, news-sports-general, p2p, questionable, security-risk, social-photo-sharing, and software-updates. Select all to whitelist all category-types. Some of the category-types are further classified into categories. For example, the adult-content category-type is differentiated into the following categories:

alcohol-tobacco, dating-personals, gambling, nudity, pornography-sexually-explicit, sex-education, and weapons. The system allows all categories (URLs falling within their limits) within the selected category-type. Configures the precedence value for this whitelist rule. Rules are applied in the increasing order of their precedence. Therefore, rules with lower precedence are applied first. description <LINE> Optional. Configures a description (not exceeding 80 characters) for this whitelist rule. Enter a description that allows you to identify the purpose of the rule. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 563 GLOBAL CONFIGURATION COMMANDS whitelist url-list <URL-LIST-NAME> precedence <1-500> {description <LINE>}

whitelist url-list

<URL-LIST-NAME>

precedence

<1-500>

Associates a URL list with this URL filter. When associated with a whitelist rule, all URLs listed in the specified URL list are allowed access. URL lists are customized categories included in the custom filter-level setting. URL lists enable an administrator to blacklist or whitelist URLs in addition to the built-in categories. For more information on configuring a URL list, see url-list.

<URL-LIST-NAME> Enter URL list name (should be existing and configured) Configures the precedence value for this whitelist rule. Rules are applied in the increasing order of their precedence. Therefore, rules with lower precedence are applied first. description <LINE> Optional. Configures a description (not exceeding 80 characters) for this whitelist rule. Enter a description that allows you to identify the purpose of the rule. Example rfs6000-81742D(config-url-filter-test)#whitelist category-type communication category chat precedence 7 rfs6000-81742D(config-url-filter-test)#show context url-filter test description "Blacklists sites inappropriate for children and are security risks."

blacklist level medium-high precedence 10 whitelist category-type communication category chat precedence 7 blacklist category-type security-risk category botnets precedence 3 blacklist category-type adult-content category alcohol-tobacco precedence 1 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"

rfs6000-81742D(config-url-filter-test)#

Related Commands no Removes a whitelist rule from this URL filter. Specify the category-type, category, and precedence to identify the blacklist rule. The identified rule is removed form the URL filter. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 564 GLOBAL CONFIGURATION COMMANDS 4.1.100 url-list Global Configuration Commands The following table lists the commands that allow you to enter the URL list configuration mode:

Table 4.57 Commands Creating a URL List Command url-list url-list-config-

mode commands Description Creates a new URL list and enters its configuration mode Summarizes the URL list configuration mode commands Reference page 4-566 page 4-567 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 565 GLOBAL CONFIGURATION COMMANDS 4.1.100.1 url-list url-list Creates a URL list and enters its configuration mode. URL lists are a means of categorizing URLs on the basis of various criteria, such as frequently used, not-permitted, etc. It is used in URL filters to identify whitelisted/blacklisted URLs. Web requests are blocked or approved based on URL filter whitelist/blacklist rules. A whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist Supported in the following platforms:

Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax url-list <URL-LIST-NAME>

Parameters url-list <URL-LIST-NAME>

<URL-LIST-NAME>

Specify the URL list name. The URL list is created if another list with the same name does not exist. Example nx9500-6C8809(config)#url-list URLlist1 nx9500-6C8809(config-url-list-URLlist1)#?

URL List Mode commands:

description Description of the category no Negate a command or set its defaults url Add a URL entry clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-url-list-URLlist1)#

nx9500-6C8809(config-url-list-URLlist1)#url http://www.example_company.com depth 10 nx9500-6C8809(config-url-list-test)#show context url-list test url http://www.example_company.com depth 10 nx9500-6C8809(config-url-list-URLlist1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 566 GLOBAL CONFIGURATION COMMANDS 4.1.100.2 url-list-config-mode commands url-list The following table summarizes URL list configuration mode commands:

Table 4.58 URL-Filter-Config-Mode Commands Command description url no Description Creates a blacklist rule defining a list of banned Web sites and URLs Adds URL entries to this URL list Removes this URL lists settings Reference page 4-568 page 4-569 page 4-570 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 567 GLOBAL CONFIGURATION COMMANDS 4.1.100.2.1 description url-list-config-mode commands Configures a description for this URL list. The description should be unique and enable you to identify the type of URLs listed in the URL list. Supported in the following platforms:

Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax description <LINE>

Parameters description <LINE>

description <LINE>

Provide a unique description for this URL list (should not exceed 500 characters in length) Example nx9500-6C8809(config-url-list-test)#description This URL list contains social media URLs nx9500-6C8809(config-url-list-test)#show context url-list test description This URL list contains social media URLs nx9500-6C8809(config-url-list-test)#

Related Commands no Removes this URL lists description Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 568 GLOBAL CONFIGURATION COMMANDS 4.1.100.2.2 url url-list-config-mode commands Adds URL entries to this URL list Supported in the following platforms:

Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax url <WORD> {depth <1-10>}

Parameters url <WORD> {depth <1-10>}

Adds a URL entry

<WORD> Specify the URL to add. url <WORD>

{depth <1-10>}

depth Optional. Sets number of levels to be cached. Since Web sites have different parameters to uniquely identify specific content, the same content may be stored on multiple origin servers. Smart caching uses subsets of these parameters to recognize that the content is the same and serves it from cache.

<1-10> Specify the depth from 1 - 10. Example nx9500-6C8809(config-url-list-test)#url http://www.facebook.com nx9500-6C8809(config-url-list-test)#show context url-list test description This URL list contains social communication URLS url https://www.facebook.com depth 5 nx9500-6C8809(config-url-list-test)#

Related Commands no Removes a URL entry from this URL list Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 569 GLOBAL CONFIGURATION COMMANDS 4.1.100.2.3 no url-list-config-mode commands Removes this URL lists settings Supported in the following platforms:

Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [description|url]

no description no url <WORD>

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes this URLs settings based on the parameters passed Example The following example displays the URL list test settings before the no command is executed:

nx9500-6C8809(config-url-list-test)#show context url-list test description This URL list contains social communication URLS url https://www.facebook.com depth 5 nx9500-6C8809(config-url-list-test)#

nx9500-6C8809(config-url-list-test)#no url www.facebook.com The following example displays the URL list test settings after the no command is executed:

nx9500-6C8809(config-url-list-test)#show context url-list test description This URL list contains social communication URLS nx9500-6C8809(config-url-list-test)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 570 GLOBAL CONFIGURATION COMMANDS 4.1.101 vx9000 Global Configuration Commands Configures a Virtual WLAN Controller (V-WLC) in a virtual machine (VM) environment. V-WLC can be deployed on a shared, third-party server hardware, thereby reducing overhead costs of procuring and maintaining dedicated appliances. The external, third-party hardware needs to have installed hypervisors, such as VmWare, Xen, VirtualBox, KVM, Amazon EC2 or Hyper-V, enabling it to communicate with V-WLC software. The V-WLC controls and manages access points and other controllers (at NOC or as a site-controller) in the network. The traffic between the access points and the V-WLC is over the layer-3 MINT protocol. V-WLC is a licensed feature, and the WiNG software provides the following two new licenses:

VX When installed, this license activates VM controller instance, and enables the V-WLC to trigger adoption process allowing access points to adopt to the V-WLC. The adoption capacity of the V-

WLC is determined by the number of licenses installed on it. VX-DEMO This is a 60 day trial license. This license also activates VM controller instance, and enables the V-WLC to adopt access points. But, the access point adoption capacity is limited to 16. Having installed this license on a device, the only other license that you can install on it is the VX license. All existing installed licenses will continue to work as before. Since this license has a limited validity period, ensure that the system clock on the license generating tool and the device are in sync. preferably through NTP. To install the VX or VX-DEMO license on an existing V-WLC instance, use the license command. For more information, see the examples provided in this section. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600 Syntax vx9000 <MAC>

Parameters vx9000 <MAC>

vx <MAC>

Configures a V-WLC and enters its configuration mode The V-WLC configuration is the same as that of a normal controller. Example nx9500-6C8809(config)#vx9000 11-22-33-44-55-66 nx9500-6C8809(config-device-11-22-33-44-55-66)#?

Device Mode commands:

adopter-auto-provisioning-policy-lookup Use centralized auto-provisioning policy when adopted by another controller adoption Adoption configuration adoption-site Set system's adoption site adoption-mode Configure the adoption mode for the access-points in this RF-Domain alias Alias application-policy Application Poicy configuration area Set name of area where the system is located arp Address Resolution Protocol (ARP) auto-learn Auto learning Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 571 GLOBAL CONFIGURATION COMMANDS autogen-uniqueid Autogenerate a unique id autoinstall Autoinstall settings bluetooth-detection Detect Bluetooth devices using the Bluetooth USB module - there will be interference on 2.4 Ghz radio in wlan mode bridge Ethernet bridge captive-portal Captive portal cdp Cisco Discovery Protocol channel-list Configure channel list to be advertised to wireless clients cluster Cluster configuration configuration-persistence Enable persistence of configuration across reloads (startup configfile) contact Configure the contact controller WLAN controller configuration country-code Configure the country of operation critical-resource Critical Resource crypto Encryption related commands database Database command device-upgrade Device firmware upgrade dot1x 802.1X dpi Enable Deep-Packet-Inspection

(Application Assurance) dscp-mapping Configure IP DSCP to 802.1p priority mapping for untagged frames email-notification Email notification configuration enforce-version Check the firmware versions of devices before interoperating environmental-sensor Environmental Sensors Configuration events System event messages export Export a file file-sync File sync between controller and adoptees floor Set the floor within a area where the system is located geo-coordinates Configure geo coordinates for this device gre GRE protocol hostname Set system's network name http-analyze Specify HTTP-Analysis configuration interface Select an interface to configure ip Internet Protocol (IP) ipv6 Internet Protocol version 6 (IPv6) l2tpv3 L2tpv3 protocol l3e-lite-table L3e lite Table layout-coordinates Configure layout coordinates for this device led Turn LEDs on/off on the device led-timeout Configure the time for the led to turn off after the last radio state change legacy-auto-downgrade Enable device firmware to auto downgrade when other legacy devices are detected legacy-auto-update Auto upgrade of legacy devices license License management command lldp Link Layer Discovery Protocol load-balancing Configure load balancing parameter location Configure the location logging Modify message logging facilities mac-address-table MAC Address Table mac-auth 802.1X mac-name Configure MAC address to name mappings management-server Configure management server address memory-profile Memory profile to be used on the Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 572 GLOBAL CONFIGURATION COMMANDS device meshpoint-device Configure meshpoint device parameters meshpoint-monitor-interval Configure meshpoint monitoring interval min-misconfiguration-recovery-time Check controller connectivity after configuration is received mint MiNT protocol mirror Mirroring misconfiguration-recovery-time Check controller connectivity after configuration is received mpact-server MPACT server configuration neighbor-inactivity-timeout Configure neighbor inactivity timeout neighbor-info-interval Configure neighbor information exchange interval no Negate a command or set its defaults noc Configure the noc related setting nsight NSight ntp Ntp server WORD offline-duration Set duration for which a device remains unadopted before it generates offline event override Override a command override-wlan Configure RF Domain level overrides for wlan power-config Configure power mode preferred-controller-group Controller group this system will prefer for adoption preferred-tunnel-controller Tunnel Controller Name this system will prefer for tunneling extended vlan traffic radius Configure device-level radius authentication parameters raid RAID remove-override Remove configuration item override from the device (so profile value takes effect) rf-domain-manager RF Domain Manager router Dynamic routing rsa-key Assign a RSA key to a service sensor-server AirDefense sensor server configuration slot PCI expansion Slot spanning-tree Spanning tree timezone Configure the timezone traffic-class-mapping Configure IPv6 traffic class to 802.1p priority mapping for untagged frames trustpoint Assign a trustpoint to a service tunnel-controller Tunnel Controller group this controller belongs to use Set setting to use vrrp VRRP configuration vrrp-state-check Publish interface via OSPF/BGP only if the interface VRRP state is not BACKUP wep-shared-key-auth Enable support for 802.11 WEP shared key authentication clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 573 GLOBAL CONFIGURATION COMMANDS previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-device-11-22-33-44-55-66)#

vx-0099CC(config-device-00-0C-29-00-99-CC)~*#license ?

WORD Feature name (AP/AAP/ADSEC/HTANLT/VX) for which license is to be added vx-0099CC(config-device-00-0C-29-00-99-CC)~*#license vx 80ee9649eddc94b48b5a35d7 eaf8e73b376a51649291714d04c84769b0fc4b3766816878d2739c24 vx-0099CC(config-device-00-0C-29-00-99-CC)~*#com wr Jan 16 13:48:11 2014: vx-0099CC : %SYSTEM-6-CONFIG_COMMIT: Configuration commit by user 'root' (mapsh) from 'Console'

Jan 16 13:48:11 2014: vx-0099CC : %SYSTEM-6-CONFIG_REVISION: Configuration revision updated to 9 from 8 Jan 16 13:48:12 2014: vx-0099CC : %LICMGR-6-LIC_INSTALLED: VX license installed

[OK]

vx-0099CC(config-device-00-0C-29-00-99-CC)~*#Jan 16 13:48:12 2014: vx-0099CC :

%SYSTEM-6-CONFIG_REVISION: Configuration revision updated to 10 from 9 vx-0099CC(config-device-00-0C-29-00-99-CC)~*#

vx-0099CC(config-device-00-0C-29-00-99-CC)~*#

vx-0099CC(config-device-00-0C-29-00-99-CC)~*#sh licenses Serial Number : 000C290099CCC0A80001 WARNING: Recommended minimum system resource requirements not met for the current license pack or cluster configs. Please check user guide and reconfigure the system Device Licenses:

AP-LICENSE String :

Value : 10240 AAP-LICENSE String :

Value : 10240 ADVANCED-SECURITY String : DEFAULT-ADV-SEC-LICENSE VX-LICENSE String :

80ee9649eddc94b48b5a35d7eaf8e73b376a51649291714d04c84769b0fc4b3766816878d2739c24 Cluster Licenses:

AP-LICENSE Value : 10240 Used : 0 AAP-LICENSE Value : 10240 Used : 0 Cluster MAX AP Capacity:

Value : 10240 Used : 0 Active Members:

--------------------------------------------------------------------------------

-------------------

MEMBER SERIAL LIC TYPE VALUE BORROWED TOTAL NO.APS NO.AAPS

--------------------------------------------------------------------------------

-------------------

00-0C-29-00-99-CC 000C290099CCC0A80001 AP 10240 0 10240 0 0 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 574 GLOBAL CONFIGURATION COMMANDS 00-0C-29-00-99-CC 000C290099CCC0A80001 AAP 10240 0 10240 -

-

--------------------------------------------------------------------------------

-------------------

vx-0099CC(config-device-00-0C-29-00-99-CC)~*#

Related Commands no Removes a VX9000 wireless controller Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 575 5 COMMON COMMANDS This chapter describes the CLI commands used in the USER EXEC, PRIV EXEC, and GLOBAL CONFIG modes. The PRIV EXEC command set contains commands available within the USER EXEC mode. Some commands can be entered in either mode. Commands entered in either the USER EXEC or PRIV EXEC mode are referred to as EXEC mode commands. If a user or privilege is not specified, the referenced command can be entered in either mode. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 1 COMMON COMMANDS 5.1 Common Commands COMMON COMMANDS The following table summarizes commands common to the User Exec, Priv Exec, and Global Config modes:

Table 5.1 Commands Common to Controller CLI Modes Command Description Reference clrscr commit exit help no revert service show write Clears the display screen Commits (saves) changes made in the current session Ends and exits the current mode and moves to the PRIV EXEC mode Displays the interactive help system Negates a command or reverts values to their default settings Reverts changes to their last saved configuration Invokes service commands to troubleshoot or debug (config-if) instance configurations page 5-58 Displays running system information Writes the systems running configuration to memory or to the terminal page 5-60 page 5-3 page 5-4 page 5-5 page 5-6 page 5-9 page 5-12 page 5-13 NOTE: The input parameter <HOSTNAME> cannot include an underscore character. In other words, a devices hostname cannot contain an underscore. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 2 COMMON COMMANDS 5.1.1 clrscr Common Commands Clears the screen and refreshes the prompt, irrespective of the mode Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax clrscr Parameters None Example The terminal window or screen before the clrscr command is executed:

rfs4000-229D58#device-upgrade ?

DEVICE-NAME Name/MAC address of device all Upgrade all devices ap650 Upgrade AP650 Device ap6511 Upgrade AP6511 Device ap6521 Upgrade AP6521 Device ap6522 Upgrade AP6522 Device ap6532 Upgrade AP6532 Device ap6562 Upgrade AP6562 Device ap71xx Upgrade AP7161 Device ap7502 Upgrade AP7502 Device ap7522 Upgrade AP7522 Device ap7532 Upgrade AP7532 Device ap7562 Upgrade AP7562 Device ap81xx Upgrade AP81XX Device ap82xx Upgrade AP82XX Device ap8432 Upgrade AP8432 Device ap8533 Upgrade AP8533 Device cancel-upgrade Cancel upgrading the device load-image Load the device images to controller for device-upgrades rf-domain Upgrade all devices belonging to an RF Domain rfs4000 Upgrade RFS4000 Device rfs4000-229D58#

The terminal window or screen after the clrscr command is executed:

rfs4000-229D58#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 3 COMMON COMMANDS 5.1.2 commit Common Commands Commits changes made in the active session. Use the commit command to save and invoke settings entered during the current transaction. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax commit {write}{memory}

Parameters commit {write}{memory}

write memory Optional. Commits changes made in the current session Optional. Writes to memory. This option ensures current changes persist across reboots. Example nx9500-6C8809#commit write memory

[OK]

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 4 COMMON COMMANDS 5.1.3 exit Common Commands The exit command works differently in the User Exec, Priv Exec, and Global Config modes. In the Global Config mode, it ends the current mode and moves to the previous mode, which is Priv Exec mode. The prompt changes from (config)# to #. When used in the Priv Exec and User Exec modes, the exit command ends the current session, and connection to the terminal device is terminated. If the current session has changes that have not been committed, the system prompts you to either do a commit or a revert before terminating the session. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax exit Parameters None Example nx9500-6C8809(config)#exit nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 5 COMMON COMMANDS 5.1.4 help Common Commands Describes the interactive help system Use this command to access the advanced help feature. Use ? anytime at the command prompt to access the help topic. Two kinds of help are provided:

Full help is available when ready to enter a command argument Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (for example 'show ve?'). Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax help {search}

help {search <WORD>} {detailed|only-show|skip-no|skip-show}

Parameters help {search <WORD>} {detailed|only-show|skip-no|skip-show}

search <WORD>

detailed only-show skip-no skip-show Optional. Searches for CLI commands related to a specified target term

<WORD> Specify a target term (for example, a feature or a configuration parameter). After specifying the term, select one of the following options: detailed, only-show, skip-no, or skip-show. The system displays information based on the option selected. Optional. Searches and displays help strings in addition to mode and commands Optional. Displays only show commands. Does not display configuration commands Optional. Displays only configuration commands. Does not display no commands Optional. Displays only configuration commands. Does not display show commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 6 COMMON COMMANDS Example nx9500-6C8809>help search crypto detailed found more than 64 references, showing the first 64 Context : Command Command : clear crypto ike sa (A.B.C.D|all)(|on DEVICE-NAME)

\ Clear

\ Encryption Module

\ IKE SA

\ Flush IKE SAs

\ Flush IKE SAs for a given peer

\ Flush all IKE SA

\ On AP/Controller

\ AP/Controller name

: clear crypto ipsec sa(|on DEVICE-NAME)

\ Clear

\ Encryption Module

\ IPSec database

\ Flush IPSec SAs

\ On AP/Controller

\ AP/Controller name

: crypto key export rsa WORD URL (passphrase WORD|) (background|) ...

\ Encryption related commands

--More--

nx9500-6C8809>

nx9500-6C8809>help search crypto only-show Context : Command Command : show crypto cmp request status(|on DEVICE-NAME)

: show crypto ike sa (version 1|version 2|)(peer A.B.C.D|) (detail...

: show crypto ipsec sa (peer A.B.C.D|) (detail|) (|on DEVICE-NAME...

: show crypto key rsa (|public-key-detail) (|on DEVICE-NAME)

: show crypto pki trustpoints (WORD|all|)(|on DEVICE-NAME) nx9500-6C8809>

nx9500-6C8809>help search service skip-show found more than 64 references, showing the first 64 Context : Command Command : service block-adopter-config-update

: service clear adoption history(|on DEVICE-NAME)

: service clear captive-portal-page-upload history (|(on DOMAIN-NA...

: service clear command-history(|on DEVICE-NAME)

: service clear device-upgrade history (|on DOMAIN-NAME)

: service clear noc statistics

: service clear reboot-history(|on DEVICE-NAME)

: service clear unsanctioned aps (|on DEVICE-OR-DOMAIN-NAME)

: service clear upgrade-history(|on DEVICE-NAME)

: service clear web-filter cache(|on DEVICE-NAME)

: service clear wireless ap statistics (|(AA-BB-CC-DD-EE-FF)) (|on...

: service clear wireless client statistics (|AA-BB-CC-DD-EE-FF) (|...

: service clear wireless controller-mobility-database

: service clear wireless dns-cache(|on DEVICE-OR-DOMAIN-NAME)

: service clear wireless radio statistics (|(DEVICE-NAME (|<1-3>))...

: service clear wireless wlan statistics (|WLAN) (|on DEVICE-OR-DO...

: service clear xpath requests (|<1-100000>)

: service show block-adopter-config-update

: service show captive-portal servers(|on DEVICE-NAME)

: service show captive-portal user-cache(|on DEVICE-NAME)

: service show cli nx9500-6C8809>

--More--

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 7 COMMON COMMANDS nx9500-6C8809>help search mint only-show Found 25 references for "mint"

Context : Command Command : show debugging mint (|on DEVICE-OR-DOMAIN-NAME)

: show mint config(|on DEVICE-NAME)

: show mint dis (|details)(|on DEVICE-NAME)

: show mint id(|on DEVICE-NAME)

: show mint info(|on DEVICE-NAME)

: show mint known-adopters(|on DEVICE-NAME)

: show mint links (|details)(|on DEVICE-NAME)

: show mint lsp

: show mint lsp-db (|details AA.BB.CC.DD)(|on DEVICE-NAME)

: show mint mlcp history(|on DEVICE-NAME)

: show mint mlcp(|on DEVICE-NAME)

: show mint neighbors (|details)(|on DEVICE-NAME)

: show mint route(|on DEVICE-NAME)

: show mint stats(|on DEVICE-NAME)

: show mint tunnel-controller (|details)(|on DEVICE-NAME)

: show mint tunneled-vlans(|on DEVICE-NAME)

: show wireless mint client (|on DEVICE-OR-DOMAIN-NAME)

: show wireless mint client portal-candidates(|(DEVICE-NAME (|<1-3...

: show wireless mint client statistics (|on DEVICE-OR-DOMAIN-NAME)...

: show wireless mint client statistics rf (|on DEVICE-OR-DOMAIN-NA...

: show wireless mint detail (|(DEVICE-NAME (|<1-3>))) (|(filter {|...

: show wireless mint links (|on DEVICE-OR-DOMAIN-NAME)

: show wireless mint portal (|on DEVICE-OR-DOMAIN-NAME)

: show wireless mint portal statistics (|on DEVICE-OR-DOMAIN-NAME)...

: show wireless mint portal statistics rf (|on DEVICE-OR-DOMAIN-NA... nx9500-6C8809>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 8 COMMON COMMANDS 5.1.5 no Common Commands Negates a command or sets its default. Though the no command is common to the User Exec, Priv Exec, and Global Config modes, it negates a different set of commands in each mode. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no <PARAMETERS>

Parameters no <PARAMATERS>

no <PARAMETERS>

The no command is common across all configuration modes and sub modes. It resets or reverts settings based on the mode in which executed. For example, when executed in the AAA policy configuration mode, it allows you to reset or revert a specific AAA policy settings. Similarly, when executed in the global configuration mode, it only resets or reverts settings configured in the global configuration mode. Usage Guidelines The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated. Example Global Config mode: No command options rfs6000-81742D(config)##no ?

aaa-policy Delete a aaa policy aaa-tacacs-policy Delete a aaa tacacs policy alias Alias ap621 Delete an AP621 access point ap622 Delete an AP622 access point ap650 Delete an AP650 access point ap6511 Delete an AP6511 access point ap6521 Delete an AP6521 access point ap6522 Delete an AP6522 access point ap6532 Delete an AP6532 access point ap6562 Delete an AP6562 access point ap71xx Delete an AP71XX access point ap7502 Delete an AP7502 access point ap7522 Delete an AP7522 access point ap7532 Delete an AP7532 access point ap7562 Delete an AP7562 access point ap81xx Delete an AP81XX access point ap82xx Delete an AP82XX access point ap8432 Delete an AP8432 access point ap8533 Delete an AP8533 access point application Delete an application application-group Delete an application-group application-policy Delete an application policy association-acl-policy Delete an association-acl policy auto-provisioning-policy Delete an auto-provisioning policy bgp BGP Configuration bonjour-gw-discovery-policy Disable Bonjour Gateway discovery policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 9 COMMON COMMANDS bonjour-gw-forwarding-policy Disable Bonjour Gateway Forwarding policy bonjour-gw-query-forwarding-policy Disable Bonjour Gateway Query Forwarding policy captive-portal Delete a captive portal client-identity Client identity (DHCP Device Fingerprinting) client-identity-group Client identity group (DHCP Fingerprint Database) crypto-cmp-policy CMP policy customize Restore the custom cli commands to default device Delete multiple devices device-categorization Delete device categorization object dhcp-server-policy DHCP server policy dhcpv6-server-policy DHCPv6 server related configuration dns-whitelist Delete a whitelist object event-system-policy Delete a event system policy ex3500 Ex3500 device ex3500-management-policy Delete a ex3500 management policy ex3500-qos-class-map-policy Delete a ex3500 qos class-map policy ex3500-qos-policy-map Delete a ex3500 qos policy-map ex3524 Delete an EX3524 wireless controller ex3548 Delete an EX3548 wireless controller firewall-policy Configure firewall policy global-association-list Delete a global association list igmp-snoop-policy Remove device onboard igmp snoop policy inline-password-encryption Disable storing encryption key in the startup configuration file ip Internet Protocol (IP) ipv6 Internet Protocol version 6 (IPv6) ipv6-router-advertisement-policy IPv6 Router Advertisement related configuration l2tpv3 Negate a command or set its defaults mac MAC configuration management-policy Delete a management policy meshpoint Delete a meshpoint object meshpoint-qos-policy Delete a mesh point QoS configuration policy nac-list Delete an network access control list nsight-policy Delete a nsight policy passpoint-policy Delete a passpoint configuration policy password-encryption Disable password encryption in configuration profile Delete a profile and all its associated configuration radio-qos-policy Delete a radio QoS configuration policy radius-group Local radius server group configuration radius-server-policy Remove device onboard radius policy radius-user-pool-policy Configure Radius User Pool rf-domain Delete one or more RF-domains and all their associated configurations rfs4000 Delete an RFS4000 wireless controller rfs6000 Delete an RFS6000 wireless controller roaming-assist-policy Delete a roaming-assist policy role-policy Role based firewall policy route-map Dynamic routing route map Configuration routing-policy Policy Based Routing Configuratino rtl-server-policy Delete a rtl server policy schedule-policy Delete a schedule policy sensor-policy Delete a sensor policy smart-rf-policy Delete a smart-rf-policy t5 Delete an T5 DSL switch url-filter Delete a url filter url-list Delete a URL list web-filter-policy Delete a web filter policy wips-policy Delete a wips policy wlan Delete a wlan object Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 10 COMMON COMMANDS wlan-qos-policy Delete a wireless lan QoS configuration policy service Service Commands rfs6000-81742D(config)#

Priv Exec mode: No command options rfs6000-81742D#no ?

adoption Reset adoption state of the device (& all devices adopted to it) captive-portal Captive portal commands cpe T5 CPE configuration crypto Encryption related commands debug Debugging functions logging Modify message logging facilities page Toggle paging service Service Commands terminal Set terminal line parameters upgrade Remove a patch wireless Wireless Configuration/Statistics commands rfs6000-81742D#

user Exec mode: No command options rfs6000-81742D>no ?

adoption Reset adoption state of the device (& all devices adopted to it) captive-portal Captive portal commands crypto Encryption related commands debug Debugging functions logging Modify message logging facilities page Toggle paging service Service Commands terminal Set terminal line parameters wireless Wireless Configuration/Statistics commands rfs6000-81742D>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 11 COMMON COMMANDS 5.1.6 revert Common Commands Reverts changes made, in the current session, to their last saved configuration Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax revert Parameters None Example nx9500-6C8809>revert nx9500-6C8809>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 12 COMMON COMMANDS 5.1.7 service Common Commands Service commands are used to view and manage configurations. The service commands and their corresponding parameters vary from mode to mode. The User Exec mode and Priv Exec mode commands provide same functionalities with a few minor changes. The Global Config service command sets the size of history files. It also enables viewing the current modes CLI tree. This section consists of the following sub-sections:

Syntax (User Exec Mode) Syntax (Privilege Exec Mode) Syntax (Privilege Exec Mode: NX9500 and NX9510) Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax (User Exec Mode) service [block-adopter-config-update|clear|cli-tables-skin|cluster|database|

delete-offline-aps|force-send-config|force-update-vm-stats|guest-registration|

load-balancing|load-ssh-authorized-keys|locator|nsight|radio|radius|

request-full-config-from-adopter|set|show|smart-rf|ssm|snmp|syslog|wireless]

service [block-adopter-config-update|request-full-config-from-adopter]

service clear [adoption|captive-portal-page-upload|command-history|device-

upgrade|diag|dpi|file-sync|noc|reboot-history|unsanctioned|upgrade-history|

virtual-machine-history|web-filter|wireless|xpath]

service clear adoption history {on <DEVICE-NAME>}

service clear device-upgrade history {on <DOMAIN-NAME>}

service clear dpi [all|app|app-category] stats {on <DEVICE-OR-DOMAIN-NAME>}

service clear diag pkts service clear file-sync history {on <DOMAIN-NAME>}

service clear captive-portal-page-upload history {on <DOMAIN-NAME>}

service clear [command-history|reboot-history|upgrade-history|virtual-machine-

history] {on <DEVICE-NAME>}

service clear noc statistics service clear unsanctioned aps {on <DEVICE-OR-DOMAIN-NAME>}

service clear web-filter cache {on <DEVICE-NAME>}

service clear wireless [ap|client|controller-mobility-database|dns-

cache|radio|wlan]

service clear wireless controller-mobility-database service clear wireless [ap|client] statistics {<MAC>} {(on <DEVICE-OR-DOMAIN-

NAME>)}

service clear wireless dns-cache on {(on <DEVICE-OR-DOMAIN-NAME)}

service clear wireless radio statistics {<MAC/HOSTNAME>} {<1-3>} {(on <DEVICE-OR-

DOMAIN-NAME>)}

service clear wireless wlan statistics {<WLAN-NAME>} {(on <DEVICE-OR-DOMAIN-NAME)}

service clear xpath requests {<1-100000>}

service cli-tables-skin [ansi|hashes|minimal|none|percent|stars|thick|thin|utf-8]

{grid}

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 13 COMMON COMMANDS service cluster force [active|configured-state|standby]

service database [authentication|start-shell]

service database authentication [create-user|delete-user]

service database authentication create-user username <USER-NAME> password

<PASSWORD>

service database authentication delete-user username <USER-NAME>

Note, the other service > database command options are documented latter in this section under the (Privilege Exec Mode) section. service database start-shell service delete-offline-aps [all|offline-for]

service delete-offline-aps offline-for days <0-999> {time <TIME>}

service force-send-config {on <DEVICE-OR-DOMAIN-NAME>}

service force-update-vm-stats {on <DEVICE-NAME>}

service guest-registration [backup|delete|export|import]

service guest-registration backup [delete|restore]

service guest-registration delete [all|email <EMAIL-ADD>|group <RAD-GROUP-NAME>|

mac <MAC>|mobile <MOBILE-NUMBER>|name <CLIENT-FULL-NAME>|non-social|offline-for days <1-999>|otp-incomplete-for days <1-999>|social [facebook|google]|

wlan <WLAN-NAME>]

service guest-registration export format [csv|json] <DEST-URL> {(rfdomain <DOMAIN-

NAME>|time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]|wlan <WLAN-NAME>)}

service guest-registration import format <JSON> <SOURCE-URL>

service load-balancing clear-client-capability [<MAC>|all] {on <DEVICE-NAME>}

service load-ssh-authorized-keys <PUBLIC-KEY> {on <DEVICE-NAME>}

service locator {<1-60>} {(on <DEVICE-NAME>)}

service nsight clear-offline [all|offline-for days <0-999> {time <TIME>}]

service radio <1-3> [adaptivity|channel-switch|dfs]

service radio <1-3> adaptivity service radio <1-3> channel-switch <36-196> [160|20|40|80]

service radio <1-3> dfs simulator-radar [extension|primary]

service radius test [<IP>|<HOSTNAME>] [<WORD>|port]

service radius test [<IP>|<HOSTNAME>] <WORD> <USERNAME> <PASSWORD> {wlan <WLAN-

NAME> ssid <SSID>} {(on <DEVICE-NAME>)}

service radius test [<IP>|<HOSTNAME>] port <1024-65535> <WORD> <USERNAME>

<PASSWORD> {wlan <WLAN-NAME> ssid <SSID>} {(on <DEVICE-NAME>)}

service set validation-mode [full|partial] {on <DEVICE-NAME>}

service show [block-adopter-config-update|captive-portal|cli|client-identity-

defaults|command-history|configuration-revision|crash-info|dhcp-lease|diag|fast-

switching|fib|fib6|guest-registration|info|ip-access-list|mac-vendor|mem|mint|

noc|nsight|pm|process|reboot-history|rf-domain-manager|sites|snmp|

ssh-authorized-keys|startup-log|sysinfo|top|upgrade-history|virtual-machine-

history|watch-dog|wireless|xpath-history]

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 14 COMMON COMMANDS service show block-adopter-config-update service show captive-portal [log-internal|servers|user-cache]

service show captive-portal log-internal service show captive-portal [servers|user-cache] {on <DEVICE-NAME>}

service show [cli|client-identity-defaults|configuration-revision|mac-vendor

<OUI/MAC>|noc diag|snmp session|xpath-history]

service show [command-history|crash-info|info|mem|process|reboot-history|startup-

log|ssh-authorized-keys|sysinfo|top|upgrade-history|watchdog] {on <DEVICE-NAME>}

service show ip-access-list wlan <WLAN-NAME> status {detail} {on <DEVICE-OR-

DOMAIN-NAME>}

service show dhcp-lease {<INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1} (on <DEVICE-

NAME>)}

service show diag [fds|led-status|pkts|psu|stats]

service show diag [fds|pkts]

service show diag [led-status|psu|stats] {on <DEVICE-NAME>}

service show fast-switching {on <DEVICE-NAME>}

service show [fib|fib6] {table-id <0-255>}

service show guest-registration [export-status|import-status|restore-status]

service show mint [adopted-devices {on <DEVICE-NAME>}|ports]

service show pm {history} {(on <DEVICE-NAME>)}

service show rf-domain-manager [diag|info] {<MAC/HOSTNAME>} {(on <DEVICE-OR-

DOMAIN-NAME>)}

service show sites service show virtual-machine-history {on <DEVICE-NAME>}

service show wireless [aaa-stats|adaptivity-status|client|config-internal|

credential-cache|dns-cache|log-internal|meshpoint|neighbors|radar-status|

radio-internal|reference|stats-client|vlan-usage]

service show wireless [aaa-stats|adaptivity-status|credential-cache|dns-cache|

radar-status|vlan-usage] {on <DEVICE-NAME>}

service show wireless [config-internal|log-internal|neighbors]

service show wireless [client|meshpoint neighbor] proc [info|stats] {<MAC>}

{{on <DEVICE-OR-DOMAIN-NAME>)}

service show wireless radio-internal [radio1|radio2] <LINE>

service show wireless reference [channels|frame|handshake|mcs-rates|reason-codes|

status-codes]

service show wireless stats-client diag {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-

NAME>)}

service smart-rf [clear-config|clear-history|clear-interfering-aps|save-config]

service smart-rf clear-config {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}

service smart-rf [clear-history||clear-interfering-aps|save-config] {on <DOMAIN-

NAME>}

service snmp sysoid wing5 Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 15 COMMON COMMANDS service ssm [dump-core-snapshot|trace]

service ssm trace pattern <WORD> {on <DEVICE-NAME>}

service syslog test {level [<0-7>|alerts|critical|debugging|emergencies|errors|

informational|notifications|warnings]} {(on <DEVICE-NAME>)}

service wireless [client|dump-core-snapshot|meshpoint|qos|trace|unsanctioned|

wips]

service wireless client [beacon-request|quiet-element|trigger-bss-transition|

trigger-wnm]

service wireless client beacon-request <MAC> mode [active|passive|table] ssid

[<SSID>|any] channel-report [<CHANNEL-LIST>|none] {on <DEVICE-NAME>}

service wireless client quiet-element [start|stop]

service wireless client trigger-bss-transition mac <MAC> {timeout <0-65535>} {url

<URL>} {on <DEVICE-OR-DOMAIN-NAME>}

service wireless client trigger-wnm mac <MAC> type [deauth-imminent|subscription-

remediation] {uri <WORD>}

service wireless dump-core-snapshot service wireless meshpoint zl <MESHPOINT-NAME> [on <DEVICE-NAME>] {<ARGS>|timeout

<1-65535>}

service wireless qos delete-tspec <MAC> tid <0-7>

service wireless trace pattern <WORD> {on <DEVICE-NAME>}

service wireless unsanctioned ap air-terminate <MAC> {on <DOMAIN-NAME>}

service wireless wips [clear-client-blacklist|clear-event-history|dump-managed-

config]

service wireless wips clear-client-blacklist [all|mac <MAC>]

service wireless wips clear-event-history {on <DEVICE-OR-DOMAIN-NAME>}

Parameters (User Exec Mode) service service [block-adopter-config-update|request-full-config-from-adopter]

block-adopter-config-

update request-full-config-

from-adopter Blocks the configuration updates sent from the NOC server Configures a request for full configuration updates from the adopter device In an hierarchically managed (HM) network devices are deployed in two levels. The first level consists of the Network Operations Center (NOC) controllers. The second level consists of the site controllers that can be grouped to form clusters. The NOC controllers adopt and manage the site controllers. Access points within the network are adopted and managed by the site controllers. The adopted devices (access points and site controllers) are referred to as the adoptee. The devices adopting the adoptee are the adopters. service clear adoption history {on <DEVICE-NAME>}

clear adoption history Clears adoption history on this device and its adopted access points Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 16 COMMON COMMANDS on <DEVICE-NAME>

Optional. Clears adoption history on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service clear device-upgrade history {on <DOMAIN-NAME>}

clear device-upgrade history on <DOMAIN-NAME> Optional. Clears all firmware upgrade history in a specified RF Domain Clears device upgrade history

<DOMAIN-NAME> Specify the RF Domain name. service clear diag pkts clear diag pkts Clears the looped packets queue logged by the dataplane. The dataplane logs up to 16 looped packets at a time in a separate queue, which has to be manually cleared to make space for new packet logging. For more information on viewing logged looped packet information execute the service > show > diag > pkts command. service clear dpi [all|app|app-category] stats {on <DEVICE-OR-DOMAIN-NAME>}

clear dpi

[all|app|app-category]

stats on <DEVICE-OR-

DOMAIN-NAME>

Clears Deep Packet Inspection (DPI) statistics When enabled, DPI allows application and/or application category recognition. The DPI statistics are maintained by the system for every hit registered by the DPI engine. Use the following filter options to clear all or specific DPI statistics:

all Clears all DPI related (application and app-category) statistics app Clears only application related statistics app-category Clears only app-category related statistics Optional. Clears DPI statistics based on the parameters passed on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the access point, controller, service platform, or RF Domain. service clear file-sync history {on <DOMAIN-NAME>}

clear file-sync history Clears client-bridge certificate synchronization statistics When an AP6522/AP6562 access point is configured as a client bridge, the EAP-TLS X.509 (PKCS#12) certificate is synchronized between the staging-controller and adoptee AP6522/AP6562 client-bridge access points. This command allows you to clear client-bridge certificate synchronization statistics. on <DOMAIN-NAME> Optional. Clears file synchronization history on all devices within a specified RF Domain

<DOMAIN-NAME> Specify the RF Domain name. service clear captive-portal-page-upload history {on <DOMAIN-NAME>}

clear captive-portal-

page-upload history on <DOMAIN-NAME> Optional. Clears captive portal page upload history on a specified RF Domain Clears captive portal page upload history

<DOMAIN-NAME> Specify the RF Domain name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 17 COMMON COMMANDS service clear [command-history|reboot-history|upgrade-history|virtual-machine-

history] {on <DEVICE-NAME>}

clear [command-

history|reboot-history|

upgrade-history]

clear virtual-machine-

history on <DEVICE-NAME>

Clears command history, reboot history, or device upgrade history Clears virtual-machine history on the logged device or a specified device This command is applicable only on the NX9500 and NX9510 series service platforms. Optional. Clears history on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. When executing the clear virtual-machine-history command, provide the name of the service platform running the VMs. service clear noc statistics clear noc statistics Clears Network Operations Center (NOC) applicable statistics counters service clear unsanctioned aps {on <DEVICE-OR-DOMAIN-NAME>}

clear unsanctioned aps on <DEVICE-OR-

DOMAIN-NAME>

Clears the unsanctioned APs list Optional. Clears the unsanctioned APs list on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. service clear wireless [ap|client] {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

clear wireless

[ap|client] statistics Clears wireless statistics counters based on the parameters passed ap statistics Clears applicable AP statistics counters client statistics Clears applicable wireless client statistics counters

<MAC>

{on <DEVICE-OR-

DOMAIN-NAME>}

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. The following keywords are common to the ap and client parameters:

<MAC> Optional. Clears statistics counters for a specified AP or client. Specify the AP/client MAC address. on <DEVICE-OR-DOMAIN-NAME> Optional. Clears AP/client statistics counters on a specified device or RF Domain. Specify the name of the AP, wireless controller, service platform, or RF Domain. service clear wireless controller-mobility-database clear wireless controller-mobility-

database Clears the controller assisted mobility database service clear web-filter cache {on <DEVICE-NAME>}

clear web-filter cache Clears the cache used for Web filtering Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 18 COMMON COMMANDS on <DEVICE-NAME>

Optional. Clears the Web filtering cache on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service clear wireless radio statistics {<MAC/HOSTNAME>} {<1-3>}

{(on <DEVICE-OR-DOMAIN-NAME>)}

clear wireless radio statistics

<MAC/HOSTNAME>

<1-3>

Clears applicable wireless radio statistics counters Optional. Specify the MAC address or hostname of the radio, or append the interface number to form the radio ID in the AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX format.

<1-3> Optional. Specify the radio interface index, if not specified as part of the radio ID. on <DEVICE-OR-

DOMAIN-NAME>

Optional. This is a recursive parameter, which clears wireless radio statistics on a specified device or RF Domain. Specify the name of the device.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. service clear wireless wlan statistics {<WLAN-NAME>} {(on <DEVICE-OR-DOMAIN-

NAME>)}

clear wireless wlan statistics

<WLAN-NAME>

on <DEVICE-OR-

DOMAIN-NAME>

Clears WLAN statistics counters Optional. Clears statistics counters on a specified WLAN. Specify the WLAN name. Optional. This is a recursive parameter, which clears WLAN statistics on a specified device or RF Domain. Specify the name of the device.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. service clear xpath requests {<1-100000>}

clear xpath requests

<1-100000>

Clears XPATH related information Clears pending XPATH get requests Optional. Specifies the session number (cookie from show sessions)

<1-100000> Specify the session number from 1 - 100000. Note: Omits clearing the current sessions pending XPATH get requests. service cli-tables-skin [ansi|hashes|minimal|none|percent|stars|thick|thin|utf-

8] {grid}

cli-tables-skin

[ansi|hashes|minimal|

none|percent|stars|

thick|thin|uf-8]

Selects a formatting layout or skin for CLI tabular outputs ansi Uses ANSI characters for borders hashes Uses hashes (#) for borders minimal Uses one horizontal line between title and data rows none Displays space separated items with no decoration percent Uses the percent sign (%) for borders stars Uses asterisks (*) for borders thick Uses thick lines for borders Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 19 COMMON COMMANDS grid thin Uses thin lines for borders utf-8 Uses UTF-8 characters for borders Optional. Uses a complete grid instead of just title lines service cluster force [active|configured-state|standby]

cluster force active configured-state standby Enables cluster protocol management Forces action commands on a cluster (active, configured-state, and standby) Changes the cluster run status to active Restores a cluster to the configured state Changes the cluster run status to standby service database authentication create-user username <USER-NAME> password

<PASSWORD>

database authentication create-

user username <USER-

NAME> password

<PASSWORD>

Performs database related actions This command is supported only on the NX95XX, NX9600, and VX9000 platforms. Creates users having access rights to the database. Execute this command on the database host. However, before creating users, on the database, generate the database keyfile. For more information on generating the keyfile, see database. username <USER-NAME> Configures databse username password <PASSWORD> Configures a password for the username specified above In the database-policy ensure that authentication is enabled and username and password is configured. The database-client-policy also should have the same username and password configured. For more information on database-policy and database-client-policy, see database-policy and database-client-policy. database authentication delete-user username <USER-NAME>

database database authentication delete-

user username <USER-

NAME>

Performs database related actions This command is supported only on the NX95XX, NX9600, and VX9000 platforms. Deletes the username requires to access rights the captive-portal/NSight database username <USER-NAME> Deletes the username identified by the <USER-NAME>

keyword Once deleted, the database cannot be accessed using the specified combination of username and password. service database start-shell database start-shell Performs database related actions This command is supported only on the NX95XX, NX9600, and VX9000 platforms. Starts the database shell service delete-offline-aps all delete-offline-aps all Deletes all off-line access points service delete-offline-aps offline-for days <0-999> {time <TIME>}

delete-offline-aps Deletes off-line access points for a specified interval Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 20 COMMON COMMANDS day <0-999>

time <TIME>

Deletes off-line access points for a specified number of days

<0-999> Specify the number of off-line days from 0 - 999. Optional. Deletes off-line access points for a specified time

<TIME> Specify the time in HH:MM:SS format. service force-send-config {on <DEVICE-OR-DOMAIN-NAME>}

force-send-config on <DEVICE-OR-

DOMAIN-NAME>

Resends configuration to device(s) Optional. Resends configuration to a specified device or all devices in a specified RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. service force-update-vm-stats {on <DEVICE-NAME>}

force-update-vm-stats Forcefully pushes VM statistics on to the NOC on <DEVICE-NAME>

Optional. Executes the command on a specified device

<DEVICE-NAME> Specify the name of the device. service guest-registration backup [delete|restore]

service guest-registration backup

[delete|restore]

Deletes or restores all guest registration backup snapshots based on the parameter passed delete Deletes all guest registration backup snapshots restores Restores all guest registration backup snapshots Note: To view the status of the restore process, use the service > show > guest-registration > restore-status command. service guest-registration delete [all|email <EMAIL-ADD>|group <RAD-GROUP-

NAME>|mac <MAC>|mobile <MOBILE-NUMBER>|name <CLIENT-FULL-NAME>|non-social|

offline-for days <1-999>|wlan <WLAN-NAME>|otp-incomplete-for days <1-999>|

social [facebook|google]

service guest-registration delete

[all|email <EMAIL-

ADD>|group <RAD-

GROUP-NAME>|

mac <MAC>|mobile

<MOBILE-NUMBER>|

name <CLIENT-FULL-

NAME>]|non-social|

offline-for days

<1-999>|wlan <WLAN-

NAME>|otp-incomplete-

for days <1-999>|social

[facebook|google]

Deletes a specified user or all user records from the guest-registration database To delete a specific user, use one of the following options as an identification parameter: email, group, mac, mobile number, name, offline-for, wlan, otp-

incomplete-for, or social. Following are the user filtering options: The user identified by one of the following parameters is deleted from the guest-registration database. email <EMAIL-ADD> Identifies user by the e-mail address

<EMAIL-ADD> Provide the users e-mail address. mac <MAC> Identifies user by the MAC address

<MAC> Provide the users MAC address. group <RAD-GROUP-NAME> Identifies users by their RADIUS group association

<RAD-GROUP-NAME> Specify the RADIUS group name. mobile <MOBILE-NUMBER> Identifies user by the registered mobile number

<MOBILE-NUMBER> Provide the users mobile number. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 21 COMMON COMMANDS name <CLIENT-FULL-NAME> Identifies user by the registered full name

<CLIENT-FULL-NAME> Provide the users full name. non-social Identifies users that have not registered through social authentication offline-for days <1-999> Filters users who have not accessed the network for a specified number of days days <1-999> Specify the number of days from 1 - 999. wlan <WLAN-NAME> Identifies users accessing a specified WLAN

<WLAN-NAME> Specify the WLAN name. otp-incomplete-for days <1-999> Identifies records of users that have not used their one-time-password (OTP) to complete registration within a specified number of days days <1-999> Specify the number of days from 1 - 999. social [facebook|google] Identifies users using either Facebook or Google credentials to access the network facebook Identifies users using Facebook authentication google Identifies users using Google authentication service guest-registration export format [csv|json] <DEST-URL> {(rfdomain

<DOMAIN-NAME>|time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]|wlan <WLAN-

NAME>)}

service guest-registration export format [csv|json]

<DEST-URL>

Exports guest registration user data files in the Comma-Separated Values (CSV) or JavaScript Object Notation (JSON) format Use the rfdomain, wlan, and time options to filter users for a specified RF Domain, WLAN, and/or time period. These are recursive parameters and you can apply all or any of these three filters. Specifies the file format. The options are:

csv Exports user data files in the CSV format json Exports user data files in the JSON format Configures the destination URL. The files are exported to the specified location. Both IPv4 and IPv6 address formats are supported. IPv4 URLs:

tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file IPv6 URLs:

tftp://<hostname|[IPv6]>[:port]/path/file ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file rfdomain

<DOMAIN-NAME>

wlan

<WLAN-NAME>

Optional. Filters user data based on RF Domain name. Only the filtered data are exported.

<DOMAIN-NAME> Specify the RF Domain name. Optional. Filters user data based on WLAN name. Only the filtered data are exported.

<WLAN-NAME> Specify the WLAN name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 22 COMMON COMMANDS time [1-Day|1-Month|

1-Week|2-Hours|

30-Mins|5-Hours|all]

Optional. Filters user data for a specified time period. Only the filtered data are exported. 1-Day Filters and exports previous days data 1-Month Filters and exports previous months data 1-Week Filters and exports previous weeks data 2-Hours Filters and exports last 2 hours data 30-Mins Filters and exports last 30 minutes data 5-Hours Filters and exports last 5 hours data all Exports the entire database service guest-registration import format json <SOURCE-URL>

service guest-registration import format json

<SOURCE-URL>

Imports user data from a specified location Specifies the file format json Imports user data files in the JSON format Configures the Source URL. The files are imported from the specified location. Both IPv4 and IPv6 address formats are supported. IPv4 URLs:

tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>:<passwd>@<hostname|IP>[:port]>/path/file IPv6 URLs:

tftp://<hostname|[IPv6]>[:port]/path/file ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]>/path/file service load-balancing clear-client-capability [<MAC>|all] {on <DEVICE-NAME>}

load-balancing clear-client-capability

[<MAC>|all]

on <DEVICE-NAME>

Enables wireless load balancing by clearing client capability records Clears a specified client or all clients capability records

<MAC> Clears capability records of a specified client. Specify the clients MAC address in the AA-BB-CC-DD-EE-FF format. all Clears the capability records of all clients Optional. Clears client capability records on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service load-ssh-authorized-keys <PUBLIC-KEY> {on <DEVICE-NAME>}

load-ssh-authorized-

keys

<PUBLIC-KEY>

on <DEVICE-NAME>

Loads SSH public (client) key on a device Enter the public key. The public key should be in the OpenSSH rsa/dsa format. Optional. Loads the specified public key on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 23 COMMON COMMANDS service locator {<1-60>} {(on <DEVICE-NAME>)}

locator

<1-60>

on <DEVICE-NAME>

Enables LEDs Sets LED flashing time from 1 - 60 seconds. The following keyword is recursive and common to the <1-60> parameter:

on <DEVICE-NAME> Optional. Enables LEDs on a specified device

<DEVICE-NAME> Specify name of the AP, wireless controller, or service plat-

form. service nsight clear-offline [all|offline-for days <0-999> {time <TIME>}]

Clears NSight data received from offline controllers, based on the parameters passed. Select one of the following options:

all Clears NSight data received from all offline controllers offline-for days <0-999> time <TIME> Clears NSight data received from controllers nsight clear-offline

[all|offline-for days <0-999>

{time <TIME>}]

that have been offline for a specified time period days <0-999> Specifies the number of days controllers have been offline

<0-999> Specify the number of days from 0 - 999 days. Select 0 to identify controllers offline less than 24 hours. time <TIME> Optional. Specifies the total time for which controllers have been offline

<TIME> Specify the time in HH:MM:SS format. Note: This command is applicable only to the NX95XX, NX9600, and VX9000 platforms. service radio <1-3> adaptivity radio <1-3>

adaptivity Configures radios parameters

<1-3> Specify the radio index from 1 - 3. Simulates the presence of interference on the current channel service radio <1-3> channel-switch <36-196> [160|20|40|80|80-80]

radio <1-3>

channel-switch

<36-196>

[160|20|40|80|

80-80]

Configures radios parameters

<1-3> Specify the radio index from 1 - 3. Enables channel switching

<36-196> Specifies the channel to switch to from 36 - 196. 160|20|40|80|80-80] Specifies the bandwidth for the above specified channel. Select the appropriate option. service radio <1-3> dfs simulate-radar [extension|primary]

radio <1-3>

dfs simulate-radar

[extension|primary]

Configures radios parameters

<1-3> Specify the radio index from 1 - 3. Enables Dynamic Frequency Selection (DFS) Simulates the presence of a radar on a channel. Select the channel type from the following options:

extension Simulates a radar on the radios current extension channel primary Simulates a radar on the radios current primary channel Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 24 COMMON COMMANDS service radius test [<IP>|<HOSTNAME>] <WORD> <USERNAME> <PASSWORD> {wlan <WLAN-

NAME> ssid <SSID>} {(on <DEVICE-NAME>)}

radius test

[<IP>|<HOSTNAME>]

<WORD>

<USERNAME>

<PASSWORD>

wlan <WLAN-NAME>

ssid <SSID>

on <DEVICE-NAME>

Tests RADIUS servers account. This command sends an access-request packet to the RADIUS server. Use this command to confirm time and data/bandwidth parameters for valid wireless clients. test Tests the RADIUS servers account with user provided parameters Sets the RADIUS servers IP address or hostname

<IP> Specifies the RADIUS servers IP address

<HOSTNAME> Specifies the RADIUS servers hostname Specify the RADIUS servers shared secret. Specify username for authentication. Specify the password. Optional. Tests the RADIUS server on the local WLAN. Specify the local WLAN name. ssid <SSID> Specify the local RADIUS servers SSID. Optional. This is a recursive parameter also applicable to the WLAN parameter. Performs tests on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service radius test [<IP>|<HOSTNAME>] port <1024-65535> <WORD> <USERNAME>

<PASSWORD> {wlan <WLAN-NAME> ssid <SSID>} {(on <DEVICE-NAME>)}

radius test

[<IP>|<HOSTNAME>]

port <1024-65535>

<WORD>

<USERNAME>

<PASSWORD>

wlan <WLAN-NAME>

ssid <SSID>

on <DEVICE-NAME>

Tests a RADIUS servers account. This command sends an access-request packet to the RADIUS server. Use this command to confirm time and data/bandwidth parameters for valid wireless clients. test Tests the RADIUS servers account with user provided parameters Sets the IP address or hostname of the RADIUS server

<IP> Specify the RADIUS servers IP address.

<HOSTNAME> Specify the RADIUS servers hostname. Specify the RADIUS server port from 1024 - 65535. The default port is 1812. Specify the RADIUS servers shared secret. Specify username for authentication. Specify the password. Optional. Tests the RADIUS server on the local WLAN. Specify the local WLAN name. ssid <SSID> Specify the RADIUS servers SSID. Optional. This is a recursive parameter also applicable to the WLAN parameter. Performs tests on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service set validation-mode [full|partial] {on <DEVICE-NAME>}

Sets the validation mode for running configuration validation set Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 25 COMMON COMMANDS validation-mode

[full|partial]

on <DEVICE-NAME>

Sets the validation mode full Performs a full configuration validation partial Performs a partial configuration validation Optional. Performs full or partial configuration validation on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service show block-adopter-config-update show block-adopter-config-

update Displays running system statistics based on the parameters passed Displays NOC configuration blocking status service show captive-portal log-internal show captive-portal log-internal Displays running system statistics based on the parameters passed Displays captive portal information Displays recent captive portal debug logs (information and above severity level) service show captive-portal [servers|user-cache] {on <DEVICE-NAME>}

show captive-portal servers user-cache on <DEVICE-NAME>

Displays running system statistics based on the parameters passed Displays captive portal information Displays server information for active captive portals Displays cached user details for a captive portal Optional. Displays server information or cached user details on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service show [cli|client-identity-defaults|configuration-revision|mac-user-

import-status|mac-vendor <OUI/MAC>|noc diag|snmp session|xpath-history]

Displays running system statistics based on the parameters passed Displays CLI tree of the current mode Displays default client-identities and their configuration show cli client-identity-

defaults configuration-revision Displays current configuration revision number mac-user-import-

status mac-vendor

<OUI/MAC>

Displays status of file import initiated by a MAC-user Displays vendor name for a specified MAC address or Organizationally Unique Identifier (OUI) part of the MAC address

<OUI/MAC> Specify the MAC address or its OUI. The first six digits of the MAC address is the OUI. Use the AABBCC or AA-BB-CC format to provide the OUI. noc diag snmp session xpath-history Displays NOC diagnostic details Displays SNMP session details Displays XPath history Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 26 COMMON COMMANDS service show [command-history|crash-info|info|mem|process|reboot-history|

startup-log|ssh-authorized-keys|sysinfo|top|upgrade-history|watchdog] {on

<DEVICE-NAME>}

show command-history crash-info info mem process reboot-history startup-log ssh-authorized-keys sysinfo top upgrade-history watchdog on <DEVICE-NAME>

Displays running system statistics based on the parameters passed Displays command history (lists all commands executed) Displays information about core, panic, and AP dump files Displays snapshot of available support information Displays a systems current memory usage (displays the total memory and available memory) Displays active system process information (displays all processes currently running on the system) Displays the devices reboot history Displays the devices startup log Displays all devices (device hostnames) that have ssh authorized keys loaded Displays systems memory usage information Displays system resource information Displays the devices upgrade history (displays details, such as date, time, and status of the upgrade, old version, new version, etc.) Displays the devices watchdog status The following keywords are common to all of the above:

on <DEVICE-NAME> Optional. Displays information for a specified device. If no device is specified, the system displays information for logged device(s)

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. service show ip-access-list wlan <WLAN-NAME> status {detail} {on <DEVICE-OR-

DOMAIN-NAME>}

show ip-access-list wlan <WLAN-NAME>

status detail Displays status of IP Access Control List (ACL) to WLAN mappings on a specified device or all devices within a specified RF Domain. This command also displays if IP ACLs are properly applied in the dataplane. Specifies the WLAN, for which the IP ACL to WLAN mapping status is required

<WLAN-NAME> Specify the WLAN name. Displays only failed IP ACL to WLAN mappings details Optional. Displays all (failed as well as successful) IP ACL to WLAN mapping status on <DEVICE-OR-

DOMAIN-NAME>

Optional. Specifies the device name or the RF Domain name.

<DEVICE-OR-DOMAIN-NAME> Specify the device name or the RF Domain. When specified, the system displays IP ACL to WLAN mapping status on the specified device or all devices within the specified RF Domain. service show dhcp-lease {<INTERFACE-NAME>|on|pppoe1|vlan <1-4094>|wwan1} {(on

<DEVICE-NAME>)}

show dhcp-lease Displays running system statistics based on the parameters passed Displays DHCP lease information received from the server Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 27 COMMON COMMANDS

<INTERFACE-NAME>

on pppoe1 vlan <1-4094>

wwan1 on <DEVICE-NAME>

Optional. Displays DHCP lease information for a specified router interface

<INTERFACE-NAME> Specify the router interface name. Optional. Displays DHCP lease information for a specified device Optional. Displays DHCP lease information for a PPP over Ethernet interface Optional. Displays DHCP lease information for a VLAN interface

<1-4094> Specify a VLAN index from 1 - 4094. Optional. Displays DHCP lease information for a Wireless WAN interface The following keywords are common to all of the above:

on <DEVICE-NAME> Optional. Displays DHCP lease information for a specified device. If no device is specified, the system displays information for the logged device.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. service show diag [fds|pkts]

show diag fds pkts Displays diagnostic statistics, such as LED status, fan speed, sensor temperature, open file descriptors, looped packets etc. Displays the number of file descriptors (fds) opened by key processes, such as the CFGD. When executed, the command displays only the file name and FD. Displays details of looped packets captured by the dataplane and pushed to a separate queue. These queued packets are written to a log file (named loop_pkt_info.log) available at the /var2/log/ directory. Use the service > start-shell command and enter the path cat /var2/log/ to view if the loop_pkt_info.log file exists. However, looped packet logging has to be enabled in the profile/device context. For more information, see diag. The dataplane can log up to 16 looped packets at a time. Once the queue is full, no new loop packet is logged until the existing queue is cleared. To clear the logged looped packet queue execute the service > clear > diag > pkts command. Following are the loop codes and the corresponding loop reasons:

(5) - "pkt looping in dataplane"

(51) - "loop in packet path"

(367) - "wispe encapsulation loop"

(432) - "mcx loop prevention"

(532) - "Port loop detected"

(536) - "packet loop detected by wireless bridge"

(41) - "IPv4 TTL exceeded"

(493) - "IPv6 TTL exceeded"

(540) - "mint TTL exceeded"

service show diag [led-status|psu|stats] {(on <DEVICE-NAME>)}

show diag led-status psu Displays running system statistics based on the parameters passed Displays diagnostic statistics, such as LED status, fan speed, and sensor temperature Displays LED state variables and the current state Displays power supply information Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 28 COMMON COMMANDS stats on <DEVICE-NAME>

Displays fan speed and sensor temperature statistics Optional. Displays diagnostic statistics for a specified device. If no device is specified, the system displays information for the logged device.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service show guest-registration [export-status|import-status|restore-status]

show guest-registration export-status import-status export-status Displays running system statistics based on the parameters passed Displays status of the guest-registration database snapshot related processes

(export, import, and restore) Note: To export, import, or restore a guest-registration database, use the service > guest-registration > [backup|export|import] command.]

Displays the status of the latest export process initiated Displays the status of the latest import process initiated Displays the status of the latest restore process initiated service show fast-switching {on <DEVICE-NAME>}

show fast-switching on <DEVICE-NAME>

Displays running system statistics based on the parameters passed Displays fast switching state (enabled or disabled) Optional. Displays fast switching state for a specified device. If no device is specified, the system displays information for the logged device.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service show [fib|fib6] {table-id <0-255>}

show fib fib6 table-id <0-255>

Displays running system statistics based on the parameters passed Displays entries in the Forwarding Information Base (FIB) Displays FIB IPv6 static routing entries The WiNG software allows the IPv6 FIB to maintain only IPv6 static and interface routes. FIB is a collection of routing entries. A route entry consists of IPv6 network (which can also be a host) address, the prefix length for the network (for IPv6 routes this is between 0 - 128), and the next hops (gateway) IPv6 address. Since a destination can be reached through multiple next hops, you can configure multiple routes to the same destination with multiple next hops. Optional. Displays FIB information maintained by the system based on the table ID

<0-255> Specify the table ID from 0 - 255. service show mint [adopted-devices {on <DEVICE-NAME>}|ports]

show mint Displays running system statistics based on the parameters passed Displays MiNT protocol details Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 29 adopted-devices on <DEVICE-NAME>

ports show pm history on <DEVICE-NAME>

COMMON COMMANDS Displays adopted devices status in dpd2 on <DEVICE-NAME> Optional. Displays MiNT protocol details for a specified device. If no device is specified, the system displays information for the logged device.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Displays MiNT ports used by various services and features Displays running system statistics based on the parameters passed Displays the Process Monitor (PM) controlled process details Optional. Displays process change history (the time at which the change was implemented, and the events that triggered the change) Optional. Displays process change history for a specified device. If no device is specified, the system displays information for the logged device.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service show pm {history} {(on <DEVICE-NAME>)}

service show rf-domain-manager [diag|info] {<MAC/HOSTNAME>} {(on <DEVICE-OR-

DOMAIN-NAME>)}

show rf-domain-manager diag info Displays running system statistics based on the parameters passed Displays RF Domain manager information Displays RF Domain manager related diagnostics statistics The following keyword is common to the diag and info parameters:

Displays RF Domain manager related information

<MAC/HOSTNAME> Optional. Specify the MAC address or hostname of the RF Domain manager. on <DEVICE-OR-

DOMAIN-NAME>

The following keyword is common to the diag and info parameters:

Optional. Displays diagnostics statistics on a specified device or domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. service show sites show sites Displays running system statistics based on the parameters passed Displays NOC sites related information service show virtual-machine-history {on <DEVICE-NAME>}

show virtual-machine-

history on <DEVICE-NAME>

Displays virtual machine history based on the parameters passed This command is applicable only to the NX9500, and NX9510 series service platforms. It is also available on the Privilege Executable Mode of these devices. Optional. Displays virtual machine history on a specified device. If no device is specified, the system displays information for the logged device.

<DEVICE-NAME> Specify the name of the service platform. service show wireless [aaa-stats|adaptivity-status|credential-cache|dns-cache|

radar-status|vlan-usage] {on <DEVICE-NAME>}

show Displays running system statistics based on the parameters passed Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 30 COMMON COMMANDS wireless aaa-stats adaptivity-status credential-cache dns-cache radar-status vlan-usage on <DEVICE-NAME>

Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN assignment, etc.) Displays AAA policy statistics Displays the current list of channels (with interference levels exceeding the configured threshold resulting in adaptivity kicking in) and time when adaptivity kicked in on a device Displays clients cached credentials statistics (VLAN, keys, etc.) Displays cache of resolved names of servers related to wireless networking Displays radar discovery status. This option displays following information:

If a radar has been discovered by the AP The time of discovery Displays VLAN statistics across WLANs The following keywords are common to all of the above:

on <DEVICE-NAME> Optional. Displays running system statistics on a specified device. If no device is specified, the system displays information for the logged device.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. service show wireless [config-internal|log-internal|neighbors]

show wireless config-internal log-internal neighbors Displays running system statistics based on the parameters passed Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.) Displays internal configuration parameters Displays recent internal wireless debug logs (info and above severity) Displays neighboring device statistics for roaming and flow migration service show wireless [client|meshpoint neighbor] proc [info|stats] {<MAC>}

{(on <DEVICE-OR-DOMAIN-NAME)}

show wireless client meshpoint neighbor proc info stats Displays running system statistics based on the parameters passed Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.) Displays WLAN client statistics Displays meshpoint related proc entries The following keyword is common to client and meshpoint neighbor parameters:

proc Displays dataplane proc entries based on the parameter selected Note: These proc entries provide statistics on each wireless client on the WLAN. Note: For the meshpoint parameter, it displays proc entries about neighbors. This parameter is common to client and meshpoint neighbor parameters. Displays information for a specified device (wireless client or neighbor) or RF Domain This parameter is common to client and meshpoint neighbor parameters. Displays information for a specified device (wireless client or neighbor) or RF Domain Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 31 COMMON COMMANDS

<MAC>

on <DEVICE-OR-

DOMAIN-NAME>

Displays information for a specified device (wireless client or neighbor) or RF Domain This parameter is common to client and meshpoint neighbor parameters. Displays information for a specified device (wireless client or neighbor) or RF Domain.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. service show wireless radio-internal [radio1|radio2] <LINE>

show wireless radio-internal

[radio1|radio2]

<LINE>

Displays running system statistics based on the parameters passed Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.) Displays radio internal debug logs. Select the radio from the following options:

radio1 Selects radio 1 radio2 Selects radio 2. Specify the radio internal debug command to enable. service show wireless reference [channels|frame|handshake|mcs-rates|reason-

codes|status-codes]

show wireless reference channels frame handshake mcs-rates reason-codes status-codes Displays running system statistics based on the parameters passed Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.) Displays look up reference information related to standards, protocols, etc. Displays 802.11 channels information Displays 802.11 frame structure Displays a flow diagram of 802.11 handshakes Displays MCS rate information Displays 802.11 reason codes (for deauthentication, disassociation, etc.) Displays 802.11 status codes (for association response) service show wireless stats-client diag {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-

NAME)}

show wireless stats-client

<MAC/HOSTNAME>

on <DEVICE-OR-

DOMAIN-NAME>

Displays running system statistics based on the parameters passed Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.) Displays managed AP statistics Optional. Specify the MAC address or hostname of the AP. Optional. Displays statistics on a specified AP, or all APs on a specified domain.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. service smart-rf clear-config {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}

smart-rf clear-config Enables Smart RF management Clears WLAN Smart RF configuration on a specified device or on all devices Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 32 COMMON COMMANDS

<MAC>

<DEVICE-NAME>

Optional. Clears WLAN Smart RF configuration on a device identified by its MAC address. Specify the devices MAC address in the AA-BB-CC-DD-EE-FF format. Optional. Clears WLAN Smart RF configuration on a device identified by its hostname. Specify the devices hostname. on <DOMAIN-NAME> Optional. Clears WLAN Smart RF configuration on all devices in a specified RF Domain

<DOMAIN-NAME> Specify the RF Domain name. service smart-rf [clear-history|clear-interfering-aps|save-config] {on <DOMAIN-

NAME>}

smart-rf clear-history clear-interfering-aps save-config Enables Smart RF management Clears WLAN Smart RF history on all devices Clears Smart-RF interfering APs Saves the Smart RF configuration on all devices, and also saves the history on the RF Domain Manager on <DOMAIN-NAME> Optional. Clears WLAN Smart RF configuration on all devices in a specified RF Domain

<DOMAIN-NAME> Specify the RF Domain name. service snmp sysoid wing5 snmp sysoid wing5 Configures a new sysObjectID (sysoid), in the MIB, for devices running WiNG 5.X devices When configured, the SNMP manager returns sysoid for WiNG 5.X OS. Hardwares running the WiNG 4.X and WiNG 5.X images have different sysoids. For example, the sysoid for a RFS4000 using the WiNG 4.X image differs from another RFS4000 running the WiNG 5.X image. This command is applicable only to RFS4000 and RFS6000 platforms, since they have the same sysoid supported in WiNG 4.X and WiNG 5.X. The WiNG 4.X sysoids are:

RFS4000 1.3.6.1.4.1.388.18 RFS6000 1.3.6.1.4.1.388.16 The WiNG 5.X sysoids are:

RFS4000 1.3.6.1.4.1.388.50.1.1.35 RFS6000 1.3.6.1.4.1.388.50.1.1.36 service ssm dump-core-snapshot ssm dump-core-snapshot Triggers a debug core dump of the SSM module service syslog test {level [<0-7>|alerts|critical|debugging|emergencies|errors|

informational|notifications|warnings]} {(on <DEVICE-NAME>)}

syslog test Sends a test message to the syslog server to confirm server availability Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 33 COMMON COMMANDS level Optional. Sets the logging level. In case syslog server is unreachable, an event is logged based on the logging level defined. This is an optional parameter, and the system configures default settings, if no logging severity level is specified.

<0-7> Optional. Specify the logging severity level from 0-7. The various levels and their implications are as follows:

alerts Optional. Immediate action needed (severity=1) critical Optional. Critical conditions (severity=2) debugging Optional. Debugging messages (severity=7) emergencies Optional. System is unusable (severity=0) errors Optional. Error conditions (severity=3) informational Optional. Informational messages (severity=6) notifications Optional. Normal but significant conditions (severity=5) warnings Optional. Warning conditions (severity=4). This is the default setting. on <DEVICE-NAME>

Optional. Executes the command on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service ssm trace pattern <WORD> {on <DEVICE-NAME>}

ssm trace pattern <WORD>

on <DEVICE-NAME>

Displays the SSM module trace based on parameters passed Configures the pattern to match

<WORD> Specify the pattern to match. Optional. Displays the SSM module trace on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service wireless client beacon-request <MAC> mode [active|passive|table] ssid

[<SSID>|any] channel-report [<CHANNEL-LIST>|none] {on <DEVICE-NAME>}

wireless client beacon-requests

<MAC>

mode

[active|passive|table]

ssid [<SSID>|any]

channel-report

[<CHANNEL-LIST>|

none]

on <DEVICE-NAME>

Sends beacon measurement requests to a wireless client Specify the wireless clients MAC address. Specifies the beacon measurement mode. The following modes are available:

Active Requests beacon measurements in the active mode Passive Requests beacon measurements in the passive mode Table Requests beacon measurements in the table mode Specifies if the measurements have to be made for a specified SSID or for any SSID

<SSID> Requests beacon measurement for a specified SSID any Requests beacon measurement for any SSID Configures channel report in the request. The request can include a list of channels or can apply to all channels.

<CHANNEL-LIST> Request includes a list of channels. The client has to send beacon measurements only for those channels included in the request none Request applies to all channels Optional. Sends requests on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 34 COMMON COMMANDS service wireless client quiet-element [start|stop]

wireless client quiet-element start stop Enables the quite-element information in beacons sent to wireless clients Enables the quite-element information in beacons sent to wireless clients. This is the interval for which all wireless clients are to remain quiet. Disables the quite-element information in beacons sent to wireless clients. Once disabled, this information is no longer included in beacons. service wireless client trigger-bss-transition mac <MAC> {timeout <0-65535} {url

<URL>} {on <DEVICE-OR-DOMAIN-NAME>}

wireless client trigger-

bss-transition mac <MAC>

timeout <0-65535>

url <URL>

on

<DEVICE-OR-

DOMAIN-NAME>

Sends a 80211v-Wireless Network Management BSS transition request to a client Specifies the wireless clients MAC address Specifies the time remaining, for this client. before BSS transition is initiated. In other words on completion of the specified time period, BSS transition is triggered.

<0-65535> Specify a time from 0 -65535 seconds. Optional. Specifies session termination URL Optional. Sends request on a specified device

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. service wireless client trigger-wnm mac <MAC> type [deauth-imminent|

subscription-remediation] {uri <WORD>}

wireless client trigger-wnm mac <MAC>

type [deauth-

imminent|

subscription-

remediation]

uri <WORD>

Sends a WNM notification (action frame) to a wireless client Specifies the wireless clients MAC address Configures the WNM notification type deauth-imminent Sends a de-authentication imminent frame subscription-remediation Sends a subscription remediation needed frame Optional. Specifies the unique resource identifier (URI) service wireless dump-core-snapshot wireless client dump-core-snapshot Triggers a debug core dump of the wireless module service wireless meshpoint zl <MESHPOINT-NAME> [on <DEVICE-NAME>] {<ARGS>|

timeout <1-65535>}

service wireless meshpoint zl

<MESHPOINT-NAME>

on <DEVICE-NAME>

Triggers a zonal level debug of a specified meshpoints modules Specify the meshpoint name Triggers zonal level debug of a specified meshpoints modules on a specified device

<DEVICE-NAME> Specify the name of the device (AP, wireless controller, or service platform) Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 35 COMMON COMMANDS

<ARGS>

timeout <1-65535>

Optional. Specifies the zonal arguments. These zonal arguments represent the meshpoint modules identified by the zonal and subzonal arguments passed here. Also specify the debug level from 0 -7. Please see the Examples section, at the end of this topic, for more information. Optional. Specifies a timeout value from 1 - 65535 seconds. When specified, meshpoint logs are debugged for the time specified here. wireless qos delete-tspec

<MAC>

tid <0-7>

service wireless qos delete-tspec <MAC> tid <0-7>

Sends a delete TSPEC request to a wireless client Specify the MAC address of the wireless client. Deletes the Traffic Identifier (TID)

<0-7> Select the TID from 0 - 7. service wireless trace pattern <WORD> {on <DEVICE-NAME>}

wireless trace pattern <WORD>

on <DEVICE-NAME>

Displays the wireless module trace based on parameters passed Configures the pattern to match

<WORD> Specify the pattern to match. Optional. Displays the wireless module trace on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service wireless unsanctioned ap air-terminate <MAC> {on <DOMAIN-NAME>}

Enables unsanctioned access points termination wireless unsanctioned ap air-terminate

<MAC>

on <DOMAIN-NAME> Optional. Specifies the RD Domain of the access point Configures the unsanctioned access points BSSID (MAC address)

<DOMAIN-NAME> Specify the name of the RF Domain. service wireless wips clear-client-blacklist [all|mac <MAC>]

wireless wips clear-client-blacklist

[all|mac <MAC>]

Enables management of WIPS parameters Removes a specified client or all clients from the blacklist all Removes all clients from the blacklist mac <MAC> Removes a specified client form the blacklist

<MAC> Specify the wireless clients MAC address. service wireless wips clear-event-history {on <DEVICE-OR-DOMAIN-NAME}

wireless wips clear-event-history on <DEVICE-OR-

DOMAIN-NAME>

Enables WIPS management Clears event history Optional. Clears event history on a device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 36 Syntax (Privilege Exec Mode) COMMON COMMANDS NOTE: The service command of the Priv Exec Mode is the same as the service command in the User Exec Mode. There a few modifications that have been documented in this section. For the syntax and parameters of the other commands refer to the (User Exec Mode) syntax and (User Exec Mode) parameters sections of this chapter. service service [block-adopter-config-updates|clear|cli-tables-skin|cluster|copy|

database|delete|delete-offline-aps|force-send-config|force-update-vm-stats|

guest-registration|load-balancing|locator|mint|pktcap|pm|radio|radius|

request-full-config-from-adopter|restore|set|show|signal|smart-rf|snmp|ssm|

start-shell|syslog|trace|wireless]

service clear crash-info {on <DEVICE-NAME>}

service copy [stats-report|tech-support]

service copy stats-report [global|rf-domain <DOMAIN-NAME>] (<FILE>|<URL>) service copy tech-support [<FILE>|<URL>]

service database [authentication|compact|drop|maintenance-mode|primary-stepdown|

remove-all-files|replica-set|server|start-shell]

service database authentication [create-user|delete-user]

service database authentication create-user username <USER-NAME> password

<PASSWORD>

service database authentication delete-user username <USER-NAME>

service database compact [all|captive-portal|nsight]

service database drop [captive-portal|nsight] collection <COLLECTION-NAME>

service database [maintenance-mode|primary-stepdown|remove-all-files|start-shell]

service database replica-set [add|delete]

service database replica-set add member [<IP>|<FQDN>] [arbiter|priority <0-255>]

service database replica-set delete member [<IP>|<FQDN>]

service database server [restart|start|stop]

service delete sessions <SESSION-COOKIES>

service mint [clear|debug-log|expire|flood]

service mint [clear [lsp-db|mlcp]|debug-log [flash-and-syslog|flash-only]|expire

[lsp|spf]|flood [csnp|lsp]]

service pktcap on [bridge|deny|drop|ext-vlan|interface|radio|rim|router|vpn|

wireless]

service pktcap on [bridge|deny|drop|ext-vlan|rim|router|vpn|wireless] {(acl-name

<ACL>,count <1-1000000>,direction [any|inbound|outbound],filter <LINE>,hex,rate

<1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp [<IP/TZSP-HOSTNAME>])}

service pktcap on interface [<INTERFACE-NAME>|ge <1-4>|me1|port-channel <1-2>|

pppoe1|vlan <1-4094>|wwan1] {(acl-name <ACL>,count <1-1000000>,direction

[any|inbound|outbound],filter <LINE>,hex,rate <1-100>,snap <1-2048>,tcpdump, verbose,write [file|url|tzsp [<IP/TZSP-HOSTNAME>])}

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 37 COMMON COMMANDS service pktcap on radio [<1-1024>|all] {(acl-name <ACL>,count <1-1000000>, direction [any|inbound|outbound],filter <LINE>,hex,promiscuous,rate <1-100>, snap <1-2048>,tcpdump,verbose,write [file|url|tzsp [<IP/TZSP-HOSTNAME>])}

service pm stop {on <DEVICE-NAME>}

service restore analytics-support [<FILE>|<URL>]

service show last-passwd service signal [abort <PROCESS-NAME>|kill <PROCESS-NAME>]

service start-shell service trace <PROCESS-NAME> {summary}

Parameters (Privilege Exec Mode) service service copy tech-support [<FILE>|<URL>]

copy tech-support

<FILE>

<URL>

Copies extensive system information used for troubleshooting Specify the location to copy file using the following format:

usbX:/path/file Specify the location URL to copy file. Both IPv4 andIPv6 address formats are supported. tftp://<hostname|IPv4/IPv6>[:port]/path/file ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file sftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]>/path/file service copy stats-report [global|rf-domain <DOMAIN-NAME>] (<FILE>|<URL>) copy stats-report

[global|rf-domain

<DOMAIN-NAME>]

<FILE>

<URL>

Copies extensive statistical data useful for troubleshooting Identifies the RF Domain to copy statistical data global Copies extensive statistical data of all configured RF Domains rf-domain <DOMAIN-NAME> Copies extensive statistical data of a specified RF Domain. Specify the domain name. Specify the location to copy file using the following format:

usbX:/path/file Specify the location URL to copy file. Both IPv4 andIPv6 address formats are supported. tftp://<hostname|IPv4/IPv6>[:port]/path/file ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file sftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]>/path/file service clear crash-info {on <DEVICE-NAME>}

clear crash-info on <DEVICE-NAME>

Clears all crash files Optional. Clears crash files on a specified device. These crash files are core, panic, and AP dump.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 38 COMMON COMMANDS service database authentication create-user username <USER-NAME> password

<PASSWORD>

database database authentication create-

user username <USER-

NAME> password

<PASSWORD>

Performs captive-portal/NSight database related actions This command is supported only on the NX95XX, NX9600, and VX9000 platforms. Creates the username and password required to access the database. Execute this command on the database host. However, before creating users, on the database, generate the database keyfile. For more information on generating the keyfile, see database. username <USER-NAME> Configures a database username password <PASSWORD> Configures a password for the username created above In the database-policy context, enable authentication and configure this username and password. The database-client-policy also should have the same user credentials configured. For more information on database-policy and database-client-policy, see database-policy and database-client-policy. database authentication delete-user username <USER-NAME>

database database authentication delete-

user username <USER-

NAME>

Performs database related actions This command is supported only on the NX95XX, NX9600, and VX9000 platforms. Deletes existing users having access rights to the database username <USER-NAME> Identifies the user to delete by the username

<USER-NAME> Specify the user name. Once deleted, the database cannot be accessed using the specified combination of username and password. service database compact [all|captive-portal|nsight]

database compact [all|

captive-portal|nsight]

Performs database related actions Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms. Compacts collections within the database. Each database (captive-portal and NSight) contains one or more collection, where each collection is a set of records. Use this command to make a single compact set of all collections within a database. all Compacts collections within all databases (captive-portal and NSight) being maintained captive-portal Compacts all collections within the captive portal database only nsight Compacts all collections within the NSight database only service database drop [captive-portal|nsight] collection <COLLECTION-NAME>

database Performs database related actions Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 39 COMMON COMMANDS drop

[captive-portal|nsight]

collection

<COLLECTION-NAME>

Drops the specified collection from the selected database. Select the database type and specify the collection. captive-portal Drops a captive portal database collection nsight Drops an NSight database collection The following keyword is common to both the captive-portal and NSight databases:

collection <COLLECTION-NAME> Drops the collection identified by the <COL-

LECTION-NAME> parameter.

<COLLECTION-NAME> Specify the collection name. service database [maintenance-mode|primary-stepdown|remove-all-files|start-

shell]

database maintenance-mode primary-stepdown remove-all-files start-shell Performs database related actions Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms. Places the database server in the maintenance mode Requests the primary replica-set to step down. For more information on replica-sets and its creation, see database-policy. Removes all database-server related files (captive-portal and NSight). Use in a scenario where complete removal of all database related files is necessary, such as when downgrading to 5.8.1 or 5.8.0 version. Extreme caution is recommended when using this command. Starts the database shell service database replica-set add member [<IP>|<FQDN>] [arbiter|priority <0-255>]

database replica-set add member

[<IP>|<FQDN>]

Performs database related actions Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms. Adds members to the database replica set. A replica set is a group of devices running the database instances that maintain the same data set. Replica sets provide redundancy and high availability, and are the basis for all production deployments. The replica set can contain a maximum of fifty (50) members, with each member

(with the exception of the arbiter) hosting an instance of the database. For more information on creating replica sets, see database-policy. Adds members to the database replica set

<IP> Identifies the member by its IP address. Specify the members IP address.

<FQDN> Identifies the member by its Fully Qualified Domain Name (FQDN). Specify the members FQDN address. Note: Ensure that the identified members have the database instance running prior to being added to the replica set. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 40 COMMON COMMANDS

[arbiter|

priority <0-255>]

After identifying the new member, optionally specify if the member is the arbiter or not. If not the arbiter, specify the members priority value. arbiter Identifies the new member as the arbiter. The arbiter does not maintain a data set and is added to the replica set to facilitate the election of the fall-back primary member. It provides that one extra vote required in the election of the primary member. priority <0-255> Identifies the new member as not being the arbiter and configures its priority value.

<0-255> Specify the priority value from 0 - 255. Not applicable for the arbiter. The priority value determines the members position within the replica set as primary or secondary. It also helps in electing the fall-back primary member in the eventuality of the current primary member being unreachable. All identified members should have the database instances running prior to being added to the replica set. service database replica-set delete member [<IP>|<FQDN>]

database replica-set delete member

[<IP>|<FQDN>]

Performs database related actions Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms. Allows deletion of members in a database replica set. For each database a single three-member replica-set can be created and maintained. For more information on creating replica sets, see database-policy. Deletes members from an existing database replica set

<IP> Identifies the member by its IP address. Specify the members IP address.

<FQDN> Identifies the member by its FQDN. Specify the members FQDN address. service database server [restart|start|stop]

database server

[restart|start|stop]

Performs database related actions Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms. Performs the following actions on the database server:

restart Restarts the server start Starts the server stop Stops the server service delete sessions <SESSION-COOKIES>

delete sessions

<SESSION-COOKIES>

Deletes session cookies

<SESSION-COOKIES> Provide a list of cookies to delete. service mint [clear [lsp-dp|mlcp]|debug-log [flash-and-syslog|flash-only]|

expire [lsp|spf]|flood [csnp|lsp]]

mint clear [lsp-dp|mlcp]

Enables MiNT protocol management (clears LSP database, enables debug logging, enables running silence, etc.) Clears LSP database and MiNT Link Control Protocol (MLCP) links lsp-dp Clears MiNT Label Switched Path (LSP) database mlcp Clears MLCP links Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 41 COMMON COMMANDS debug-log

[flash-and-syslog|

flash-only]

expire [lsp|spf]

flood [csnp|lsp]

Enables debug message logging flash-and-syslog Logs debug messages to the flash and syslog files flash-only Logs debug messages to the flash file only Forces expiration of LSP and recalculation of Shortest Path First (SPF) lsp Forces expiration of LSP spf Forces recalculation of SPF Floods control packets csnp Floods our Complete Sequence Number Packets (CSNP) lsp Floods our LSP service pm stop {on <DEVICE-NAME>}

pm stop on <DEVICE-NAME>

Stops the Process Monitor (PM) Stop the PM from monitoring all daemons Optional. Stops the PM on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. service pktcap on [bridge|deny|drop|ext-vlan|rim|router|vpn|wireless]

{(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound],filter,hex, rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-

HOSTNAME>])}

pktcap on bridge deny drop ext-vlan rim router vpn wireless acl-name <ACL>

count <1-1000000>

direction

[any|inbound|

outbound]

Captures data packets crossing at a specified location on Defines the packet capture location Captures packets transiting through the Ethernet bridge Captures packets denied by an Access Control List (ACL) Captures packets at the drop locations Captures packets forwarded to or from an extended VLAN Captures packets at the Radio Interface Module (RIM) Captures packets transiting through an IP router Captures packets forwarded to or from a VPN link Captures packets forwarded to or from a wireless device Optional. Specify the ACL that matches the acl-name for the 'deny' location Optional. Limits the captured packet count. Specify a value from 1 -1000000. Optional. Changes the packet direction with respect to a device. The direction can be set as any, inbound, or outbound. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 42 COMMON COMMANDS Optional. Filters packets based on the option selected (must be used as a last option) The filter options are:

<LINE> Defines user defined packet capture filter arp Matches ARP packets capwap Matches CAPWAP packets cdp Matches CDP packets dot11 Matches 802.11 packets dropreason Matches packet drop reason dst Matches IP destination ether Matches Ethernet packets failed Matches failed 802.11 transmitted frames host Matches host destination icmp Matches ICMP packets icmp6 Matches ICMPv6 frames ip Matches IPV4 packets ipv6 Matches IPV6 packets l2 Matches L2 header l3 Matches L3 header l4 Matches L4 header mint Matches MiNT packets lldp Matches LLDP packets net Matches IP in subnet not Filters out any packet that matches the filter criteria (For example, if not TCP is used, all tcp packets are filtered out) port Matches TCP or UDP port priority Matches packet priority radio Matches radio rssi Matches Received Signal Strength Indication (RSSI) of received radio signals src Matches IP source stp Matches STP packets tcp Matches TCP packets tcp6 Matches TCP over IPv6 packets udp Matches UDP packets udp6 Matches UDP over IPv6 packets vlan Matches VLAN wlan Matches WLAN Optional. Provides binary output of the captured packets Optional. Specifies the packet capture rate

<1-100> Specify a value from 1 - 100 seconds. Optional. Captures the data length

<1-2048> Specify a value from 1 - 2048 characters. Optional. Decodes tcpdump. The tcpdump analyzes network behavior, performance, and infrastructure. It also analyzes applications that generate or receive traffic. filter

[<LINE>|arp|capwap|c dp|dot11|dropreason|d st|ether|failed|host|icm p|icmp6|igmp|ip|ipv6|l 2|l3|l4|lldp|mint|net|no t|port|priority|radio|rss i|src|stp|tcp|tcp6|udp|

udp6|vlan|wlan]

hex rate <1-100>

snap <1-2048>

tcpdump Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 43 COMMON COMMANDS verbose write Optional. Displays full packet body Captures packets to a specified file. Specify the location to capture file:

FILE flash:/path/file usbX:/path/file vram:startup-config URL Specify the location URL to capture file. Both IPv4 and IPv6 address formats are supported. tftp://<hostname|IPv4/IPv6>[:port]/path/file ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file sftp://<user>@<hostname|IPv4/IPv6>[:port]>/path/file tzsp Tazman Sniffer Protocol (TZSP) host. Specify the TZSP hosts IP address or hostname. service pktcap on radio [<1-1024>|all] {(acl-name <ACL>,count <1-1000000>, direction [any|inbound|outbound],filter <LINE>,hex,promiscuous,rate <1-100>,snap

<1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-HOSTNAME>])}

pktcap on radio

<1-1024>

all acl-name <ACL>

count <1-1000000>

direction

[any|inbound|

outbound]

filter <LINE>

hex rate <1-100>

snap <1-2048>

tcpdump verbose Captures data packets on a radio (802.11) Captures data packets on a specified radio

<1-1024> specify the radio index from 1 - 1024. Captures data packets on all radios Optional. Specify the ACL that matches the ACL name for the 'deny' location Optional. Sets a specified number of packets to capture

<1-1000000> Specify a value from 1 - 1000000. Optional. Changes the packet direction with respect to a device. The direction can be set as any, inbound, or outbound. Optional. Filters packets based on the option selected (must be used as a last option)

<LINE> Define a packet capture filter or select any one of the available options. Optional. Provides binary output of the captured packets Optional. Specifies the packet capture rate

<1-100> Specify a value from 1 - 100 seconds. Optional. Captures the data length

<1-2048> Specify a value from 1 - 2048 characters. Optional. Decodes the TCP dump Optional. Provides verbose output Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 44 COMMON COMMANDS write Captures packets to a specified file. Specify the location to capture file:

FILE flash:/path/file usbX:/path/file nvram:startup-config URL Specify the location URL to capture file. Both IPv4 and IPv6 address formats are supported. tftp://<hostname|IPv4/IPv6>[:port]/path/file ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file sftp://<user>@<hostname|IPv4/IPv6>[:port]>/path/file tzsp The TZSP host. Specify the TZSP hosts IP address or hostname. service pktcap on interface [<INTERFACE>|ge <1-4>|me|port-channel <1-2>|vlan

<1-4094>] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound], filter <LINE>,hex,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp

<IP/TZSP-HOSTNAME>])}

pktcap on interface

[<INTERFACE>|

ge <1-4>|me1|

port-channel <1-2>|

vlan <1-4094>]

acl-name <ACL>

count <1-1000000>

direction

[any|inbound|

outbound]

filter <LINE>

hex rate <1-100>

snap <1-2048>

tcpdump verbose Captures data packets at a specified interface on Specify the capture location. Captures packets at a specified interface. The options are:

<INTERFACE> Specify the interface name. ge <1-4> Selects a GigabitEthernet interface index from 1 - 4 me1 Selects the FastEthernet interface port-channel <1-2> Selects a port-channel interface index from 1- 2 vlan <1-4094> Selects a VLAN ID from 1 - 4094 Optional. Specify the ACL that matches the ACL name for the 'deny' location Optional. Sets a specified number of packets to capture

<1-1000000> Specify a value from 1 - 1000000. Optional. Changes the packet direction with respect to a device. The direction can be set as any, inbound, or outbound. Optional. Filters packets based on the option selected (must be used as a last option)

<LINE> Define a packet capture filter or select any one of the available options. Optional. Provides binary output of the captured packets Optional. Specifies the packet capture rate

<1-100> Specify a value from 1 - 100 seconds. Optional. Captures the data length

<1-2048> Specify a value from 1 - 2048 characters. Optional. Decodes the TCP dump Optional. Provides verbose output Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 45 COMMON COMMANDS write Captures packets to a specified file. Specify the location to capture file:

FILE flash:/path/file usbX:/path/file nvram:startup-config URL Specify the location URL to capture file. Both IPv4 and IPv6 address formats are supported. tftp://<hostname|IPv4/IPv6>[:port]/path/file ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file sftp://<user>@<hostname|IPv4/IPv6>[:port]>/path/file tzsp The TZSP host. Specify the TZSP hosts IP address or hostname. service show last-passwd show last-passwd Displays running system statistics based on the parameters passed Displays the last password used to enter shell service signal [abort <PROCESS-NAME>|kill <PROCESS-NAME>]

signal abort kill Sends a signal to a process tech-support Copies extensive system information useful for troubleshooting Sends an abort signal to a process, and forces it to dump to core

<PROCESS-NAME> Specify the process name. Sends a kill signal to a process, and forces it to terminate without a core

<PROCESS-NAME> Specify the process name. service start-shell start-shell Provides shell access service trace <PROCESS-NAME> {summary}

trace

<PROCESS-NAME>

summary Traces a process for system calls and signals Specifies the process name Optional. Generates summary report of the specified process Syntax (Privilege Exec Mode: NX9500 and NX9510) service The following service commands are specific to the NX9500 and NX9510 series service platforms:

service copy analytics-support [<FILE>|<URL>]

Parameters (Privilege Exec Mode: NX9500 and NX9510) service copy analytics-support [<FILE>|<URL>]

copy analytics-

support

<FILE>

Enables copying of analytics information to a specified. Use one of the following options to specify the file:

This information is useful to troubleshoot issues by the Technical Support team. Specify the file name and location using one of the following formats:

usb1:/path/file usb2:/path/file Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 46 COMMON COMMANDS

<URL>

Usage Guidelines Specify the location URL to copy file. Both IPv4 and IPv6 formats are supported. tftp://<hostname|IPv4/IPv6>[:port]/path/file ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file sftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]>/path/file The NX9500 and NX9510 model service platforms (NOC) provide granular and robust analytic reporting for a RFS4000 or RFS6000 device managed network. The data analyzed is collected at intervals specified by the administrator. To enable data analytics, procure and apply a separate hot spare analytics license at the NOC. The license restricts the number of access point streams processed at the NOC or forwarded to partner systems for further processing. The analytics feature can be turned on at select APs by enabling them in configuration. This way the customer can enable analytics on a select set of APs and not the entire system as long as the number of APs on which it is enabled is less than or equal to the total number of AP analytics licenses available at the NOC controller. In an NOC managed network, the analytics engine parses and processes Smart RF events as they are received. The analytics engine parses the new channel and power information from the Smart RF event, as opposed to retrieving the event from the devices themselves. Syntax (Global Config Mode) service service [set|show cli]

service set [command-history <10-300>|upgrade-history <10-100>|reboot-history <10-

100>|virtual-machine-history <10-200>] {on <DEVICE-NAME>}

service show cli Parameters (Global Config Mode) service set [command-history <10-300>|upgrade-history <10-100>|reboot-history

<10-100>|virtual-machine-history <10-200>] {on <DEVICE-NAME>}

set command-history

<10-300>

upgrade-history

<10-100>

reboot-history

<10-100>

virtual-machine-

history <10-200>

Sets the size of history files Sets the size of the command history file

<10-300> Specify a value from 10 - 300. The default is 200. Sets the size of the upgrade history file

<10-100> Specify a value from 10 - 100. The default is 50. Sets the size of the reboot history file

<10-100> Specify a value from 10 - 100. The default is 50. Sets the size of the virtual-machine history file

<10-200> Specify a value from 10 - 200. The default is 100. This command is applicable only to the NX9500 and NX9510 series service platforms. Use the no > service > set > virtual-machine-history > {on <DEVICE-NAME>}

command to revert the history file size to 100. on <DEVICE-NAME> Optional. Sets the size of history files on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 47 COMMON COMMANDS service show cli show cli Displays running system configuration details cli Displays the CLI tree of the current mode Example rfs6000-81742D>service show cli Command mode: +-do

+-help [help]

+-search

+-WORD [help search WORD (|detailed|only-show|skip-show|skip-no)]

+-detailed [help search WORD (|detailed|only-show|skip-show|skip-no)]

+-only-show [help search WORD (|detailed|only-show|skip-show|skip-no)]

+-skip-show [help search WORD (|detailed|only-show|skip-show|skip-no)]

+-skip-no [help search WORD (|detailed|only-show|skip-show|skip-no)]

+-show

+-commands [show commands]

+-adoption

+-log

+-adoptee [show adoption log adoptee(|on DEVICE-NAME)]

+-on

+-DEVICE-NAME [show adoption log adoptee(|on DEVICE-NAME)]

+-adopter [show adoption log adopter (|mac AA-BB-CC-DD-EE-FF)(|on DEVICE-

NAME)]

+-mac

+-AA-BB-CC-DD-EE-FF [show adoption log adopter (|mac AA-BB-CC-DD-EE-

FF)(|on DEVICE-NAME)]

+-on

+-DEVICE-NAME [show adoption log adopter (|mac AA-BB-CC-DD-EE-FF)(|on DEVICE-NAME)]

--More--

rfs6000-81742D>

rfs6000-81742D#service signal abort testprocess Sending an abort signal to testprocess rfs6000-81742D#

nx9500-6C8809*#service show crash-info

--------------------------------------------------------------------------------

CRASH FILE SIZE LAST MODIFIED

--------------------------------------------------------------------------------

cfgd.log_NX9500_5.9.0.0-014D.error.1 8369 Tue Apr 12 03:54:54 2017

--------------------------------------------------------------------------------

nx9500-6C8809*#

rfs6000-81742D#service show command-history Configured size of command history is 200 Date & Time User Location Command

=====================================================================

Apr 12 09:31:41 2017 admin 192.168.13.10 22 rf-domain test Apr 11 03:00:56 2017 admin 192.168.13.10 93 reload force Apr 11 03:00:35 2017 admin 192.168.13.10 93 write memory Apr 11 03:00:31 2017 admin 192.168.13.10 93 commit Apr 11 03:00:24 2017 admin 192.168.13.10 93 no cluster name Apr 10 21:29:50 2017 admin 192.168.13.10 93 commit Apr 10 21:29:48 2017 admin 192.168.13.10 93 use rf-domain TechPubs Apr 10 21:29:44 2017 admin 192.168.13.10 93 self Apr 10 21:29:40 2017 admin 192.168.13.10 93 write memory Apr 10 21:29:34 2017 admin 192.168.13.10 93 commit Apr 10 21:29:27 2017 admin 192.168.13.10 93 use license WEBF Apr 10 21:29:27 2017 admin 192.168.13.10 93 controller-managed Apr 10 21:29:27 2017 admin 192.168.13.10 93 control-vlan 1

--More--

rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 48 COMMON COMMANDS rfs6000-81742D#service show diag stats fan 1 (fan 1) current speed: 0 min_speed: 2000 hysteresis: 250 fan 2 (fan 2) current speed: 10320 min_speed: 2000 hysteresis: 250 fan 3 (fan 3) current speed: 10620 min_speed: 2000 hysteresis: 250 fan 4 (fan 4) current speed: 10740 min_speed: 2000 hysteresis: 250 Sensor 1 (upwind of CPU) Temperature 31.0 C Sensor 2 (CPU die) Temperature 47.0 C Sensor 3 (left side) Temperature 37.0 C Sensor 4 (by FPGA) Temperature 31.0 C Sensor 5 (front right) Temperature 30.0 C Sensor 6 (front left) Temperature 31.0 C rfs6000-81742D#

rfs6000-81742D#service show info 7.7M out of 8.0M available for logs. 32.9M out of 34.0M available for history. 20.4M out of 84.0M available for crashinfo. List of Files:

adopts.log 1.7K Apr 12 11:20 anald.log 1.1K Apr 12 11:20 cfgd.log 48.8K Apr 12 12:35 dpd2.log 40.1K Apr 12 12:07 messages.log 22.4K Apr 12 12:27 startup.log 6.0K Apr 11 09:08 upgrade.log 60.9K Apr 12 11:40 vlan-usage.log 0 Apr 12 12:18 command.history 10.5K Apr 12 09:31 reboot.history 1.1K Apr 11 09:07 ugrade.history 116 Apr 11 09:05 Please export these files or delete them for more space. rfs6000-81742D#

rfs6000-81742D#service show mac-vendor B4-C7-99-6C-88-09 B4-C7-99 : Extreme Networks rfs6000-81742D#

nx9500-6C8809>service show upgrade-history Configured size of upgrade history is 50 Date & Time Old Version New Version Status Date & Time Old Version New Version Status

=====================================================================

Apr 11 07:57:33 2017 5.9.0.0-012D 5.9.0.0-014D Successful Mar 30 15:00:48 2017 5.9.0.0-010D 5.9.0.0-012D Successful Mar 22 13:35:20 2017 5.9.0.0-009D 5.9.0.0-010D Successful Mar 22 11:54:25 2017 5.8.6.0-010R 5.9.0.0-009D Successful Feb 21 08:40:22 2017 5.8.6.0-009R 5.8.6.0-010R Successful Feb 21 08:22:45 2017 5.8.6.0-009R 5.8.6.0-009R Failure in openssl. Verification failure. Feb 15 10:55:00 2017 5.8.6.0-007B 5.8.6.0-009R Successful Feb 15 10:45:40 2017 5.8.6.0-007B 5.8.6.0-008B Successful Feb 15 10:45:07 2017 5.8.6.0-007B 5.8.6.0-007B Unable to get update file. ftpget:

unexpected server response to RETR: 550 LatestBuilds/W586/NX9000.img: The system cannot find the file specified. Feb 11 12:26:20 2017 5.8.6.0-007B 5.8.6.0-008B Successful Feb 11 12:21:04 2017 5.8.6.0-007B 5.8.6.0-008B Successful Feb 11 12:20:34 2017 5.8.6.0-007B 5.8.6.0-007B Unable to get update file. ftpget:

bad address '1921.68.13.10'

---More--

nx9500-6C8809>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 49 COMMON COMMANDS rfs6000-81742Drfs6000-81742D#service show wireless reference reason-codes CODE DESCRIPTION 0 Success 1 Unspecified Reason 2 Previous authentication no longer valid 3 Deauth because sending STA is leaving IBSS or ESS 4 Disassoc due to inactivity 5 Disassoc because AP is unable to handle all currently assoc STA 6 Class 2 frame received from non-authenticated STA 7 Class 3 frame received from nonassociated STA 8 Disassoc because STA is leaving BSS 9 STA requesting association is not authentication with corresponding STA 10 Disassoc because info in the power capability elem is unacceptable

--More--

rfs6000-81742D#

rfs6000-81742D#service show wireless reference status-codes CODE DESCRIPTION 0 Successful 1 Unspecified failure 2-9 Reserved 10 Cannot support all requested capabilities in the Capability Information field 11 Reassociation denied due to inability to confirm that association exists 12 Association denied due to reason outside the scope of this standard 13 Responding STA does not support the specified authentication algorithm 14 Received an auth frame with authentication transaction seq number out of expected sequence 15 Authentication rejected because of challenge failure

--More--

rfs6000-81742D#

nx9500-6C8809>service show wireless config-internal

! Startup-Config-Playback Completed: Yes no debug wireless country-code in nx9500-6C8809>

nx9500-6C8809>service show wireless log-internal 08:16:45.901: wlan:Starting credcache checkup/sync (credcache.c:1536) 07:56:41.900: wlan:Starting credcache checkup/sync (credcache.c:1536) 07:36:40.899: wlan:Starting credcache checkup/sync (credcache.c:1536) 07:16:32.898: wlan:Starting credcache checkup/sync (credcache.c:1536) 06:56:31.898: wlan:Starting credcache checkup/sync (credcache.c:1536) 06:36:24.897: wlan:Starting credcache checkup/sync (credcache.c:1536) 06:16:22.897: wlan:Starting credcache checkup/sync (credcache.c:1536) 05:56:18.896: wlan:Starting credcache checkup/sync (credcache.c:1536) 05:16:09.895: wlan:Starting credcache checkup/sync (credcache.c:1536) 04:56:01.894: wlan:Starting credcache checkup/sync (credcache.c:1536) 04:35:58.893: wlan:Starting credcache checkup/sync (credcache.c:1536) 04:34:41.63: config:commit done in cfgd (config.c:5382) 04:15:55.893: wlan:Starting credcache checkup/sync (credcache.c:1536) 03:55:54.891: wlan:Starting credcache checkup/sync (credcache.c:1536) 03:20:30.397: config:commit done in cfgd (config.c:5382) 03:19:50.188: config:commit done in cfgd (config.c:5382)

--More--

nx9500-6C8809>

nx9500-6C8809#service show xpath-history

********************************************************************************

************************************************************

* DATE&TIME * USER * XPATH

* DURATION(MS)*

********************************************************************************

************************************************************

* Wed Apr 12 12:45:28 2017 * system @ rfs6000-81742D * wing-stats/device/B4-C7-99-

6C-88-09/_internal/feature_license_request * 0 *

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 50 COMMON COMMANDS

* Wed Apr 12 12:45:24 2017 * system @ rfs6000-81742D * wing-stats/device/B4-C7-99-

6C-88-09/_internal/feature_license_request * 0 *

* Wed Apr 12 12:45:13 2017 * system @ rfs6000-81742D * wing-stats/device/B4-C7-99-

6C-88-09/_internal/feature_license_request * 0 *

* Wed Apr 12 12:45:02 2017 * system * wing-stats/device/B4-C7-99-

6C-88-09/_internal/feature_license_request * 0 *

--More--

nx9500-6C8809#

The following example shows the service > show > virtual-machine-history output on a NX9500 service platform:

nx9500-6C874D>service show virtual-machine-history Configured size of virtual machine history is 100 Date & Time Virtual Machine Event

=====================================================

Jan 16 05:39:46 2017 Domain-0 autostart Jan 10 03:47:09 2017 Domain-0 autostart Jan 02 05:53:48 2017 Domain-0 autostart Dec 27 10:52:59 2016 Domain-0 autostart Oct 14 05:56:14 2016 Domain-0 autostart Oct 14 03:01:48 2016 Domain-0 autostart Oct 12 04:11:52 2016 Domain-0 autostart Sep 30 04:41:08 2016 Domain-0 autostart

--More--

nx9500-6C874D>

rfs4000-229D58#service show fib6

-------------------------------------------------------------------------------

Route Table ID : 254

::1/128 Next Hop: :: Interface: lo Route Type: ROUTE_TYPE_CONNECT Route Status: ROUTE_STATUS_KERNEL Metric: 0 Distance: 0 fe80::/64 Next Hop: :: Interface: vlan2 Route Type: ROUTE_TYPE_CONNECT Route Status: ROUTE_STATUS_KERNEL Metric: 256 Distance: 0 2001::/64 Next Hop: 2001::6 Interface: Route Type: ROUTE_TYPE_STATIC Route Status: ROUTE_STATUS_PENDING Metric: 256 Distance: 1 rfs4000-229D58#

Examples for the service > wireless > meshpoint command. The following example displays meshpoint modules:

ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C

| SUBZONE

| 0 1 2 3 4 5 6 7

-------+-----------------------------------------

ZONE |

| GEN TX RX BEA TXF 2-LLC | 0 0 0 0 0

| GEN TX RX NBR LQM LSA 3-ND | 0 0 0 0 0 0

| GEN 4-ORL | 0

| GEN TX RX HEL PRO 5-LQ | 0 0 0 0 0

| GEN 6-PS | 0

| GEN ROOT NBR REC 7-RS | 0 0 0 0

| GEN 8-IA | 0

| GEN SET GET 11-MGT | 0 0 0

| GEN RX TX R0 LMST LSUP LKEY KEY 13-LSA | 0 0 0 0 0 0 0 0 Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 51 COMMON COMMANDS

| GEN SCAN TRIG 14-ACS | 0 0 0

| GEN 15-EAP | 0

| GEN 16-L2P | 0 ROOT1-ap81xx-71174C#

In the preceding example, The meshpoint name is mesh_root The device on which the command is executed is ROOT1-ap81xx-71174C The vertical ZONE column represents meshpoint modules. For example, 3-ND presents the Neighbor Discovery module. The SUBZONE 0 to 7 represents the available processes for each of the zonal modules. Debugging is disabled for all modules for the mesh-root meshpoint. A value of 0 (Zero) represents debugging disabled. To enable meshpoint module debugging, specify the module number and the process number separated by a period (.). And then specify the debugging level from 0 - 7. ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C 3.2 7 In the preceding command, The meshpoint module number provided is 3 (ND) The process number provided is 2 (RX - Received signals from neighbors) The debugging level provided is 7 (highest level - warning) ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C

| SUBZONE

| 0 1 2 3 4 5 6 7

-------+-----------------------------------------

ZONE |

| GEN TX RX BEA TXF 2-LLC | 0 0 0 0 0

| GEN TX RX NBR LQM LSA 3-ND | 0 0 7(D) 0 0 0

| GEN 4-ORL | 0

| GEN TX RX HEL PRO 5-LQ | 0 0 0 0 0

| GEN 6-PS | 0

| GEN ROOT NBR REC 7-RS | 0 0 0 0

| GEN 8-IA | 0

| GEN SET GET 11-MGT | 0 0 0

| GEN RX TX R0 LMST LSUP LKEY KEY 13-LSA | 0 0 0 0 0 0 0 0

| GEN SCAN TRIG 14-ACS | 0 0 0

| GEN 15-EAP | 0

| GEN 16-L2P | 0 ROOT1-ap81xx-71174C#

In the preceding example, level 7 debugging has been enabled only for the ND modules received signals. Note that debugging for all other modules and processes are still disabled. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 52 COMMON COMMANDS To disable debugging for all modules, specify 0 (zero) in the command. For example:

ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C 0 To enable debugging for all modules, specify the debugging level number. For example:

ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C 5 ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C

| SUBZONE

| 0 1 2 3 4 5 6 7

-------+-----------------------------------------

ZONE |

| GEN TX RX BEA TXF 2-LLC | 5(N) 5(N) 5(N) 5(N) 5(N)

| GEN TX RX NBR LQM LSA 3-ND | 5(N) 5(N) 5(N) 5(N) 5(N) 5(N)

| GEN 4-ORL | 5(N)

| GEN TX RX HEL PRO 5-LQ | 5(N) 5(N) 5(N) 5(N) 5(N)

| GEN 6-PS | 5(N)

| GEN ROOT NBR REC 7-RS | 5(N) 5(N) 5(N) 5(N)

| GEN 8-IA | 5(N)

| GEN SET GET 11-MGT | 5(N) 5(N) 5(N)

| GEN RX TX R0 LMST LSUP LKEY KEY 13-LSA | 5(N) 5(N) 5(N) 5(N) 5(N) 5(N) 5(N) 5(N)

| GEN SCAN TRIG 14-ACS | 5(N) 5(N) 5(N)

| GEN 15-EAP | 5(N)

| GEN 16-L2P | 5(N) ROOT1-ap81xx-71174C#

rfs4000-1BE644#service show ssh-authorized-keys

'extreme@extreme-quadcore'

rfs4000-1BE644#

rfs4000-1BE644#service load-ssh-autorized-keys "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPERY9aTibRYlFMnERTYP2iyylJ00YElxjUElY7Zm9Ky2yeSmg 15UKerJ+IP161Gdm0AoEfXyeheRntK+Z6NWHa341RWJ0UrQMcp7hSEE5jbDpLKJOuEoW22Ag45BZzMV7 EnM7lHowboNsQhSzX5uBBlVViWlBxBqDroX4BcuB/

CFugezHTt95UQ2ZRUfHvePS6jQdOArf1alwk0Slcsz4HNSl5KDutJ4VY+6vRvlf5Gy/

3GNehMwNsmsRKK4UVKV5RpuuKIjkbZE+goPFAKYVPNmZngjaOyDfvNGE7JIwmYlti/

AId6tv2zAbM4qSomWAgUOO0hkXS9m4m74FnHPr extreme@extreme-quadcore"

Successfully added the ssh key rfs4000-1BE644#

rfs4000-1BE644#no service load-ssh-autorized-keys rfs4000-1BE644 Successfully removed the ssh key rfs4000-1BE644#

nx9500-6C8809#service show diag fds Process open fds cfgd 86 nx9500-6C8809#

nx9500-6C8809#service show diag pkts Date: 11-4-2016, Time: 8:41:08.501033, Len: 64, 802.3, Proto: 0x8783, Vlan: 1, Priority: 0, Ingress: ge1, vlan1 Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 53 COMMON COMMANDS Loop reason: Unknown(540) TRUNCATED BB-7C-4D-80-C2-AC > 10-01-00-D2-68-99 at 64 bytes Date: 11-4-2016, Time: 8:41:08.707631, Len: 64, 802.3, Proto: 0x8783, Vlan: 1, Priority: 0, Ingress: ge1, vlan1 Loop reason: Unknown(540) TRUNCATED BB-7C-4D-80-C2-AC > 10-01-00-D2-68-99 at 64 bytes Date: 11-4-2016, Time: 8:41:08.830963, Len: 64, 802.3, Proto: 0x8783, Vlan: 1, Priority: 0, Ingress: ge1, vlan1 Loop reason: Unknown(540) TRUNCATED BB-7C-4D-83-30-A4 > 10-01-00-42-68-99 at 64 bytes

--More--

nx9500-6C8809#

nx9500-6C8809#service clear diag pkts nx9500-6C8809#service show diag pkts nx9500-6C8809#

nx9500-6C8809#service show diag psu PSU1 (upper):

status unplugged PSU2 (lower):

status normal nx9500-6C8809#

The following examples show the purging of users from the guest-registration database:

nx7500-112233#service guest-registration delete ?

all Delete all users email Email address group Group mac MAC address mobile Mobile phone number name Full name offline-for Specify minimum amount of time offline otp-incomplete-for Specify minimum amount of time registration with one-time-passcode incomplete social Social site used to log in wlan Wireless LAN nx7500-112233#

Purges users belonging to a specified RADIUS group. Purges users using social-site (Facebook or Google) credentials to login. nx7500-112233#service guest-registration delete group mac_reg_gr1 delete user status: delete users matching a group will take time, please wait nx7500-112233#

nx7500-112233#service guest-registration delete social facebook delete user status: delete users matching a social category will take time, please wait nx7500-112233#

nx7500-112233#service guest-registration delete offline-for days 5 delete user status: Deleting users offline for minimum 5 days. This will take time, please wait nx7500-112233#

Purges users inactive for a specified time period. Purges users who have failed to complete registration using the one-time-passcode (OTP) within a specified time period. nx7500-112233#service guest-registration delete otp-incomplete-for days 5 Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 54 COMMON COMMANDS delete user status: Deleting registration with one-time-passcode incomplete for minimum 5 days. This will take time, please wait nx7500-112233#

The following example displays IP ACLs to WLAN mapping summary on the TechPubs RF Domain:

nx9500-6C8809#service show ip-access-list wlan TechPubs status Reporting Device: ap7131-99BB7C - success Reporting Device: ap7532-80C2AC - success Reporting Device: ap7562-84A224 - success Reporting Device: nx9500-6C8809 - success Reporting Device: ap8132-74B45C - success Total reporting devices: 5 nx9500-6C8809#

Consider an RF Domain (name guest-domain) with 3 APs adopted to a controller. The CLI output for the service > show > ip-access-list command in this set up varies for different scenarios, as shown in the following examples:

Scenario 1: Executing the command on a device (access point). AP01#service show ip-access-list wlan status Reporting Device: AP01 - fail WLAN: XPO-Guest-PSK use ip-access-list in guest_access_inbound : fail Total reporting devices: 1 AP01#

AP01#service show ip-access-list wlan status detail

==============================================================================

==

Reporting Device: AP01

------------------------------------------------------------------------------

--

WLAN: XPO-Guest-PSK use ip-access-list in guest_access_inbound : fail use ip-access-list out BC-MC-CONTROL : success

------------------------------------------------------------------------------

--

WLAN: PartnerNet use ip-access-list in default : success use ip-access-list out default : success

------------------------------------------------------------------------------

--

Total reporting devices: 1 AP01#

SW01#service show ip-access-list wlan status on guest-domain Reporting Device: AP01 - success Reporting Device: AP02 - success Reporting Device: AP03 - success Total reporting devices: 3 SW01#

Scenario 2: IP ACL to WLAN mapping is successful for all APs in a specified RF Domain. Scenario 3: IP ACL has failed in dataplane due to unknown reasons. SW01#service show ip-access-list wlan status on guest-domain Reporting Device: AP01 - fail WLAN: XPO-Guest-PSK use ip-access-list in guest_access_inbound : fail Reporting Device: AP02 - success Reporting Device: AP03 - success Total reporting devices: 3 SW01#service show ip-access-list wlan status detail on guest-domain

==============================================================================

==

Reporting Device: AP01

------------------------------------------------------------------------------

--

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 55 COMMON COMMANDS WLAN: XPO-Guest-PSK use ip-access-list in guest_access_inbound : fail use ip-access-list out BC-MC-CONTROL : success

------------------------------------------------------------------------------

--

WLAN: PartnerNet use ip-access-list in guest_access_inbound : success use ip-access-list out BC-MC-CONTROL : success

------------------------------------------------------------------------------

--

==============================================================================

==

Reporting Device: AP02

------------------------------------------------------------------------------

--

WLAN: PartnerNet use ip-access-list in guest_access_inbound : success use ip-access-list out BC-MC-CONTROL : success

------------------------------------------------------------------------------

--

==============================================================================

==

Reporting Device: AP03

------------------------------------------------------------------------------

--

WLAN: PartnerNet use ip-access-list in guest_access_inbound : success use ip-access-list out BC-MC-CONTROL : success

------------------------------------------------------------------------------

--

Total reporting devices: 3 SW01#

Scenario 4: AP in RF Domain is unreachable or does not support this functionality. SW01#service show ip-access-list wlan status on guest-domain Reporting Device: AP01 - unreachable Reporting Device: AP02 - success Reporting Device: AP03 - success Total reporting devices: 3 SW01#

SW01#service show ip-access-list wlan status detail on guest-domain

==============================================================================

==

Reporting Device: AP01 Timed out waiting for remote device: xpath=wing-stats/device/00-23-68-0B-86-38/

firewall/ip_acl_intf_status/wlan[mac='*']

==============================================================================

==

Reporting Device: AP02

------------------------------------------------------------------------------

--

WLAN: PartnerNet use ip-access-list in guest_access_inbound : success use ip-access-list out BC-MC-CONTROL : success

------------------------------------------------------------------------------

--

==============================================================================

==

Reporting Device: AP03

------------------------------------------------------------------------------

--

WLAN: PartnerNet Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 56 COMMON COMMANDS use ip-access-list in guest_access_inbound : success use ip-access-list out BC-MC-CONTROL : success

------------------------------------------------------------------------------

--

Total reporting devices: 3 Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 57 COMMON COMMANDS 5.1.8 show Common Commands Displays specified system component settings. There are a number of ways to invoke the show command:

When invoked without any arguments, it displays information about the current context. If the current context contains instances, the show command (usually) displays a list of these instances. When invoked with the display parameter, it displays information about that component. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show <PARAMETERS>

Parameters show <PARAMATERS>

show <PARAMETERS>

The show command displays configuration details based on the configuration mode, in which the command is executed, and the parameters passed. For example, when executed in the AAA policy configuration mode, it displays the logged AAA policys current settings. The example below shows the configuration details that can be viewed in the Priv Executable mode. Example nx9500-6C8809#show ?

adoption Adoption related information bluetooth Bluetooth Configuration/Statistics commands bonjour Bonjour Gateway related commands boot Display boot configuration. captive-portal Captive portal commands captive-portal-page-upload Captive portal internal and advanced page upload cdp Cisco Discovery Protocol classify-url Query the category of an URL clock Display system clock cluster Cluster Protocol cmp-factory-certs Display the CMP certificate status commands Show command lists context Information about current context critical-resources Critical Resources crypto Encryption related commands database Database debug Debugging functions debugging Debugging functions device-upgrade Device Upgrade dot1x 802.1X dpi Deep Packet Inspection eguest Registration EGuest process environmental-sensor Display Environmental Sensor Module status event-history Display event history event-system-policy Display event system policy ex3500 EX3500 device details extdev External device (T5, Ex3500..) file Display filesystem information file-sync File sync between controller and adoptees firewall Wireless Firewall Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 58 COMMON COMMANDS global Global-level information gre Show l2gre tunnel info guest-notification-config Show guest-notification information guest-registration Guest registration commands interface Interface Configuration/Statistics commands ip Internet Protocol (IP) ip-access-list IP ACL ipv6 Internet Protocol version 6 (IPv6) ipv6-access-list IPV6 ACL l2tpv3 L2TPv3 information lacp LACP commands ldap-agent LDAP Agent Configuration licenses Show installed licenses and usage lldp Link Layer Discovery Protocol logging Show logging information mac-access-list MAC ACL mac-address-table Display MAC address table mac-auth MAC authentication mac-auth-clients MAC authenticated clients mint MiNT protocol mirroring Show mirroring sessions nsight Nsight Server Module ntp Network time protocol password-encryption Pasword encryption pppoe-client PPP Over Ethernet client privilege Show current privilege level radius RADIUS statistics commands raid Show RAID status reload Scheduled reload information remote-debug Show details of remote debug sessions rf-domain-manager Show RF Domain Manager selection details role Role based firewall route-maps Display Route Map Statistics rtls RTLS Statistics running-config Current operating configuration session-changes Configuration changes made in this session session-config This session configuration sessions Display sessions site-config-diff Difference between site configuration on the NOC and actual site configuration slot Expansion slots stats smart-rf Smart-RF Management Commands spanning-tree Display spanning tree information startup-config Startup configuration t5 Display T5 inventory information terminal Display terminal configuration parameters timezone The timezone traffic-shape Display traffic shaping upgrade-status Display last image upgrade status version Display software & hardware version virtual-machine Virtual Machine vrrp VRRP protocol web-filter Web filter what Perform global search wireless Wireless commands wwan Display wireless WAN Status nx9500-6C8809#

NOTE: For more information on the show command, see Chapter 6, SHOW COMMANDS. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 59 COMMON COMMANDS 5.1.9 write Common Commands Writes the system running configuration to memory or terminal Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax write [memory|terminal]

Parameters write [memory|terminal]

memory terminal Writes to the non-volatile (NV) memory Writes to the terminal Example nx9500-6C8809>write memory

[OK]

nx9500-6C8809>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 60 6 SHOW COMMANDS Show commands display configuration settings or statistical information. Use this command to view the current running configuration as well as the start-up configuration. The show command also displays the current contexts configuration. This chapter describes the show CLI commands used in the USER EXEC, PRIV EXEC, and GLOBAL CONFIG modes. Commands entered in either USER EXEC mode or PRIV EXEC mode are referred to as EXEC mode commands. If a user or privilege is not specified, the referenced command can be entered in either mode. This chapter also describes the show commands in the GLOBAL CONFIG mode. The commands can be entered in all three modes, except commands like file, IP access list statistics, MAC access list statistics, and upgrade statistics, which cannot be entered in the USER EXEC mode. NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 1 SHOW COMMANDS 6.1 show commands SHOW COMMANDS The following table summarizes show commands:

Table 6.1 Show Commands Description Reference Command show adoption bluetooth boot bonjour captive-portal captive-portal-

page-upload cdp classify-url Displays settings for the specified system component Displays information related to adoption Displays Bluetooth radio statistics for RF Domain member access points Displays a device boot configuration Displays the configured Bonjour services available on local and remote sites Displays WLAN hotspot functions Displays captive portal page related information Displays a Cisco Discovery Protocol (CDP) neighbor table Queries a specified global data center or a pre-configured classification server for the category of a specified URL. Displays the software system clock Displays cluster commands Displays factory installed CMP certificates clock cluster cmp-factory-

certs commands context critical-resources Displays critical resource information crypto Displays encryption mode information database Displays database-related statistics and status device-upgrade Displays device firmware upgradation information for devices adopted Displays command list Displays information about the current context dot1x dpi eguest environmental-

sensor event-history event-system-

policy ex3500 extdev by a wireless controller or access point Displays dot1x information on interfaces Displays statistics for all configured and canned applications Displays EGuest server status and EGuest registration statistics Displays environmental sensors historical data (applicable only to AP8132) Displays event history Displays event system policy configuration information Displays EX3500-related statistical data Displays external device (T5 or EX3500) configuration error history page 6-5 page 6-10 page 6-14 page 6-16 page 6-17 page 6-18 page 6-20 page 6-22 page 6-24 page 6-25 page 6-26 page 6-28 page 6-29 page 6-30 page 6-31 page 6-32 page 6-35 page 6-37 page 6-39 page 6-41 page 6-44 page 6-45 page 6-48 page 6-49 page 6-50 page 6-53 Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 2 SHOW COMMANDS Table 6.1 Show Commands Description Reference page 6-54 page 6-62 page 6-63 page 6-56 page 6-60 Displays file synchronization settings and status on a controller. The file-sync command syncs trustpoint/wireless-bridge certificate between the staging-controller and its adopted access points Displays wireless firewall information Displays global information for network devices based on the parameters passed Displays GRE tunnel related information Displays guest registration statistics based on the option and time entered page 6-71 Displays interface status page 6-75 Displays IP related information page 6-82 Displays IP access list statistics page 6-84 Displays IPv6 related information page 6-88 Displays IPv6 access list statistics page 6-89 Displays Layer 2 Tunnel Protocol Version 3 (L2TPV3) information Displays Link Aggregation Control Protocol (LACP) related information page 6-92 page 6-95 Displays an LDAP agents join status (join status to a LDAP server domain) Displays installed licenses and usage information Displays Link Layer Discovery Protocol (LLDP) information Displays logging information Displays MAC access list statistics Displays MAC address table entries page 6-96 page 6-99 page 6-100 page 6-101 page 6-102 Displays details of wired ports that have MAC address-based authentication enabled mac-auth-clients Displays MAC-authenticated clients based on the parameters passed mint nsight Displays MiNT protocol configuration commands Displays NSight module related statistics and also displays the database server status (reachable or not) Displays Network Time Protocol (NTP) information Displays password encryption status Displays Point to Point Protocol over Ethernet (PPPoE) client information Displays current privilege level information Displays the amount of access time consumed and the access time remaining for all guest users configured on a RADIUS server Displays scheduled reload information page 6-103 page 6-105 page 6-107 page 6-111 page 6-112 page 6-114 page 6-115 page 6-116 page 6-117 page 6-119 Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 3 Command file-sync firewall global gre guest-

registration interface ip ip-access-list ipv6 ipv6-access-list l2tpv3 lacp ldap-agent licenses lldp logging mac-access-list mac-address-

table mac-auth ntp password-

encryption pppoe-client privilege radius reload SHOW COMMANDS Command Table 6.1 Show Commands Description Displays RF Domain manager selection details Displays role-based firewall information Display route map statistics Displays Real Time Location Service (RTLS) statistics of access points Displays configuration file contents rf-domain-

manager role route-maps rtls running-config session-changes Displays configuration changes made in this session session-config sessions site-config-diff Displays a list of currently active open sessions on the device Displays CLI sessions Displays the difference between site configuration available on NOC and the actual site configuration Displays Smart RF management commands Displays spanning tree information Displays complete startup configuration script on the console Displays adopted T5 controller details. This command is applicable only on the RFS4000, RFS6000, NX9500, NX9510, and VX9000. Displays terminal configuration parameters Displays timezone information for the system and managed devices Displays traffic-shaping related configuration details and statistics Displays image upgrade status Displays a devices software and hardware version Displays Virtual Router Redundancy Protocol (VRRP) protocol details Displays pre-configured, in-built Web filter options available. These options are: category (URL category), category-types, filter-level, etc. This command also displays Web filter statistics and status. Displays details of a specified search phrase Displays wireless configuration parameters Displays the wireless WAN status what wireless wwan virtual-machine Displays the virtual-machine (VM) configuration, logs, and statistics raid Displays Redundant Array of Independent Disks (RAID) related information, such as array status, consistency check status, and RAID log. smart-rf spanning-tree startup-config t5 terminal timezone traffic-shape upgrade-status version vrrp web-filter Reference page 6-120 page 6-121 page 6-122 page 6-123 page 6-125 page 6-132 page 6-133 page 6-134 page 6-135 page 6-136 page 6-140 page 6-142 page 6-143 page 6-151 page 6-152 page 6-153 page 6-155 page 6-156 page 6-157 page 6-159 page 6-161 page 6-162 page 6-185 page 6-186 page 6-189 Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 4 SHOW COMMANDS 6.1.1 show show commands The show command displays following information:

A devices current configuration A devices start-up configuration A devices current context configuration, such as profiles and policies Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show <PARAMETERS>

Parameters show <PARAMATERS>

show <PARAMETERS>

The show command displays configuration details based on the configuration mode, in which the command is executed, and the parameters passed. For example, when executed in the AAA policy configuration mode, it displays the logged AAA policys current settings. The examples below show the configuration parameters that can be viewed in the User Executable, Priv Executable, and Global Configurable modes. Example The following examples list the show commands in the User Exec, Priv Exec, and Global Config modes:

GLOBAL CONFIG Mode

<DEVICE>(config)#show ?

adoption Adoption related information bluetooth Bluetooth Configuration/Statistics commands bonjour Bonjour Gateway related commands boot Display boot configuration. captive-portal Captive portal commands captive-portal-page-upload Captive portal internal and advanced page upload cdp Cisco Discovery Protocol classify-url Query the category of an URL clock Display system clock cluster Cluster Protocol cmp-factory-certs Display the CMP certificate status commands Show command lists context Information about current context critical-resources Critical Resources crypto Encryption related commands database Database debug Debugging functions debugging Debugging functions device-upgrade Device Upgrade dot1x 802.1X dpi Deep Packet Inspection eguest ExtremeGuest environmental-sensor Display Environmental Sensor Module status event-history Display event history Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 5 SHOW COMMANDS event-system-policy Display event system policy ex3500 EX3500 device details extdev External device (T5, Ex3500..) file Display filesystem information file-sync File sync between controller and adoptees firewall Wireless Firewall global Global-level information gre Show l2gre tunnel info guest-notification-config Show guest-notification information guest-registration Guest registration commands interface Interface Configuration/Statistics commands ip Internet Protocol (IP) ip-access-list IP ACL ipv6 Internet Protocol version 6 (IPv6) ipv6-access-list IPV6 ACL l2tpv3 L2TPv3 information lacp LACP commands ldap-agent LDAP Agent Configuration licenses Show installed licenses and usage lldp Link Layer Discovery Protocol logging Show logging information mac-access-list MAC ACL mac-address-table Display MAC address table mac-auth MAC authentication mac-auth-clients MAC authenticated clients mint MiNT protocol mirroring Show mirroring sessions nsight Nsight Server Module ntp Network time protocol password-encryption Pasword encryption pppoe-client PPP Over Ethernet client privilege Show current privilege level radius RADIUS statistics commands raid Show RAID status reload Scheduled reload information remote-debug Show details of remote debug sessions rf-domain-manager Show RF Domain Manager selection details role Role based firewall route-maps Display Route Map Statistics rtls RTLS Statistics running-config Current operating configuration session-changes Configuration changes made in this session session-config This session configuration sessions Display sessions site-config-diff Difference between site configuration on the NOC and actual site configuration slot Expansion slots stats smart-rf Smart-RF Management Commands spanning-tree Display spanning tree information startup-config Startup configuration t5 Display T5 inventory information terminal Display terminal configuration parameters timezone The timezone traffic-shape Display traffic shaping upgrade-status Display last image upgrade status version Display software & hardware version virtual-machine Virtual Machine vrrp VRRP protocol web-filter Web filter what Perform global search wireless Wireless commands wwan Display wireless WAN Status

<DEVICE>(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 6 SHOW COMMANDS rfs6000-81742D(config)#show clock 2017-04-06 15:49:10 IST rfs6000-81742D(config)#

PRIVILEGE EXEC Mode

<DEVICE>#show ?

adoption Adoption related information bluetooth Bluetooth Configuration/Statistics commands bonjour Bonjour Gateway related commands boot Display boot configuration. captive-portal Captive portal commands captive-portal-page-upload Captive portal internal and advanced page upload cdp Cisco Discovery Protocol classify-url Query the category of an URL clock Display system clock cluster Cluster Protocol cmp-factory-certs Display the CMP certificate status commands Show command lists context Information about current context critical-resources Critical Resources crypto Encryption related commands database Database debug Debugging functions debugging Debugging functions device-upgrade Device Upgrade dot1x 802.1X dpi Deep Packet Inspection eguest ExtremeGuest environmental-sensor Display Environmental Sensor Module status event-history Display event history event-system-policy Display event system policy ex3500 EX3500 device details extdev External device (T5, Ex3500..) file Display filesystem information file-sync File sync between controller and adoptees firewall Wireless Firewall global Global-level information gre Show l2gre tunnel info guest-notification-config Show guest-notification information guest-registration Guest registration commands interface Interface Configuration/Statistics commands ip Internet Protocol (IP) ip-access-list IP ACL ipv6 Internet Protocol version 6 (IPv6) ipv6-access-list IPV6 ACL l2tpv3 L2TPv3 information lacp LACP commands ldap-agent LDAP Agent Configuration licenses Show installed licenses and usage lldp Link Layer Discovery Protocol logging Show logging information mac-access-list MAC ACL mac-address-table Display MAC address table mac-auth MAC authentication mac-auth-clients MAC authenticated clients mint MiNT protocol mirroring Show mirroring sessions nsight Nsight Server Module ntp Network time protocol password-encryption Pasword encryption pppoe-client PPP Over Ethernet client privilege Show current privilege level radius RADIUS statistics commands raid Show RAID status reload Scheduled reload information remote-debug Show details of remote debug sessions rf-domain-manager Show RF Domain Manager selection details Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 7 SHOW COMMANDS role Role based firewall route-maps Display Route Map Statistics rtls RTLS Statistics running-config Current operating configuration session-changes Configuration changes made in this session session-config This session configuration sessions Display sessions site-config-diff Difference between site configuration on the NOC and actual site configuration slot Expansion slots stats smart-rf Smart-RF Management Commands spanning-tree Display spanning tree information startup-config Startup configuration t5 Display T5 inventory information terminal Display terminal configuration parameters timezone The timezone traffic-shape Display traffic shaping upgrade-status Display last image upgrade status version Display software & hardware version virtual-machine Virtual Machine vrrp VRRP protocol web-filter Web filter what Perform global search wireless Wireless commands wwan Display wireless WAN Status

<DEVICE>#

rfs6000-81742D#show terminal Terminal Type: xterm Length: 24 Width: 80 rfs6000-81742D#

USER EXEC Mode

<DEVICE>>show ?

adoption Adoption related information bluetooth Bluetooth Configuration/Statistics commands bonjour Bonjour Gateway related commands boot Display boot configuration. captive-portal Captive portal commands captive-portal-page-upload Captive portal internal and advanced page upload cdp Cisco Discovery Protocol classify-url Query the category of an URL clock Display system clock cluster Cluster Protocol cmp-factory-certs Display the CMP certificate status commands Show command lists context Information about current context critical-resources Critical Resources crypto Encryption related commands database Database debug Debugging functions debugging Debugging functions device-upgrade Device Upgrade dot1x 802.1X dpi Deep Packet Inspection eguest ExtremeGuest environmental-sensor Display Environmental Sensor Module status event-history Display event history event-system-policy Display event system policy ex3500 EX3500 device details extdev External device (T5, Ex3500..) file-sync File sync between controller and adoptees firewall Wireless Firewall global Global-level information gre Show l2gre tunnel info guest-notification-config Show guest-notification information Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 8 SHOW COMMANDS guest-registration Guest registration commands interface Interface Configuration/Statistics commands ip Internet Protocol (IP) ipv6 Internet Protocol version 6 (IPv6) lacp LACP commands licenses Show installed licenses and usage lldp Link Layer Discovery Protocol logging Show logging information mac-address-table Display MAC address table mac-auth MAC authentication mac-auth-clients MAC authenticated clients mint MiNT protocol mirroring Show mirroring sessions nsight Nsight Server Module ntp Network time protocol password-encryption Pasword encryption pppoe-client PPP Over Ethernet client privilege Show current privilege level radius RADIUS statistics commands raid Show RAID status rf-domain-manager Show RF Domain Manager selection details role Role based firewall route-maps Display Route Map Statistics rtls RTLS Statistics running-config Current operating configuration session-changes Configuration changes made in this session session-config This session configuration sessions Display sessions site-config-diff Difference between site configuration on the NOC and actual site configuration slot Expansion slots stats smart-rf Smart-RF Management Commands spanning-tree Display spanning tree information startup-config Startup configuration t5 Display T5 inventory information terminal Display terminal configuration parameters timezone The timezone traffic-shape Display traffic shaping version Display software & hardware version virtual-machine Virtual Machine vrrp VRRP protocol web-filter Web filter what Perform global search wireless Wireless commands wwan Display wireless WAN Status

<DEVICE>>

nx9500-6C8809(config)#show wireless ap configured

--------------------------------------------------------------------------------

-------

IDX NAME MAC PROFILE RF-DOMAIN ADOPTED-BY

--------------------------------------------------------------------------------

-------

1 ap7532-80C2AC 84-24-8D-80-C2-AC default-ap7532 TechPubs B4-C7-

99-6C-88-09 2 ap8132-711728 B4-C7-99-71-17-28 default-ap81xx TechPubs B4-C7-

99-6D-B5-D4 3 t5-ED7C6C B4-C7-99-ED-7C-6C default-t5 TechPubs B4-C7-

99-6C-88-09 4 rfs4000-880DA7 00-23-68-88-0D-A7 default-rfs4000 TechPubs B4-C7-

99-6C-88-09 5 ap7131-99BB7C 00-23-68-99-BB-7C default-ap71xx TechPubs B4-C7-

99-6C-88-09

--More--

nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 9 SHOW COMMANDS 6.1.2 adoption show commands Displays adoption related information, and is common to the User Exec, Priv Exec, and Global Config modes. In an hierarchically managed (HM) network devices are deployed in two levels. The first level consists of the Network Operations Center (NOC) controllers. The second level consists of the site controllers. that can be grouped to form clusters. The NOC controllers adopt and manage the site controllers. Access points within the network are adopted and managed by the site controllers. Use this command to confirm if a device is an adoptee or an adopter. This command also allows you to determine the devices adopted by an adopter device. NOTE: A NOC controllers capacity is equal to or higher than a site controllers capacity. The following devices can be deployed at NOC and sites:

NOC controller RFS6000, NX65XX, NX9500, NX9510, or NX9600. Site controller RFS6000 or RFS4000. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show adoption [config-errors|controllers|history|info|log|offline|pending|status|

timeline]

show adoption offline show adoption config-errors <DEVICE-NAME>

show adoption log [adoptee|adopter {<MAC>}] {on <DEVICE-NAME>}

show adoption [controllers {include-ipv6}|history|info|pending|status {summary}|

timeline] {on <DEVICE-NAME>}

Parameters show adoption offline adoption offline Displays adoption related information. It also displays configuration errors. Displays non-adopted status of the logged device and its adopted access points show adoption config-errors <DEVICE-NAME>

adoption config-errors

<DEVICE-NAME>

Displays adoption related information. It also displays configuration errors. Displays configuration errors for a specified adopted device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show adoption log [adoptee|adopter {<MAC>}] {on <DEVICE-NAME>}

adoption Displays adoption related information. It also displays configuration errors. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 10 log [adoptee|

adopter {MAC}]

{on <DEVICE-NAME>}

SHOW COMMANDS Displays adoption logs, for the specified device. If no device name is specified, the system displays logs for the logged device. adoptee Displays adoption logs for adoptee devices (APs, wireless controllers, and service platforms). To view logs for a specified adoptee, specify the devices name. If no device name is specified, the system displays logs for the logged device. If the logged device is not an adoptee, the system states that the device is a controller. For example, 2013-01-19 22:00:13:MLCP_TAG_CLUSTER_MASTER not present and this device is a controller. Ignoring on <DEVICE-NAME> Optional. Displays adoptee status and details for the device identified by the <DEVICE-NAME> keyword

<DEVICE-NAME> Specify the devices name. adopter Displays adoption logs for adopter devices (APs, wireless controllers, and service platforms). To view logs for a specified adopter, specify the devices name. If no device name is specified, the system displays logs for the logged device.

<MAC> Optional. Filters adopters by the adoptee devices MAC address. Specify the adoptee devices MAC address. The system displays logs for the device that has adopted the device identified by the <MAC> keyword. on <DEVICE-NAME> Optional. Displays adopter status and details for the device identified by the <DEVICE-NAME> keyword.

<DEVICE-NAME> Specify the adopter devices name. A wireless controller or service platform cannot be configured as an adoptee and an adopter simultaneously. In other words, an adopted wireless controller or service platform cannot be configured to adopt another device and vice versa. show adoption [history|controllers {include-ipv6}|info|pending|status

{summary}|timeline] {on <DEVICE-NAME>}

adoption controllers

{include-ipv6}

history info pending status {summary}

timeline on <DEVICE-NAME>

Displays adoption related information. It also displays configuration errors. Displays information about adopted controllers. This is applicable in a Hierarchically managed network, where site controllers are adopted by the NOC controllers. include-ipv6 Optional. Displays the controllers IPv6 address, if assigned, in the output Displays adoption history of the logged device and its adopted access points Displays adopted device information Displays information for devices pending adoption Displays adoption status for the logged device. When executed without using the on

<DEVICE-NAME> parameter, this command displays detailed information of all devices adopted by the device on which the command is executed. summary Optional. Displays a summary of all devices adopted by the logged device. Displays the logged devices adoption timeline. It also shows the adoption time for logged devices adopted APs. To view the adoption timeline of a specific device, use the on <device-name> option to specify the device. The following keywords are common to all of the above parameters:

on <DEVICE-NAME> Optional. Displays a devices adoption information, based on the parameter passed.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 11 SHOW COMMANDS Usage Guidelines In a devices Global Config mode, use the customize > show-adoption-status command to customize the show > adoption > status command output. The following columns can be added to the output:

nx9500-6C8809(config)#customize show-adoption-status ?

adopted-by Device name to which the AP is adopted ap-name Host-name of the adopted AP cdp-lldp-info Cdp/lldp info of the Adopted AP config-status Configuration status of the adopted AP last-adoption Last known adoption time msgs Messages status uptime Uptime of the adopted AP version Current version of the adopted AP nx9500-6C8809(config)#

For more information on the customise command, see customize. Example The following example displays details of the:

device to which the logged device (rfs6000-81742D) is adopted, and devices adopted (ap7532-A2A4B0, ap7532-80C2AC, ap7562-84A224, etc.) by the logged device. rfs6000-81742D(config)#show adoption status Adopted by:

Type : nx9000 System Name : nx9500-6C8809 MAC address : B4-C7-99-6C-88-09 MiNT address : 19.6C.88.09 Time : 7 days 01:02:34 ago Adopted Devices:

--------------------------------------------------------------------------------

-------------------------------

DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-

ADOPTION UPTIME

--------------------------------------------------------------------------------

-------------------------------

ap7532-A2A4B0 5.9.1.0-012D configured No rfs6000-81742D 0 days 23:42:11 0 days 23:46:12 Snap004...ssPoint 5.9.1.0-012D configured No rfs6000-81742D 1 days 00:25:33 1 days 02:30:57 ap7532-80C2AC 5.9.1.0-012D error Yes rfs6000-81742D 1 days 00:10:00 1 days 00:11:40 ap7562-84A224 5.9.1.0-012D configured No rfs6000-81742D 1 days 00:23:12 1 days 02:13:48

-More--

rfs6000-81742D(config)#

nx9500-6C8809#show adoption info

--------------------------------------------------------------------------------

--------------------

HOST-NAME MAC TYPE MODEL SERIAL-NUMBER

--------------------------------------------------------------------------------

--------------------

rfs6000-81742D 00-15-70-81-74-2D rfs6000 RFS-6010-1000-WR 7295520400121 t5-ED7C6C B4-C7-99-ED-7C-6C t5 TS-0524-WR 14213522400004

--------------------------------------------------------------------------------

--------------------

Total number of devices displayed: 2 nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 12 SHOW COMMANDS nx9500-6C8809#show adoption status

--------------------------------------------------------------------------------

-------------------------------

DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-

ADOPTION UPTIME

--------------------------------------------------------------------------------

-------------------------------

rfs6000-81742D 5.9.1.0-012D configured No nx9500-6C8809 7 days 01:06:02 7 days 01:08:45 t5-ED7C6C 5.4.2.0-010R configured No nx9500-6C8809 7 days 01:22:09 114 days 04:37:10

--------------------------------------------------------------------------------

--------------------------------

Total number of devices displayed: 2 nx9500-6C8809#

nx9500-6C8809#show adoption offline

-----------------------------------------

MAC HOST-NAME TYPE RF-DOMAIN TIME OFFLINE CONNECTED-TO

--------------------------------------------------------------------------------

-------

00-23-68-11-E6-C4 ap71xx-11E6C4 ap71xx TechPubs unknown None 00-23-68-9C-63-D4 ap7131-9C63D4 ap71xx default unknown None 5C-0E-8B-A6-57-80 ap650-A65780 ap650 default unknown None 5C-0E-8B-A6-ED-14 ap650-A6ED14 ap650 default unknown None 84-24-8D-16-01-C4 ap7532-1601C4 ap7532 default unknown None B4-C7-99-4B-F3-64 ap7131-4BF364 ap71xx default unknown None

--------------------------------------------------------------------------------

-------

Total number of devices displayed: 6 nx9500-6C8809#

rfs6000-81742D#show adoption log adoptee on ap7532-80C2AC 2017-04-05 10:19:56:Received OK from cfgd, adoption complete to 70.81.74.2D 2017-04-05 10:19:56:Waiting for cfgd OK, adopter should be 70.81.74.2D 2017-04-05 10:19:56:Adoption state change: 'Connecting to adopter' to 'Waiting for Adoption OK'

2017-04-05 10:19:56:Adoption state change: 'Adoption failed' to 'Connecting to adopter'

2017-04-05 10:19:56:Try to adopt to 70.81.74.2D (cluster master 70.81.74.2D in adopters) 2017-04-05 10:19:27:Ignoring MLCP Offer, vlan_state MLCP_DONE != MLCP_DISCOVERING

/ MLCP_STP_WAITING

--More--

rfs6000-81742D#

nx9500-6C8809#show adoption controllers include-ipv6

--------------------------------------------------------------------------------

--------------------------------------------------

NAME RF-DOMAIN MAC MINT-ID IP IPV6 ADOPTED-BY

--------------------------------------------------------------------------------

--------------------------------------------------

rfs6000-81742D TechPubs 00-15-70-81-74-2D 70.81.74.2D 192.168.13.24 :: nx9500-6C8809

--------------------------------------------------------------------------------

--------------------------------------------------

Total number of devices displayed: 1 nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 13 SHOW COMMANDS 6.1.3 bluetooth show commands Displays Bluetooth radio statistics for RF Domain member access points AP8432 and AP8533 model access points utilize a built-in Bluetooth chip for specific Bluetooth functional behaviors in a WiNG managed network. AP8432 and AP8533 models support both Bluetooth classic and Bluetooth low energy (BLE) technology. These platforms use their Bluetooth classic enabled radio to sense other Bluetooth enabled devices and report device data (MAC address, RSSI and device calls) to an ADSP server for intrusion detection. If the device presence varies in an unexpected manner, ADSP can raise an alarm. NOTE: AP8132 model access points support an external USB Bluetooth radio providing ADSP Bluetooth classic sensing functionality only, not the BLE beaconing functionality available for AP8432 and AP8533 model access points described in this section. AP8432 and AP8533 model access points support Bluetooth beaconing to emit either iBeacon or Eddystone-URL beacons. The access points Bluetooth radio sends non-connectable, undirected low-energy

(LE) advertisement packets periodically. These advertisement packets are short and sent on Bluetooth advertising channels that conform to already-established iBeacon and Eddystone-URL standards. Supported in the following platforms:

Access Points AP8432, AP8533 Syntax show bluetooth radio {detail|on}

show bluetooth radio {detail {<DEVICE-NAME> <1-1>|filter bluetooth-radio-mac <BT-

RADIO-MAC>}} {(on <DEVICE-OR-DOMAIN-NAME>)}

Parameters show bluetooth radio {detail {<DEVICE-NAME> <1-1>|filter bluetooth-radio-mac

<BT-RADIO-MAC>}} {(on <DEVICE-OR-DOMAIN-NAME>)}

bluetooth radio detail

<DEVICE-NAME> <1-

1>

Displays Bluetooth radio utilization statistics based on the parameters passed Optional. Displays detailed Bluetooth radio utilization statistics. Optionally, to view detailed information for a specific access points Bluetooth radio, specify the access points and the radios MAC addresses.

<DEVICE-NAME> <1-1> Optional. Specify the access points hostname or MAC address.

<1-1> Specify the bluetooth radio interface index number from 1 - 1. As of now only one Bluetooth radio interface is supported. The Interface index number is appended to the APs hostname or MAC address in the following format: ap8533-06FBE1:B1 OR 74-67-F7-06-FB-E1:B1 The following information is displayed:

access points hostname as its network identifier access points alias. If an alias has been defined for the access point its listed here. The alias value is expressed in the form of

<hostname>:B<Bluetooth_radio_number>. If the access point has a administrator assigned hostname, it is used in place of the access points default hostname. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 14 contd.. access points factory encoded MAC address access point and bluetooth radios administrator assigned area of deployment (the SHOW COMMANDS filter bluetooth-radio-

mac

<BT-RADIO-MAC>

on <DEVICE-OR-

DOMAIN-NAME>

APs geographical location) bluetooth radios state (on/off) bluetooth radios reason for inactivity (in case the radio is off) bluetooth radios factory encoded MAC address serving as this devices hardware identifier on the network bluetooth radios functional mode: bt-sensor or le-beacon bluetooth radios beacon period bluetooth radios beacon type descriptive text on any error thats preventing the Bluetooth radio from operating Optional. Specifies additional filters to get table values. Filters data based on the Bluetooth radios MAC address.

<BT-RADIO-MAC> Specify the Bluetooth radios MAC address. The system only displays statistics related to the specified Bluetooth radio. The following keywords are recursive and common to all of the above. on <DEVICE-OR-DOMAIN-NAME> Optional. Displays Bluetooth radio statistics on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the device or RF Domain. If the device name is explicitly given, the results display data for the specified AP only. If the RF Domain is explicitly given, the results display data for all APs within the spec-

ified RF Domain. If no device/RF Domain is specified, the results include data for all Bluetooth radios within the controllers RF Domain. If the controller is in the on rf-domain all mode, the results include data for all Bluetooth radios for all APs in each domain known to the controller. Example nx9500-6C8809(config)#show bluetooth radio on ap8533-06F808

-----------------------------------------------------------------------------

BLUETOOTH RADIO RADIO MAC MODES STATE

-----------------------------------------------------------------------------

ap8533-06F808:B1 74-67-F7-08-A3-B0 BLE-Beacon On

-----------------------------------------------------------------------------

Total number of Bluetooth radios displayed: 0 nx9500-6C8809(config)#

nx9500-6C8809(config)#show bluetooth radio detail 74-67-F7-06-F8-08 1 Radio: 74-67-F7-06-F8-08:B1, alias ap8533-06F808:B1 STATE : Off [shutdown in cfg]

PHY INFO : MAC: 74-67-F7-08-A3-B0 ACCESS POINT : Name: ap8533-06F808 Location: default Placement: Indoor ENABLED MODES : BLE-Beacon BEACON TYPES : Eddystone-URL BEACON PERIOD : 1000ms Last error :

nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 15 SHOW COMMANDS 6.1.4 boot show commands Displays a devices boot configuration. Use this command to view the primary and secondary image details, such as Build Date, Install Date, and Version. This command also displays the current boot and next boot information. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show boot {on <DEVICE-NAME>}

Parameters show boot {on <DEVICE-NAME>}

boot Displays primary and secondary image boot configuration details (build date, install date, version, and the image used to boot the current session) on <DEVICE-NAME> Optional. Displays a specified devices boot configuration

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Note: Use the on <DEVICE-NAME> option to view a remote devices boot configuration. Example nx9500-6C8809#show boot

--------------------------------------------------------------------------------

IMAGE BUILD DATE INSTALL DATE VERSION

--------------------------------------------------------------------------------

Primary 05/31/2017 22:24:22 06/02/2017 14:22:51 5.9.0.0-029R Secondary 05/27/2017 01:00:26 05/30/2017 10:35:55 5.9.0.0-028B

--------------------------------------------------------------------------------

Current Boot : Primary Next Boot : Primary Software Fallback : Enabled VM support : Not present nx9500-6C8809#

nx9500-6C8809#show boot on TechPubs/rfs6000-6DB5D4

--------------------------------------------------------------------------------

IMAGE BUILD DATE INSTALL DATE VERSION

--------------------------------------------------------------------------------

Primary 05/31/2017 22:24:22 06/02/2017 14:22:51 5.9.0.0-029R Secondary 05/27/2017 01:00:26 05/30/2017 10:35:55 5.9.0.0-028B

--------------------------------------------------------------------------------

Current Boot : Primary Next Boot : Primary Software Fallback : Enabled VM support : Not present nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 16 SHOW COMMANDS 6.1.5 bonjour show commands Displays the configured Bonjour services available on local and remote sites Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show bonjour services {on <DEVICE-NAME>}

Parameters show bonjour services {on <DEVICE-NAME>}

bonjour services on <DEVICE-NAME> Optional. Displays Bonjour services available on a specified device Displays the configured Bonjour services available on local and remote sites

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example rfs6000-81742D#show bonjour services on ap7131-11E6C4

--------------------------------------------------------------------------------

----------------------------------------------------------------------

SERVICE_NAME INSTANCE_NAME IP:PORT VLAN-ID VLAN_TYPE EXPIRY

--------------------------------------------------------------------------------

----------------------------------------------------------------------

_pdl-datastream._tcp.local Brother MFC-8510DN._pdl-datastream._tcp.local 172.110.0.146:9100 110 Local Tue Sep 12 02:07:44 2017 _universal._sub._ipp._tcp.local Brother MFC-8510DN._ipp._tcp.local 172.110.0.146:631 110 Local Tue Sep 12 02:36:13 2017 _ipp._tcp.local Brother MFC-8510DN._ipp._tcp.local 172.110.0.146:631 110 Local Tue Sep 12 02:36:13 2017

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

--------------

rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 17 SHOW COMMANDS 6.1.6 captive-portal show commands Displays WLAN captive portal information. Use this command to view a configured captive portals client information. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show captive-portal sessions {include-ipv6|on <DEVICE-OR-DOMAIN-NAME>|

statistics} {(filter [captive-portal [<CAPTIVE-PORTAL>|not <CAPTIVE-PORTAL>]|

ip [<IPv4>|not <IPv4>]|ipv6 [<IPv6>|not <IPv6>]|state [pending|success|not

[pending|success]|vlan [<VLAN-ID>|not <VLAN-ID>]|wlan [<WLAN-NAME>|not <WLAN-

NAME>]])}

Parameters show captive-portal sessions {include-ipv6|on <DEVICE-OR-DOMAIN-NAME>|

statistics} {(filter [captive-portal [<CAPTIVE-PORTAL>|not <CAPTIVE-PORTAL>]|ip

[<IPv4>|not <IPv4>]|ipv6 [<IPv6>|not <IPv6>]|state [pending|success|not

[pending|success]|vlan [<VLAN-ID>|not <VLAN-ID>]|wlan [<WLAN-NAME>|not <WLAN-

NAME>]])}

captive-portal sessions include-ipv6 statistics on <DEVICE-OR-

DOMAIN-NAME>

filter captive-portal

[<CAPTIVE-PORTAL>|

not <CAPTIVE-

PORTAL>]

Displays active captive portal client session details Optional. Includes IPv6 address (if known) of captive portal clients By default the system only displays IPv4 addresses. The include-ipv6 parameter includes IPv6 address (if known) of each client. Optional. Displays statistical information regarding client sessions Optional. Displays active captive portal session details on a specified device or RF Domain.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. This parameter is recursive and can be used with any of the above parameters to define additional filters. Optional. Defines additional filters. Use one of the following options: captive-portal, ip, ipv6, state, vlan, or wlan. Optional. Displays captive portal client and client session information, based on the captive portal name passed

<CAPTIVE-PORTAL> Specify the captive portal name. Displays client details for the specified captive portal. not <CAPTIVE-PORTAL> Inverts the match selection. Displays client details for all captive portals other than the specified captive portal. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 18 SHOW COMMANDS ip [<IPv4>|not

<IPv4>]

Optional. Displays captive portal client/client sessions information, based on the IPv4 address passed

<IPv4> Specify the clients IPv4 address. Displays information of the client identified ipv6 [<IPv6>|not

<IPv6>]

state

[pending|success|

not

[pending|success]]

vlan [<VLAN-ID>|

not <VLAN-ID>]

by the <IPv4> parameter not <IPv4> Inverts the match selection. Displays client details for all clients other than the one identified by the <IPv4> parameter. This filter option is available only for the include-ipv6 keyword. Optional. Displays captive portal client/client sessions information, based on the IPv6 address passed

<IPv6> Specify the clients IPv6 address. Displays information of the client identified by the <IPv6> parameter not <IPv6> Inverts the match selection. Displays client details for all clients other than the one identified by the <IPv6> parameter. Optional. Filters clients/client sessions based on the clients authentication state pending Displays information of clients redirected for authentication success Displays information of successfully authenticated clients not [pending|success] Inverts match selection pending Displays information of successfully authenticated clients (opposite of pending authentication) success Displays information of clients redirected for authentication (opposite of successful authentication) Optional. Displays captive portal client/client sessions information based on the VLAN ID passed

<VLAN-ID> Specify the VLAN ID. Displays client details for the specified VLAN. not <VLAN-ID> Inverts match selection. Displays client details for all VLANs other than the one identified by the <VLAN-ID> parameter. wlan [<WLAN-

NAME>|

not <WLAN-NAME>]

Optional. Displays captive portal client/client sessions information based on the WLAN name passed

<WLAN-NAME> Specify the WLAN name. Displays client details for the specified WLAN. not <WLAN-NAME> Inverts match selection. Displays client details for all WLANs other than the one identified by the <WLAN-NAME> parameter. Example rfs4000-229D58#show captive-portal sessions

================================================================================

=======

CLIENT IPv4 CAPTIVE-PORTAL WLAN/PORT VLAN STATE SESSION TIME

--------------------------------------------------------------------------------

-------

00-26-55-F4-5F-79 192.168.3.99 cappo rfs4000-229D58:ge2 400 Success 23:58:35

================================================================================

=======

Total number of captive portal sessions displayed: 1 rfs4000-229D58#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 19 SHOW COMMANDS 6.1.7 captive-portal-page-upload show commands Displays captive portal page information, such as upload history, upload status, and page file download status Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show captive-portal-page-upload [history|list-files|load-image-status|status]

show captive-portal-page-upload load-image-status show captive-portal-page-upload history {on <RF-DOMAIN-NAME>}

show captive-portal-page-upload status {on [<RF-DOMAIN-NAME>|<RF-DOMAIN-

MANAGER>]}

show captive-portal-page-upload list-files <CAPTIVE-PORTAL-NAME>

Parameters show captive-portal-page-upload load-image-status load-image-status Displays captive portal advanced page file download status on the logged device show captive-portal-page-upload history {on <RF-DOMAIN-NAME>}

history

{on <RF-DOMAIN-

NAME>}

Displays captive portal page upload history on <RF-DOMAIN-NAME> Optional. Displays captive portal page upload history within a specified RF Domain. Specify the RF Domain name. show captive-portal-page-upload status {on [<RF-DOMAIN-NAME>|<RF-DOMAIN-

MANAGER>]}

status

{on <RF-DOMAIN-

NAME>|

on <RF-DOMAIN-

MANAGER>}

Displays captive portal page upload status on <RF-DOMAIN-NAME> Optional. Displays captive portal page upload status within a specified RF Domain. Specify the RF Domain name. on <RF-DOMAIN-MANAGER> Optional. Displays captive portal page upload status for a specified RF Domain Manager. Specify the RF Domain Manager name. show captive-portal-page-upload list-files <CAPTIVE-PORTAL-NAME>

list-files

<CAPTIVE-PORTAL-

NAME>

Displays a list of all captive portal Web page files, of a specified captive portal, uploaded (internal and advanced page files)

<CAPTIVE-PORTAL-NAME> Specify the captive portal name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 20 SHOW COMMANDS Example nx7500-7F2C13#captive-portal-page-upload CP-BW all

--------------------------------------------------------------------------------

CONTROLLER STATUS MESSAGE

--------------------------------------------------------------------------------

84-24-8D-7F-2C-13 Success Added 1 APs to upload queue

--------------------------------------------------------------------------------

nx7500-7F2C13#

nx7500-7F2C13#show captive-portal-page-upload load-file-status Download of CP-BW page file is complete nx7500-7F2C13#

nx7500-7F2C13#show captive-portal-page-upload list-files CP-BW

--------------------------------------------------------------------------------

NAME SIZE LAST MODIFIED

--------------------------------------------------------------------------------

CP-BW-1.tar.gz 6133 2016-05-16 10:38:40 CP-BW.tar.gz 3370 2016-05-16 10:45:44

--------------------------------------------------------------------------------

nx7500-7F2C13#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 21 SHOW COMMANDS 6.1.8 cdp show commands Displays the Cisco Discovery Protocol (CDP) neighbor table Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show cdp [neighbors|report] {detail {on <DEVICE-NAME>}|on <DEVICE-NAME>}

Parameters show cdp [neighbors|report] {detail {on <DEVICE-NAME>}|on <DEVICE-NAME>}

cdp [neighbors|report] Displays CDP neighbors table or aggregated CDP neighbors table detail

{on <DEVICE-NAME>}

Optional. Displays detailed CDP neighbors table or aggregated CDP neighbors table on <DEVICE-NAME> Optional. Displays table details on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. on <DEVICE-NAME>

Optional. Displays table details on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service Example platform. The following example shows detailed CDP neighbors table:

nx9500-6C8809#show cdp neighbors detail

-------------------------

Device ID: ap8132-74B45C Entry address(es):

IP Address: 192.168.13.26 Platform: AP-8132-66040-WR, Capabilities: Router Switch Interface: ge1, Port ID (outgoing port): ge1 Hold Time: 165 sec advertisement version: 2 Native VLAN: 1 Duplex: full Version :

5.8.6.0-008B

-------------------------

Device ID: ap7532-80C2AC Entry address(es):

IP Address: 192.168.13.28 Platform: AP-7532-67040-WR, Capabilities: Router Switch Interface: ge1, Port ID (outgoing port): ge1 Hold Time: 169 sec

--More--

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 22 SHOW COMMANDS The following example shows a non-detailed CDP neighbors table:

rfs6000-81742D#show cdp neighbors

--------------------------------------------------------------------------------

Device ID Platform Local Interface Port ID Duplex

--------------------------------------------------------------------------------

nx9500-6C8809 NX-9500-100R0-WR ge2 ge1 full rfs6000-81742D RFS-6010-1000-WR ge2 ge1 full rfs4000-880DA7 RFS-4011-11110-US ge2 ge1 full ap6521-42936C AP-6521E-60020-WR ge2 ge1 full

--------------------------------------------------------------------------------

rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 23 SHOW COMMANDS 6.1.9 classify-url show commands Displays a specified URLs category. Use this command to query the category of a specific URL. The query is sent to a configured classification server. This option is available only if a valid URL filter license is available. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show classify-url [<URL-TO-QUERY>|datacenter <URL-TO-QUERY>]

Parameters show classify-url [<URL-TO-QUERY>|datacenter <URL-TO-QUERY>]

classify-url

<URL-TO-QUERY>

datacenter

<URL-TO-QUERY>

Queries the category of a specified URL Specify the URL to query. The query is sent to the configured classification server. The query is sent to a global classification datacenter

<URL-TO-QUERY> Specify the URL to query. Example nx9500-6C8809#show classify-url www.google.com Categories: search-engines-portals, Custom Categories:

nx9500-6C8809#

nx9500-6C8809#show classify-url www.ndtv.com Categories: news, Custom Categories: list1, nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 24 SHOW COMMANDS 6.1.10 clock show commands Displays a selected systems clock Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show clock {on <DEVICE-NAME>}

Parameters show clock {on <DEVICE-NAME>}

clock on <DEVICE-NAME>

Displays a systems clock Optional. Displays system clock on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. Example rfs6000-81742D#show clock 2017-04-06 15:50:42 IST rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 25 SHOW COMMANDS 6.1.11 cluster show commands Displays cluster information (cluster configuration parameters, members, status, etc.) Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show cluster [configuration|history|members|status]

show cluster [configuration|history {on <DEVICE-NAME>}|members {detail}|status]

Parameters show cluster [configuration|members {detail}|status]

cluster configuration history on <DEVICE-

NAME>

Displays cluster information Displays cluster configuration details Displays cluster history status

<DEVICE-NAME> Optional. Specify the controller or access point name. If the device members {detail}

status Example name is not specified, the system displays all cluster history. Displays cluster members configured on the logged device detail Optional. Displays detailed information of known cluster members Displays cluster status rfs6000-380649(config)#show cluster configuration Cluster Configuration Information Name : SiteConRFS6k Configured Mode : Active Master Priority : 128 Force configured state : Disabled Force configured state delay : 5 minutes Handle STP : Disabled Radius Counter DB Sync Time : 5 minutes rfs6000-380649(config)#

rfs6000-380649(config)#show cluster members detail

--------------------------------------------------------------------------------

-------

ID MAC MODE AP COUNT AAP COUNT AP LICENSE AAP LICENSE VERSION

--------------------------------------------------------------------------------

-------

70.38.06.49 00-15-70-38-06-49 Active 0 1 0 0 5.8.6.0-008B 70.81.74.2D 00-15-70-81-74-2D Active 0 0 1 0 5.8.6.0-008B

--------------------------------------------------------------------------------

-------

rfs6000-380649(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 26 SHOW COMMANDS rfs6000-380649(config)#show cluster status Cluster Runtime Information Protocol version : 1 Cluster operational state : active AP license : 1 AAP license : 0 AP count : 0 AAP count : 1 Max AP adoption capacity : 256 Number of connected member(s): 1 rfs6000-380649(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 27 SHOW COMMANDS 6.1.12 cmp-factory-certs show commands Displays factory installed CMP certificates Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show cmp-factory-certs {all}

Parameters show cmp-factory-certs {all}

cmp-factory-certs

{all}

Displays factory installed CMP certificates on the logged device. Optionally use the all keyword to view certificate details. Example nx9500-6C8809>show cmp-factory-certs No CMP factory certificate exist nx9500-6C8809>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 28 SHOW COMMANDS 6.1.13 commands show commands Displays commands available for the current mode Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show commands Parameters None Example rfs4000-880DA7(config)#show commands help help search WORD (|detailed|only-show|skip-show|skip-no) show commands show adoption log adoptee(|on DEVICE-NAME) show adoption log adopter (|mac AA-BB-CC-DD-EE-FF)(|on DEVICE-NAME) show adoption info (|on DEVICE-NAME) show adoption status (|on DEVICE-NAME) show adoption status summary (|on DEVICE-NAME) show adoption config-errors DEVICE-NAME show adoption offline show adoption pending (|on DEVICE-NAME) show adoption history (|on DEVICE-NAME) show adoption timeline (|on DEVICE-NAME) show adoption controllers (|on DEVICE-NAME) show adoption controllers include-ipv6(|on DEVICE-NAME) show debugging (|on DEVICE-OR-DOMAIN-NAME) show debugging cfgd(|on DEVICE-NAME) show debugging fib(|on DEVICE-NAME) show debugging adoption (|on DEVICE-OR-DOMAIN-NAME) show debugging wireless (|on DEVICE-OR-DOMAIN-NAME) show debugging snmp (|on DEVICE-NAME) show debugging ssm (|on DEVICE-NAME) show debugging voice (|on DEVICE-OR-DOMAIN-NAME)

--More--

rfs4000-880DA7(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 29 SHOW COMMANDS 6.1.14 context show commands Displays the current context details Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, NX7500, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show context {include-factory|session-config {include-factory}}

Parameters show context {include-factory|session-config {include-factory}}

include-factory session-config

{include-factory}

Optional. Includes factory defaults Optional. Displays running system information in the current context include-factory Optional. Includes factory defaults Example rfs4000-880DA7(config)#show context

!

! Configuration of RFS4000 version 5.9.1.0-015D

!

!

version 2.5

!

!

client-identity-group default load default-fingerprints

!

ip snmp-access-list default permit any

!

firewall-policy default no ip dos tcp-sequence-past-window

!

!

mint-policy global-default

!

radio-qos-policy default

!

auto-provisioning-policy 4K

!

--More--

rfs4000-880DA7(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 30 SHOW COMMANDS 6.1.15 critical-resources show commands Displays critical resource information. Critical resources are resources vital to the network. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show critical-resources {on <DEVICE-NAME>}

Parameters critical-resources on <DEVICE-NAME>

show critical-resources {on <DEVICE-NAME>}

Displays critical resources information Optional. Displays critical resource information on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example rfs4000-229D58(config)#show critical-resources

--------------------------------------------------------------------------

CRITICAL RESOURCE IP VLAN PING-MODE STATE

--------------------------------------------------------------------------

172.168.1.103 1 arp-icmp up

--------------------------------------------------------------------------

rfs4000-229D58(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 31 SHOW COMMANDS 6.1.16 crypto show commands Displays encryption mode information Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show crypto [cmp|ike|ipsec|key|pki]

show crypto cmp request status show crypto ike sa {detail|on|peer|version}

show crypto ike sa {detail|peer <IP>} {on <DEVICE-NAME>}

show crypto ike sa {version [1|2]} {peer <IP>} {(on <DEVICE-NAME>)}

show crypto ipsec sa {detail|on|peer}

show crypto ipsec sa {detail} {on <DEVICE-NAME>}

show crypto ipsec sa {peer <IP>} {detail} {(on <DEVICE-NAME>)}

show crypto key rsa {on|public-key-detail}

show crypto key rsa {public-key-detail} {(on <DEVICE-NAME>)}

show crypto pki trustpoints {<TRUSTPOINT-NAME>|all|on}

show crypto pki trustpoints {<TRUSTPOINT-NAME>|all} {(on <DEVICE-NAME>)}

Parameters show crypto cmp request status crypto cmp request status Displays current status of in-progress certificate management protocol (CMP) requests For more information, see CRYPTO-CMP-POLICY. show crypto ike sa {detail|peer <IP>} {on <DEVICE-NAME>}

crypto ike sa detail peer <IP>

on <DEVICE-NAME>

Displays Internet Key Exchange (IKE) security association (SA) statistics Displays detailed IKE SA statistics Optional. Displays IKE SA statistics for a specified peer

<IP> Specify the peers IP address in the A.B.C.D format Optional. Displays IKE SA statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 32 SHOW COMMANDS show crypto ike sa {version [1|2]} {peer <IP>} {(on <DEVICE-NAME>)}

crypto ike sa version [1|2]

peer <IP>

on <DEVICE-NAME>

Displays IKE SA details Optional. Displays IKE SA version statistics 1 Displays IKEv1 statistics 2 Displays IKEv2 statistics Optional. Displays IKE SA version statistics for a specified peer

<IP> Specify the peers IP address in the A.B.C.D format The following keyword is recursive and common to the peer ip parameter:

on <DEVICE-NAME> Optional. Displays IKE SA statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show crypto ipsec sa {detail} {on <DEVICE-NAME>}

crypto ipsec sa detail on <DEVICE-NAME>

Displays Internet Protocol Security (IPSec) SA statistics. The IPSec encryption authenticates and encrypts each IP packet in a communication session Optional. Displays detailed IPSec SA statistics Optional. Displays IPSec SAs on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show crypto sa {peer <IP>} {detail} {(on <DEVICE-NAME>)}

crypto ipsec sa peer <IP> detail on <DEVICE-NAME>

Displays IPSec SA statistics. The IPSec encryption authenticates and encrypts each IP packet in a communication session Optional. Displays IPSec SA statistics for a specified peer

<IP> Specify the peers IP address in the A.B.C.D format. detail Displays detailed IPSec SA statistics for the specified peer The following keyword is recursive:

on <DEVICE-NAME> Optional. Displays IPSec SAs on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show crypto key rsa {public-key-detail} {(on <DEVICE-NAME>)}

crypto key rsa public-key-detail on <DEVICE-NAME>

Displays RSA public keys Optional. Displays public key in the Privacy-Enhanced Mail (PEM) format The following keyword is recursive:

on <DEVICE-NAME> Optional. Displays public key on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show crypto pki trustpoints {<TRUSTPOINT-NAME>|all} {(on <DEVICE-NAME>)}

crypto pki trustpoints

<TRUSTPOINT-NAME>

Displays PKI related information Displays WLAN trustpoints This command displays all trustpoints including CMP-generated trustpoints. Optional. Displays a specified trustpoint details. Specify the trustpoint name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 33 SHOW COMMANDS all on <DEVICE-NAME>

Optional. Displays details of all trustpoints The following keyword is recursive and common to the trustpoint-name and all parameters:

on <DEVICE-NAME> Optional. Displays trustpoints configured on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example nx9500-6C8809(config)#show crypto key rsa public-key-detail RSA key name: ting Key-length: 2048

-----BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtLj11yR38+/mcInGRlrw 3DaasuTJhKsWg7kcSVkM7RLd/Wq/mPZEsqwFLnvFIm4rVIke+mVdWBqV4oGE1TUm Z4YqKtzlANSAG7EZREr3MXEIHd49NHYeK8U+1EAmHN9F21XCxTO+yRMngKDJeHfz Za2/64PdBsnRlV4nqCGMGHbbaaCwGe5X0a RSA key name: default_rsa_key Key-length: 2048

-----BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3hyJDk9aMk97X3PhoyMb 6nufFLFUkpF9YwSqO2fNyp9SutqpoML/VAMHHotmaa6SsxPURF8mC66bT7De32r7 wwPd7pIWwALTscwCzd3CrB1jY8s2OQ7ZHGCH6MLau+LeoNPE0c+uH3tNLloTAvSG xtUAHfwFa4rM6vlzs/ejJ4InnboI8i4uIA nx9500-6C8809(config)#

nx9500-6C8809(config)#show crypto key rsa

--------------------------------------------------------------------------------

# KEY NAME KEY LENGTH

--------------------------------------------------------------------------------

1 ting 2048 2 default_rsa_key 2048

--------------------------------------------------------------------------------

nx9500-6C8809(config)#

nx9500-6C8809(config)#show crypto pki trustpoints all Trustpoint Name: default-trustpoint (self signed)

-------------------------------------------------------------------------------

CRL present: no Server Certificate details:

Key used: default_rsa_key Serial Number: 051d Subject Name:

/CN=NX9500-B4-C7-99-6C-88-09 Issuer Name:

/CN=NX9500-B4-C7-99-6C-88-09 Valid From : Thu Dec 5 04:15:59 2013 UTC Valid Until: Sun Dec 3 04:15:59 2023 UTC nx9500-6C8809(config)#

nx9500-6C8809>show crypto cmp request status CMP Request Status: ir-req-reset nx9500-6C8809>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 34 SHOW COMMANDS 6.1.17 database show commands Displays database-related statistics and status Supported in the following platforms:

Service Platforms NX9500, NX9510, VX9000 Syntax show database [backup-status|keyfile|restore-status|statistics|status|users] {on

<DEVICE-NAME>}

Parameters show database [backup-status|keyfile|restore-status|statistics|status|users]

{on <DEVICE-NAME>}

database backup-status keyfile back-restore statistics status users on <DEVICE-NAME>

Displays all configured database-related statistics and status Displays the last database backup status Displays the keyfiles generated on the database host to enable authenticated database access Displays the last database restore status Displays database-related statistics, such as name of the database (NSight or captive portal), data size, storage size, free disk space available, etc. Displays database status, such as online time. Displays database users created. These are the users that can access the databases. Optional. Displays database-related information on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example vx9000-D031F2(config)#show database backup-status detail Last Database Backup Status : Failed(Error in ftp: 1) Last Database Backup Time : 2017-04-11 08:03:10

-----------------------------------------------

Starting backup of mart ... connected to: 127.0.0.1 2015-05-20T14:02:46.340+0530 DATABASE: mart to dump/mart 2015-05-20T14:02:46.341+0530 mart.system.indexes to dump/mart/

system.indexes.bson 2015-05-20T14:02:46.341+0530 61 documents 2015-05-20T14:02:46.341+0530 mart.wlan_info to dump/mart/wlan_info.bson 2015-05-20T14:02:46.341+0530 5 documents 2015-05-20T14:02:46.342+0530 Metadata for mart.wlan_info to dump/mart/

wlan_info.metadata.json 2015-05-20T14:02:46.342+0530 mart.rf_domain_info to dump/mart/

rf_domain_info.bson 2015-05-20T14:02:46.342+0530 21 documents 2015-05-20T14:02:46.342+0530 Metadata for mart.rf_domain_info to dump/mart/

rf_domain_info.metadata.json

--More--

vx9000-D031F2(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 35 SHOW COMMANDS vx9000-D031F2(config)#show database status

--------------------------------------------------------------------------------

MEMBER STATE ONLINE TIME

--------------------------------------------------------------------------------

localhost PRIMARY 2 days 3 hours 45 min 24 sec

--------------------------------------------------------------------------------

Authentication: Disabled Authentication User: None

--------------------------------------------------------------------------------

[*] indicates this device. vx9000-D031F2(config)#

vx9000-D031F2(config)#show database statistics

--------------------------------------------------------------------------------

DATABASE STORAGE SIZE DATA SIZE INDEX SIZE DISK FREE

--------------------------------------------------------------------------------

admin 32k 335 48k 594.5G captive-portal 4k 0 24k 594.5G nsightcache 96k 2.0k 264k 594.5G nsight 26.1M 136.6M 18.9M 594.5G

--------------------------------------------------------------------------------

vx9000-D031F2(config)#

nx9500-6C8809#show database keyfile SLz6lVXyi9vyTCChUKs04THRo3mWOjZheM58Dt6NC0MDkdgV+5+wWN9/IT6zfy1s KPut4BPpUWyM8MEaRmapg4kRrN/SMSMlH6sPITMGTLMu6wRYFEUgKgO01Wn/BohE 5n+uuhY0xiZQsN0LS7IaA8Yb9rX859YRQ7v9By5aEpi1NIDR4KX09Xs3TqIB+5v2 jE3vv7OsKK+LX63bCIoYo35MX251T2pHdL+fMdLfKPMt8ZbzYzx2b22Yvukfg0gm xHsMCB+bLAsfkjeCPgHCAq/WWi3Kxna6ysFjp8J4US2Bm+GL1COvALbCQBwkPPN+

o7M90qT40AubibBkeID2S9rkQkKcXqGESbL5xG6ip+26jIxiLv7GP6/SQZGFOqC/

ZZEkCNhGhkiyktiOIxBfoXwoy66sqQ4KBwLF449eqBe7Svel/dzpFPNfYZpW8SMY LD6iLTPR9BddjsBBej8kGGc5R+M0R6lgQFEew2WX6Rqz45YTGEcfOkl8c9wl3taD xn4imhI/esjMppFDu5muxRHF5RHa5RncTGnsMfc7ndvUl78QaGHLZvDqjNLBUnuP c8QmyohEnKf70TYx/ruG9Vb2AP0Jw5OODTNh2lmaoFjicKYQr+xIHUJpHc0qY43C 5WzlWf84CK67cu7kOPiJoaxvufzSXhJB18BiCXTuv40+ZZ6e3PcisZuIrPXxCZup GJ3KpuHq61IJyVCydFd5zl4Fho+RGaQ9dlDIlaLjbW+YT4CEH1bTiUmreUt+D/X2 zcB9nec77wIIAcdfl2qysgGIqmkI3jRI89d3XM5Y7Kc2TuXBVZOazYldPj+qE/yi EgVWcbtvyS834jit35MGbVXhvQ2d45qgo42WZwdTVLXC9memzoKa3YIZoj32uP3U iOrzD8E1gMte4gDE/KmGkYya+hsWswBmKC1v0gj5NQ6TejYS4z+nefqLHUSVXbQ8 NxRel1huGi8P1ns4dWCwClWp8GpxUTa7GuN1DySA7/l2OJM=

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 36 SHOW COMMANDS 6.1.18 device-upgrade show commands Displays device firmware upgradation information for devices adopted by a wireless controller or access point Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show device-upgrade [history|load-image-status|status|versions]

show device-upgrade [history {on <DOMAIN-NAME>}|load-image-status|versions {on

<DEVICE-OR-DOMAIN-NAME>}

show device-upgrade status {on [<DOMAIN-NAME>|rf-domain-manager]|summary {on

<DOMAIN-NAME>}}

Parameters show device-upgrade [history {on <DOMAIN-NAME>}|load-image-status|versions {on

<DEVICE-OR-DOMAIN-NAME>}]

device-upgrade history

{on <DOMAIN-NAME>}

Displays device upgrade information based on the parameters passed Displays device upgrade history on <DOMAIN-NAME> Optional. Displays upgrade history for all devices within a specified RF Domain. Specify the RF Domain name. load-image-status versions {on <DEVICE-

OR-DOMAIN-NAME>}

Displays firmware image loading status. The output displays the <DEVICE> image loading status in percentage. For example:

#show device-upgrade load-image-status Download of ap81xx firmware file is 47 percent complete Displays firmware image versions on <DEVICE-OR-DOMAIN-NAME> Optional. Displays firmware image versions loaded on specified device or RF Domain. Specify the name of the AP, wireless controller, service platform, or RF Domain.

<DEVICE-OR-DOMAIN-NAME> Specify the AP, wireless controller, service plat-

form, or RF Domain name. show device-upgrade status {on [<DOMAIN-NAME>|rf-domain-manager]|summary {on

<DOMAIN-NAME>}}]

device-upgrade status on [<DOMAIN-NAME>|

rf-domain-manager]

Displays device upgrade information based on the parameters passed Displays in progress device upgrade status Optional. Displays in progress upgrade status of all devices within a specified RF Domain, or all devices upgraded by the RF Domain manager. Use this option to view upgrade status of multiple devices.

<DOMAIN-NAME> Specify the RF Domain name. rf-domain-manager Select to view devices upgraded by the RF Domain manager. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 37 SHOW COMMANDS summary

{on <DOMAIN-NAME>}

Displays a summary of in-progress upgrade processes on <DOMAIN-NAME> Optional. Displays in-progress upgrade processes within a specified RF Domain

<DOMAIN-NAME> Specify the RF Domain name. Example nx9500-6C8809#device-upgrade load-image rfs6000 ftp://anonymous:anonymous@192.16 8.13.10/LatestBuilds/W59/RFS6000-LEAN.img nx9500-6C8809#show device-upgrade load-image-status Download of rfs6000 firmware file is complete nx9500-6C8809#

nx9500-6C8809#show device-upgrade status Number of devices currently being upgraded : 0 Number of devices waiting in queue to be upgraded : 1 Number of devices currently being rebooted : 0 Number of devices waiting in queue to be rebooted : 0 Number of devices failed upgrade : 0

--------------------------------------------------------------------------------

-------------------------

DEVICE STATE UPGRADE TIME REBOOT TIME PROGRESS RETRIES LAST UPDATE ERROR UPGRADED BY

--------------------------------------------------------------------------------

-------------------------

rfs6000-81742D waiting immediate immediate 0 0 -

nx9500-6C8809

--------------------------------------------------------------------------------

-------------------------

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 38 SHOW COMMANDS 6.1.19 dot1x show commands Displays dot1x information on interfaces Dot1x (or 802.1x) is an IEEE standard for network authentication. Devices supporting dot1x allow the automatic provision and connection to the wireless network without launching a Web browser at login. When within range of a dot1x network, a dot1X-enabled device automatically connects and authenticates without needing to manually login. However, dot1x-enabled devices can be configured either as:

supplicants only Devices seeking network access authenticators only Devices authenticating the supplicants, or supplicants as well authenticators Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 NOTE: Dot.1x supplicant configuration is supported on the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000 Service Platforms NX5500, NX7500 NOTE: Dot.1x authenticator configuration is supported on the following platforms:

Access Points AP6521, AP6522, AP6562, AP7161, AP7502, AP81XX Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500 Syntax show dot1x {all|interface|on}

show dot1x {all {on <DEVICE-NAME>}|on <DEVICE-NAME>}

show dot1x {interface [<INTERFACE-NAME>|ge <1-4>|port-channel <1-2>} {on <DEVICE-

NAME>}

Parameters show dot1x {all {on <DEVICE-NAME>}|on <DEVICE-NAME>}

Optional. Displays dot1x information for all interfaces on <DEVICE-NAME> Optional. Displays dot1x information for all interfaces on a dot1x all

{on <DEVICE-NAME>}

specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 39 SHOW COMMANDS dot1x

{on <DEVICE-NAME>}

Optional. Displays dot1x information for interfaces on a specified device

<DEVICE-NAME> Specify the name of AP, wireless controller, or service platform. show dot1x {interface [<INTERFACE-NAME>|ge <1-4>|port-channel <1-2>]} {on

<DEVICE-NAME>}

dot1x interface

<INTERFACE-NAME>

ge <1-4>

port-channel <1-2>

on <DEVICE-NAME>

Optional. Displays dot1x information for a specified interface or interface type Displays dot1x information for the layer 2 (Ethernet port) interface specified by the

<INTERFACE-NAME> parameter Displays dot1x for a specified GigabitEthernet interface

<1-4> Select the interface index from 1 - 4. Displays dot1x for a specified port channel interface

<1-2> Select the interface index from 1 - 2. The following keywords are common to all of the above parameters:

on <DEVICE-NAME> Optional. Displays dot1x interface information on a specified device

<DEVICE-NAME> Specify the name of AP, wireless controller, or service plat-

form. Example rfs6000-81742D#show dot1x all 802.1X information

------------------------------

SysAuthControl : disabled Guest-Vlan : disabled AAA-Policy : none Holdtime : 60 802.1X information for interface GE1

--------------------------------------

Supplicant MAC N/A Auth SM State : FORCE AUTHORIZED Bend SM State : REQUEST Port Status : AUTHORIZED Host Mode : SINGLE Auth Vlan : None Guest Vlan : None 802.1X information for interface GE2

--------------------------------------

Supplicant MAC N/A Auth SM State : FORCE AUTHORIZED Bend SM State : REQUEST Port Status : AUTHORIZED

--More--

rfs6000-81742D#

rfs6000-81742D#show dot1x interface ge 1 802.1X information for interface GE1

--------------------------------------

Supplicant MAC N/A Auth SM State : FORCE AUTHORIZED Bend SM State : REQUEST Port Status : AUTHORIZED Host Mode : SINGLE Auth Vlan : None Guest Vlan : None rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 40 SHOW COMMANDS 6.1.20 dpi show commands Displays Deep Packet Inspection (DPI) statistics for all configured and canned applications. DPI is an advanced packet analysis technique, which analyzes packet and packet content headers to determine the nature of network traffic. When DPI is enabled, packets of all flows are subjected to DPI to get accurate results. DPI identifies applications (such as, Netflix, Twitter, Facebook, etc.) and also extracts metadata

(such as, host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall. NOTE: The show > dpi command returns results only if executed on a device that supports DPI and has DPI logging enabled. DPI logging can be enabled either on the device or on the profile applied to the device. For more information, see dpi. Supported in the following platforms:

Access Points AP7522, AP7532, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show dpi [app|app-category|application|application-policy|per-category]

show dpi app wireless-clients stats <MAC> {on <DEVICE-OR-DOMAIN-NAME>}

show dpi [app|app-category] stats [<APPLICATION/APP-CATEGORY-NAME>|all] {on

<DEVICE-OR-DOMAIN-NAME>}

show dpi application-policy stats <APPLICATION-POLICY-NAME> {on <DEVICE-OR-DOMAIN-

NAME>}

show dpi application brief show dpi per-category stats <APP-CATEGORIES> [bytes-in|bytes-out|total-bytes] {on

<DEVICE-OR-DOMAIN-NAME>}

Parameters show dpi app wireless-clients stats <MAC> {<DEVICE-OR-DOMAIN-NAME>}

Displays application-related statistics for all or a specified wireless clients

<MAC> Displays statistics for a specified wireless client. Specify the clients MAC dpi app wireless-clients

<MAC>

address. on <DEVICE-OR-

DOMAIN-NAME>

Optional. Displays statistical data on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the access point, wireless controller, service platform, or RF Domain. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 41 SHOW COMMANDS show dpi [app|app-category] stats [<APPLICATION/APP-CATEGORY-NAME>|all]

{on <DEVICE-OR-DOMAIN-NAME>}

dpi [app|

app-category] stats Displays statistics for a application or application category app Displays statistics for a specified application or all applications app-category Displays statistics for a specified application category or all categories. Note: The applications are the RF Domain member allowed applications whose data

(bytes) are passing through the WiNG managed network. And, the application categories are existing WiNG or user defined application groups (video, streaming, mobile, audio, etc.) that assist administrators to permit or deny forwarding of application data. This parameter is common to the app and app-category keywords.

<APPLICATION/APP-CATEGORY-NAME> Displays statistics for a specified application or application category, depending on the option selected in the previous step. Specify the application name or application category name. all Displays statistics for all applications or application categories, depending on the option selected in the previous step

[<APPLICATION/APP-

CATEGORY-

NAME>|all]

on <DEVICE-OR-

DOMAIN-NAME>

Optional. Displays statistical data on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the access point, wireless controller, service platform, or RF Domain. show dpi application-policy stats <APPLICATION-POLICY-NAME> {on <DEVICE-OR-

DOMAIN-NAME>}

dpi application-policy stats

<APPLICATION-

POLICY-NAME>

on <DEVICE-OR-

DOMAIN-NAME>

Displays statistics for an existing application policy Displays statistics for a specified application-policy. Specify the application-policy name. Optional. Displays application-policy related statistical data on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the access point, wireless controller, service platform, or RF Domain. show dpi application brief dpi application brief Displays a brief summary of applications their status and configuration show dpi per-category stats <APP-CATEGORIES> [bytes-in|bytes-out|total-bytes]

{on <DEVICE-OR-DOMAIN-NAME>}

dpi per-category stats

<APP-CATEGORIES> Specify the application category name. The system displays statistics for the top ten Displays statistics for the top ten applications based on the application category and the Sort ID specified. The Sort ID options are: bytes-in, bytes-out or total-bytes. applications in this category. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 42 SHOW COMMANDS

[bytes-in|bytes-out|

total-bytes]

Filters and displays statistical data for the top ten utilized applications in respect to the following:

bytes-in Displays total data bytes uploaded through the controller managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority). bytes-out Displays total data bytes downloaded through the controller managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority). total-bytes Displays total data bytes (uploaded and downloaded) through the controller managed network. These are only the administrator allowed applications approved for proliferation within the managed network. on <DEVICE-OR-

DOMAIN-NAME>

Optional. Displays statistical data on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the access point, wireless controller, service platform, or RF Domain. Example nx9500-6C8809>show dpi application brief 1-clickshare-com This application recognizes DirectDownloadLink 1-clickshare traffic Application Category : filetransfer Predefined Application : Yes 1-upload-com This application recognizes DirectDownloadLink 1-upload-com traffic Application Category : filetransfer Predefined Application : Yes 1-upload-to This application recognizes DirectDownloadLink 1-upload-to traffic Application Category : filetransfer Predefined Application : Yes 10upload-com This application recognizes DirectDownloadLink 10upload-com traffic Application Category : filetransfer Predefined Application : Yes 123upload-pl This application recognizes DirectDownloadLink 123upload-pl traffic

--More--

nx9500-6C8809>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 43 SHOW COMMANDS 6.1.21 eguest show commands Displays EGuest server status and EGuest registration statistics Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax eguest [registration statistics|status]

Parameters registration statistics status eguest [registration statistics|status]

Displays the EGuest registration statistics Displays the current status of EGuest servers Example vx-eguest-primary#show eguest status

-----------------------------------

pid process

-----------------------------------

2521 gmd 2529 regserver 2539 acct_server 2569 guest_manager 2636 acct_server 2642 acct_server 2643 acct_server 2649 acct_server 2655 acct_server 2708 acct_server-helper 2770 guest_manager 2776 guest_manager 2777 guest_manager 2783 guest_manager 3628 gmd 3630 gmd 3631 gmd 3632 gmd 3633 gmd 3634 gmd 5729 radiusd

-----------------------------------

Database server is local Database server is reachable vx-eguest-primary#

vx-eguest-primary#show eguest registration statistics msg_received - number of registration messages received user_try_to_add - number of database add attempts user_added - number of messages succesfully added to db user_failed - number of messages failed adding to db

------------------------------------------------------------------------

msg_received user_try_to_add user_added user_failed

------------------------------------------------------------------------

189 11 11 0 vx-eguest-primary#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 44 SHOW COMMANDS 6.1.22 environmental-sensor show commands Displays environmental sensors recorded data. The environmental sensor has to be enabled and configured in order to collect data related to humidity, light, motion, and temperature. NOTE: The environmental senor is supported only on an AP8132. When executed on any controller (other than an AP8132), the show >

environmental-sensor > <parameters> command displays environmental-

sensor details for adopted AP8132s (if any). Supported in the following platforms:

Access Points AP8132 Syntax show environmental-sensor [history|humidity|light|motion|summary|temperature|

version]

show environmental-sensor history {<1-HOUR>|<20-MINUTE>|<24-HOUR>}

show environmental-sensor [humidity|light|motion|summary|temperature|version]

Parameters show environmental-sensor history {<1-HOUR>|<20-MINUTE>|<24-HOUR>}

environmental-

sensor history 1-hour 20-minute 24-hour Displays environmental sensor history once in every hour, 20 minutes, or 24 hours History includes the humidity, light, motion, and temperature data recorded by the sensor at specified time interval. Optional. Displays environmental sensor history once in every 1 (one) hour Optional. Displays environmental sensor history once in every 20 minutes Optional. Displays environmental sensor history once in every 24 hours show environmental-sensor [humidity|light|motion|summary|temperature|

version]

environmental-

sensor humidity light motion temperature version summary Displays environmental sensors recorded data, based on the parameters passed. The system displays the specified recorded data. The environmental sensor records data at the following intervals: 20 minutes, 1 hour, and 24 hours. Displays the minimum, average, and maximum humidity recorded Displays the minimum, average, and maximum light recorded Displays the minimum, average, and maximum motion recorded Displays the minimum, average, and maximum temperature recorded Displays the hardware and firmware versions Displays a summary of the data recorded at following intervals:

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 45 SHOW COMMANDS Example ap8132-711728#show environmental-sensor summary Maat Device uptime: 0 days 15:25:11 ERROR: Maat device is offline!

threshold polling-interval: 5 historical data polled 0 times per 2-minutes interval since Maat online motion-sensor: Enabled(Demo) current value: 0 detected

-------------------------------

motion detected

-------------------------------

20-minute 0 1-hour 0 6-hour 0 24-hour 0 temperature-sensor: Enabled(Demo) current value: -40.00 deg. C

-------------------------------

min/average/max

-------------------------------

20-minute 0/0/0 1-hour 0/0/0 6-hour 0/0/0 24-hour 0/0/0 light-sensor: Enabled threshold-high:+400.00 threshold-low:+200.00 holdtime:11 action radio-shutdown: radio-1 and radio-2 light-on:1 light-on/off event sent:0/0 current value: 0.00 lux

-------------------------------

min/average/max

-------------------------------

20-minute 0/0/0 1-hour 0/0/0 6-hour 0/0/0 24-hour 0/0/0 humidity-sensor: Enabled(Demo) current value: 0.00 %

-------------------------------

min/average/max

-------------------------------

20-minute 0/0/0 1-hour 0/0/0 6-hour 0/0/0 24-hour 0/0/0 ap8132-711728#

ap8132-711634#show env-sensor history Current Time: 2015-06-20 14:08:01 UTC

-------------------------------------------------------------------------------

Sample-Interval Motion Temperature Light Humidity

(deg. C) (lux) (%)

----------- min/average/max ------------

-------------------------------------------------------------------------------

20-minute 1 64/65/66 77/80 58/60/61 1-hour 24 63/67/70 75/81 57/59/61 6-hour 128 60/62/69 71/79 52/56/71 24-hour 188 54/58/70 15/45 49/57/73 ap8132-711634#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 46 SHOW COMMANDS ap8132-711634#show env-sensor history 20-min

--------------------------------------------------------------------------------

-

timestamp Motion Temperature Light Humidity

--------------------------------------------------------------------------------

-

2015-11-20 13:51:35 UTC 0 66 79 59 2015-11-20 13:53:35 UTC 0 66 79 59 2015-11-20 13:55:35 UTC 0 65 79 58 2015-11-20 13:57:35 UTC 1 66 80 59 2015-11-20 13:59:35 UTC 0 66 79 59 2015-11-20 14:02:35 UTC 0 65 79 60 2015-11-20 14:03:35 UTC 0 64 79 60 2015-11-20 14:05:35 UTC 2 66 80 60 2015-11-20 14:07:35 UTC 0 66 80 61 2015-11-20 14:09:35 UTC 0 66 80 61 ap8132-711634#

ap8132-711634#show env-sensor history 1-hr

--------------------------------------------------------------------------------

--timestamp Motion Temperature Light Humidity

--------------------------------------------------------------------------------

--

2015-11-20 13:51:35 UTC 0 66 79 59 2015-11-20 13:53:35 UTC 0 66 79 59 2015-11-20 13:55:35 UTC 0 65 79 58 2015-11-20 13:57:35 UTC 1 66 80 59 2015-11-20 13:59:35 UTC 0 66 79 59 2015-11-20 14:01:35 UTC 0 65 79 60 2015-11-20 14:03:35 UTC 0 64 79 60 2015-11-20 14:05:35 UTC 2 66 80 60 2015-11-20 14:07:35 UTC 0 66 80 61 2015-11-20 14:09:35 UTC 0 66 80 61 2015-11-20 14:42:35 UTC 0 65 81 60 2015-11-20 14:43:35 UTC 0 64 80 59 2015-11-20 14:45:35 UTC 3 66 80 60 ap8132-711634#

<DEVICE-NAME>#show env-sensor history 24-hr

--------------------------------------------------------------------------------

--

timestamp Motion Temperature Light Humidity

--------------------------------------------------------------------------------

--

2015-11-20 10:10:20 UTC 27 66 80 60 2015-11-20 10:30:20 UTC 17 66 80 60 2015-11-20 10:50:20 UTC 17 66 81 60 2015-11-20 11:10:20 UTC 25 66 81 60 2015-11-20 11:30:20 UTC 24 66 81 60 2015-11-20 11:50:20 UTC 26 66 81 60 2015-11-21 08:10:20 UTC 9 65 80 59 2015-11-21 08:30:20 UTC 7 65 80 59 2015-11-21 08:50:20 UTC 12 65 80 60 2015-11-21 09:10:20 UTC 10 65 80 60 2015-11-21 09:30:20 UTC 15 65 80 60 2015-11-21 09:50:20 UTC 19 66 80 60

<DEVICE-NAME>#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 47 SHOW COMMANDS 6.1.23 event-history show commands Displays event history report Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show event-history {on <DEVICE-OR-DOMAIN-NAME>}

Parameters show event-history {on <DEVICE-OR-DOMAIN-NAME>}

event-history on <DEVICE-OR-

DOMAIN-NAME>

Displays event history report Optional. Displays event history report on a device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. Example nx9500-6C8809#show event-history Generated on '2016-09-21 05:19:55 UTC' by 'admin'

2017-06-06 10:40:19 nx9500-6C8809 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'

2017-06-06 10:38:36 nx9500-6C8809 SYSTEM LOGOUT Logged out user

'admin' with privilege 'superuser' from '192.168.100.214'

2017-06-06 10:27:34 nx9500-6C8809 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'

2017-06-06 10:27:34 nx9500-6C8809 SYSTEM LOGOUT Logged out user

'admin' with privilege 'superuser' from '192.168.100.214'

2016-09-20 23:52:49 nx9500-6C8809 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'

2016-09-20 05:39:01 nx9500-6C8809 SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '192.168.100.165'

2016-09-20 05:08:54 nx9500-6C8809 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'

--More--

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 48 SHOW COMMANDS 6.1.24 event-system-policy show commands Displays detailed event system policy configuration Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show event-system-policy [config|detail] <EVENT-SYSTEM-POLICY-NAME>

Parameters show event-system-policy [config|detail] <EVENT-SYSTEM-POLICY-NAME>

event-system-policy Displays event system policy configuration config Displays configuration for a specified policy Displays detailed configuration for a specified policy detail

<EVENT-SYSTEM-

Specify the event system policy name. POLICY-NAME>

Example rfs6000-81742D(config)#show event-system-policy config testpolicy

--------------------------------------------------------------------------

MODULE EVENT SYSLOG SNMP FORWARD EMAIL

--------------------------------------------------------------------------

aaa radius-discon-msg on on on default

--------------------------------------------------------------------------

rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 49 SHOW COMMANDS 6.1.25 ex3500 show commands Displays EX3500-related statistical data Supported in the following platforms:

Service Platforms NX7500, NX9500 Syntax show ex3500 [dir|interfaces|system|upgrade|version|whichboot]

show ex3500 dir {boot-rom|config|on|opcode} {<FILE-NAME>} {on <EX3500-DEVICE-

NAME>}

show ex3500 interfaces counters [ether-like stats|ethernet <1-1> <1-52>|ext-if-

table stats|if-table stats|portUtil stats|rmon stats] {on <EX3500-DEVICE-NAME>}

show ex3500 [system|upgrade|version|whichboot] {on <EX3500-DEVICE-NAME>}

Parameters show ex3500 dir {boot-rom|config|on|opcode} {<FILE-NAME>} {on <EX3500-DEVICE-

NAME>}

ex3500 dir boot-rom config opcode

<FILE-NAME>

on

<EX3500-DEVICE-

NAME>

Displays EX3500 directory information based on the option selected. The options are: boot-rom, config, opcode Note: If none of the specified options is selected, all EX3500 system-related information is displayed. Optional. Displays only the Boot-ROM information Optional. Displays only the configuration file Optional. Displays only the run-time operation code Displays the contents of a specified file identified by the <FILE-NAME> keyword. This is the name of configuration file or code image. Optional. Executes the command on a specified EX3500 device

<DEVICE-NAME> Specify the devices name. show ex3500 interfaces counters [ether-like stats|ethernet <1-1> <1-52>|

ext-if-table stats|if-table stats|portUtil stats|rmon stats] {on <EX3500-DEVICE-

NAME>}

ex3500 interfaces counters ether-like stats ethernet <1-1> <1-52>

ext-if-table stats Displays EX3500 interface counter information based on the option selected. The options are: ether-like, ethernet, ext-if-table, if-table, portUtil, rmon Displays Managed Information Base (MIB) object statistics for Ethernet-like interfaces Displays the Ethernet port statistics based on the unit identifier and port number selected

<1-1> Specify the EX3500 units identifier from 1 - 1.

<1-52> Specify the port number from 1 - 52. This range varies for the EX3524 (1-

28) and EX3548 (1-52) devices. Note: This option displays the following for the selected Ethernet interface: extended interface table stats, interface table stats, port utilization information, and remote monitoring stats. Displays only the extended interface table statistics Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 50 SHOW COMMANDS if-table stats portUtil stats rmon stats on <EX3500-DEVICE-

NAME>

Displays only the interface table statistics Displays only the port utilization information Displays only remote monitoring (RMon) statistics Optional. Executes the command on a specified EX3500 device

<DEVICE-NAME> Specify the devices name. show ex3500 [system|upgrade|version|whichboot] {on <EX3500-DEVICE-NAME>}

ex3500 system upgrade version whichboot on <EX3500-DEVICE-

NAME>

Displays the following information for a specified EX3500 device or all EX3500 devices in the managed network Displays EX3500 system information, such as device description, OID string, up time, name, location, contact, MAC address, etc. Some of these information

(example, system name) are configurable items, and if not configured are left blank. Displays the opcode upgrade configuration settings Displays hardware and software version information for a EX3500 system Displays boot information Optional. Executes the command on a specified EX3500 device

<DEVICE-NAME> Specify the devices name. Example nx9500-6C8809#show ex3500 interfaces counters ethernet 1 17 Ethernet 1/ 17

===== IF table Stats =====

2166458 Octets Input 14734059 Octets Output 14707 Unicast Input 19806 Unicast Output 0 Discard Input 0 Discard Output 0 Error Input 0 Error Output 0 Unknown Protocols Input 0 QLen Output

===== Extended Iftable Stats =====

23 Multi-cast Input 5525 Multi-cast Output 170 Broadcast Input 11 Broadcast Output

===== Ether-like Stats =====

0 Alignment Errors 0 FCS Errors 0 Single Collision Frames 0 Multiple Collision Frames 0 SQE Test Errors 0 Deferred Transmissions 0 Late Collisions 0 Excessive Collisions 0 Internal Mac Transmit Errors 0 Internal Mac Receive Errors 0 Frames Too Long 0 Carrier Sense Errors 0 Symbol Errors 0 Pause Frames Input 0 Pause Frames Output

===== RMON Stats =====

0 Drop Events 16900558 Octets 40243 Packets Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 51 SHOW COMMANDS 170 Broadcast PKTS 23 Multi-cast PKTS 0 Undersize PKTS 0 Oversize PKTS 0 Fragments 0 Jabbers 0 CRC Align Errors 0 Collisions 21065 Packet Size <= 64 Octets 3805 Packet Size 65 to 127 Octets 2448 Packet Size 128 to 255 Octets 797 Packet Size 256 to 511 Octets 2941 Packet Size 512 to 1023 Octets 9187 Packet Size 1024 to 1518 Octets

===== Port Utilization (recent 300 seconds) =====

0 Octets Input in kbits per second 0 Packets Input per second 0.00 % Input Utilization 0 Octets Output in kbits per second 0 Packets Output per second 0.00 % Output Utilization nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 52 SHOW COMMANDS 6.1.26 extdev show commands Displays external device (T5 or EX3500) configuration error history Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX9500, NX9510 Syntax show extdev error history {on <T5/EX3500-DEVICE-NAME>}

Parameters show extdev error history {on <T5/EX3500-DEVICE-NAME>}

extdev error history on <T5/EX3500-

DEVICE-NAME>

Displays external device error history. This command is applicable only to the external devices T5, and EX3500 series switches. Use this command to view configuration error history for all or a specified external device adopted and managed by a WiNG NX9500 series service platform. Optional. Displays configuration error history on a specified T5 or EX3500 device

<T5/EX3500-DEVICE-NAME> Specify the name of the device. Example nx9500-6C8809#show extdev error history on t5-ED5EAC

%% No History for this device nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 53 SHOW COMMANDS 6.1.27 file-sync show commands Displays file synchronization settings and status on a controller The file-sync command syncs wireless-bridge certificate and trustpoint between the staging-controller and its adopted access points. The show > file-sync command displays information related to this process. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510 Syntax show file-sync [configuration|history|load-file-status|status] {on <DEVICE-OR-

DOMAIN-NAME>}

Parameters show file-sync [configuration|history|load-file-status|status] {on <DEVICE-OR-

DOMAIN-NAME>}

file-sync configuration history load-file-status status Displays the following file-synchronization (trustpoint and wireless-bridge certificate) related information: configuration, history, load-file-status, and status Displays the following file-synchronization configuration details:

automatic file-syncing enabled or disabled. The default setting is disabled. The X.509 certificate needs synchronization only if the access points radio2 is configured to use EAP-TLS authentication. In which case PKCS#12 certificate needs to be pushed on AP adoption. To enable automatic file syncing, in the controllers device/profile configuration mode, execute the file-sync > auto command. For more information, see file-sync. Number of access points to which the certificate can be simultaneously uploaded. The default is 10. To modify the number of simultaneous uploads, in the controllers device/profile configuration mode, execute the file-sync > count <1-20> command. For more information, see file-sync. Scheduled certificate upload, if any, details, such time and date of upload. To schedule certificate upload, use the file-sync > wireless-certificate command. For more information, see file-sync. Displays file synchronization history. Use this option to view statistical data relating to wireless-bridge certificate synchronization between staging controller and its access points. When executed, a list of all certificate transfers made to the APs is displayed, with the latest transfer listed at the top. Displays the status of the file upload to the controller. Use this command to view the status of a in-progress certificate upload, For more information on initiating a PKCS#12 certificate upload, see file-sync. Displays status of the file synchronization between the controller and its adopted access point. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 54 SHOW COMMANDS on <DEVICE-OR-

DOMAIN- NAME>

Optional. Displays file synchronization settings and status on a specified device or RF Domain

<DEVICE-OR-DOMAIN- NAME> Specify the name of the controller, service platform, or RF Domain. Example nx9500-6C8809#show file-sync configuration File Sync Configuration Information Auto : Disabled Simultaneous Upload Count : 128 Wireless Bridge Cert Load Time : Thu May 29 23:23:35 2015 nx9500-6C8809#

nx9500-6C8809#show file-sync load-file-status Download of wireless_bridge certificate is complete nx9500-6C8809#

nx9500-6C8809#show file-sync history

-------------------------------------------------------------------------------------

AP RESULT TIME RETRIES SYNCED-BY LAST-SYNC-ERROR

-------------------------------------------------------------------------------------

AP6522-491220 done 2015-05-27 01:37:32 B4-C7-99-6C-88-09 -

ME733ANACBMOT21 done 2015-05-27 02:02:51 0 B4-C7-99-6C-88-09 -

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 55 SHOW COMMANDS 6.1.28 firewall show commands Displays wireless firewall information, such as Dynamic Host Configuration Protocol (DHCP) snoop table entries, denial of service statistics, active session summaries, etc. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show firewall [dhcp|flows|neighbors]

show firewall dhcp snoop-table {on <DEVICE-NAME>}

show firewall flows {filter|management|on|stats|wireless-client}

show firewall flows {filter} {(dir|dst port <1-65535>|ether|flow-type|icmp|

icmpv6|igmp|ip|ipv6|max-idle|min-bytes|min-idle|min-pkts|not|port|src|tcp|udp)}

show firewall flows {management {on <DEVICE-NAME>}|stats {on <DEVICE-NAME>}|

wireless-client <MAC>|on <DEVICE-NAME>}

show firewall neighbors snoop-table {on <DEVICE-NAME>}

Parameters show firewall dhcp snoop-table {on <DEVICE-NAME>}

firewall dhcp snoop-table on <DEVICE-NAME>

Displays DHCP snoop table entries snoop-table Displays DHCP snoop table entries DHCP snooping acts as a firewall between non-trusted hosts and the DHCP server. Snoop table entries contain MAC address, IP address, lease time, binding type, and interface information of non-trusted interfaces. The following keyword is common to the DHCP snoop table and DoS stats parameters:

on <DEVICE-NAME> Optional. Displays snoop table entries, or DoS stats on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. show firewall flows {filter} {(dir|dst|ether|flow-type|icmp|icmpv6|igmp|ip|

ipv6|max-idle|min-bytes|min-idle|min-pkts|not|port|src|tcp|udp)}

firewall flows filter dir [wired-wired|

wired-wireless|

wireless-wired|

wireless-wireless]

Notifies a session has been established Optional. Defines additional firewall flow filter parameters Optional. Matches the packet flow direction wired-wired Wired to wired flows wired-wireless Wired to wireless flows wireless-wired Wireless to wired flows wireless-wireless Wireless to wireless flows Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 56 SHOW COMMANDS dst port

<1-65535>

ether

[dst <MAC>|

host <MAC>|

src <MAC>|

vlan <1-4094>]

flow-type

[bridged|natted|

routed|wired|

wireless]

icmp {code|type}

icmpv6 {code|type}

igmp ip [dst <IP>|

host <IP>|

proto <0-254>|

src <IP>]

ipv6 [dst <IPv6>|

host <IPv6>|

proto <0-254>|

src <IPv6>]

max-idle

<1-4294967295>

min-bytes

<1-4294967295>

min-idle

<1-4294967295>

min-pkts

<1-4294967295>

not Optional. Matches the destination port with the specified port port <1-65535> Specifies the destination port number from 1 - 65535 Optional. Displays Ethernet filter options dst <MAC> Matches only the destination MAC address host <MAC> Matches flows containing the specified MAC address src <MAC> Matches only the source MAC address vlan <1-4094> Matches the VLAN number of the traffic with the specified value. Specify a value from 1- 4094. Optional. Matches the traffic flow type bridged Bridged flows natted Natted flows routed Routed flows wired Flows belonging to wired hosts wireless Flows containing a mobile unit Optional. Matches flows with the specified Internet Control Message Protocol (ICMP) version 4 code and type code Optional. Matches flows with the specified ICMPv4 code type Optional. Matches flows with the specified ICMPv4 type Optional. Matches flows with the specified ICMP version 6 code and type code Optional. Matches flows with the specified ICMPv6 code type Optional. Matches flows with the specified ICMPv6 type Optional.Matches Internet Group Management Protocol (IGMP) flows Optional. Filters firewall flows based on the IPv4 parameters passed dst <IP> Matches destination IP address host <IP> Matches flows containing IPv4 address proto <0-254> Matches the IPv4 protocol number with the specified number src <IPv4> Matches source IP address Optional. Filters firewall flows based on the IPv6 parameters passed dst <IPv6> Matches destination IPv6 address host <IPv6> Matches flows containing IPv6 address proto <0-254> Matches the IPv6 protocol number with the specified number src <IPv6> Matches source IPv6 address Optional. Filters firewall flows idle for at least the specified duration. Specify a max-

idle value from 1 - 4294967295 bytes. Optional. Filters firewall flows with at least the specified number of bytes. Specify a min-bytes value from 1 - 4294967295 bytes. Optional. Filters firewall flows idle for at least the specified duration. Specify a min-

idle value from 1 - 4294967295 bytes. Optional. Filters firewall flows with at least the given number of packets. Specify a min-bytes value from 1 - 4294967295 bytes. Optional. Negates the filter expression selected Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 57 SHOW COMMANDS port <1-65535>

src <1-65535>

tcp udp Optional. Matches either the source or destination port. Specify a port from 1 -

65535. Optional. Matches only the source port with the specified port. Specify a port from 1

- 65535. Optional. Matches TCP flows Optional. Matches UDP flows show firewall flows {management {on <DEVICE-NAME>}|stats {on <DEVICE-NAME>}|

wireless-client <MAC>|on <DEVICE-NAME>}

firewall flows management

{on <DEVICE-NAME>}

Notifies a session has been established Optional. Displays management traffic firewall flows on <DEVICE-NAME> Optional. Displays firewall flows on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. stats

{on <DEVICE-NAME>}

Optional. Displays active session summary on <DEVICE-NAME> Optional. Displays active session summary on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. wireless-client <MAC> Optional. Displays wireless clients firewall flows on <DEVICE-NAME>

<MAC> Specify the MAC address of the wireless client. Optional. Displays all firewall flows on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show firewall neighbors snoop-table {on <DEVICE-NAME>}

firewall neighbors snoop-table on <DEVICE-NAME>

Displays IPv6 neighbors snoop table entries Optional. Displays IPv6 neighbors snoop table entries on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example rfs6000-81742D(config)#show fi file-sync firewall file rfs6000-81742D(config)#show firewall dhcp snoop-table Snoop Binding <192.168.13.24, 00-15-70-81-74-2D, Vlan 1>

Type switch-SVI, Touched 427779 seconds ago

-------------------------------------------------------------------------------

rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 58 SHOW COMMANDS rfs6000-81742D(config)#show firewall dos stats

--------------------------------------------------------------------------------

ATTACK TYPE COUNT LAST OCCURENCE

--------------------------------------------------------------------------------

udp-short-hdr 0 Never multicast-icmpv6 0 Never icmp-router-solicit 0 Never tcp-xmas-scan 0 Never ascend 0 Never twinge 0 Never tcp-post-syn 0 Never land 0 Never broadcast-multicast-icmp 0 Never ftp-bounce 0 Never spoof 0 Never source-route 0 Never tcp-null-scan 0 Never tcp-fin-scan 0 Never ipv6-hop-limit-zero 0 Never tcp-bad-sequence 97 0 days 02:24:32 ago fraggle 0 Never router-advt 0 Never snork 0 Never raguard 0 Never

--More--

rfs6000-81742D(config)#

rfs6000-81742D(config)#show firewall flows management

========== Flow# 1 Summary ==========

Forward:

IPv4 Vlan 1, TCP 192.168.13.10 port 1646 > 192.168.13.24 port 22 00-02-B3-28-D1-55 > 00-15-70-81-74-2D, ingress port up1 Egress port: <local>, Egress interface: vlan1, Next hop: <local> (00-15-70-81-74-

2D) 1170 packets, 99960 bytes, last packet 0 seconds ago Reverse:

IPv4 Vlan 1, TCP 192.168.13.24 port 22 > 192.168.13.10 port 1646 00-15-70-81-74-2D > 00-02-B3-28-D1-55, ingress port local Egress port: up1, Egress interface: vlan1, Next hop: 192.168.13.10 (00-02-B3-28-

D1-55) 873 packets, 98797 bytes, last packet 0 seconds ago TCP state: Established Flow times out in 1 hour 30 minutes rfs6000-81742D(config)#

rfs6000-81742D(config)#show firewall flows stats Active Flows 2 TCP/IPv4 flows 2 UDP/IPv4 flows 0 DHCP/IPv4 flows 0 ICMP/IPv4 flows 0 IPsec/IPv4 flows 0 TCP/IPv6 flows 0 UDP/IPv6 flows 0 DHCP/IPv6 flows 0 ICMP/IPv6 flows 0 IPsec/IPv6 flows 0 L3/Unknown flows 0 rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 59 SHOW COMMANDS 6.1.29 global show commands Displays global information for network devices based on the parameters passed Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show global [device-list|domain]

show global device-list {filter {offline|online|rf-domain}}

show global device-list {filter {offline|online}}

show global device-list {filter rf-domain [<DOMAIN-NAME>|not <DOMAIN-NAME>]}

show global domain managers Parameters show global device-list {filter {offline|online}}

global device-list Displays global information for all network devices. Use the following keywords to specify additional filters: offline, online, and rf-domain. filter {offline|online} Optional. Specifies additional filters offline Optional. Displays global information for offline devices only online Optional. Displays global information for online devices only show global device-list {filter rf-domain [<DOMAIN-NAME>|not <DOMAIN-NAME>]}

Displays global information for all network devices. Use the following keywords to specify additional filters: offline, online, and rf-domain. Optional. Specifies additional filters rf-domain Optional. Displays global information for all devices in a specified RF global device-list filter rf-domain

[<DOMAIN-NAME>|

not <DOMAIN-

NAME>]

Domain

<DOMAIN-NAME> Optional. Displays information of all devices within the domain identified by the <DOMAIN-NAME> keyword not <DOMAIN-NAME> Optional. Displays information of all devices in domains not matching the <DOMAIN-NAME> keyword show global domain managers global domain managers Displays global information for all RF Domains and managers in the network Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 60 SHOW COMMANDS Example rfs6000-81742D(config)#show global device-list filter rf-domain TechPubs

--------------------------------------------------------------------------------

------------------------------

MAC HOST-NAME TYPE CLUSTER RF-DOMAIN ADOPTED-BY ONLINE

--------------------------------------------------------------------------------

------------------------------

00-15-70-81-74-2D rfs6000-81742D rfs6000 SiteConRFS6k TechPubs B4-

C7-99-6C-88-09 online

--------------------------------------------------------------------------------

------------------------------

Total number of clients displayed: 1 rfs6000-81742D(config)#

rfs6000-81742D(config)#show global domain managers

--------------------------------------------------------------------------------

---------------------

RF-DOMAIN MANAGER HOST-

NAME APS CLIENTS

--------------------------------------------------------------------------------

---------------------

default ? rf-domain manager 00-15-70-38-03-E7 not in configuration TechPubs 00-15-70-81-74-2D rfs6000-

81742D 0 0

--------------------------------------------------------------------------------

---------------------

Total number of RF-domain displayed: 2 rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 61 SHOW COMMANDS 6.1.30 gre show commands Displays layer 2 Generic Routing Encapsulation (GRE) tunnel traffic flow information GRE is one of the available tunneling mechanisms which uses IP as the transport protocol and can be used for carrying many different passenger protocols. The tunnels behave as virtual point-to-point links that have two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show gre info {detail} {(on <DEVICE-NAME>)}

Parameters show gre info {detail} {(on <DEVICE-NAME>)}

gre info detail on <DEVICE-NAME>

Displays GRE tunnel information Optional. Displays GRE tunnel information in detail, such as tunnel state, tunnels remote-end peer devices IP address, session ID of an operational tunnel, total number of packets received and transmitted through the tunnel, and the number of dropped packets during tunneled exchanges between access point and a peer at the remote end of the tunnel. Optional. Executes the command on a specified device

<DEVICE-NAME> Specify the name of the access point, controller, or service platform. Example rfs6000-81742D#show gre info Gre Tunnel info:

Tunnel info not found rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 62 SHOW COMMANDS 6.1.31 guest-registration show commands Displays information on the performance of clients using guest access permissions to obtain network resources within the WiNG network. The reporting timeline can be adjusted as needed, as can the RF Domain(s) and WLAN(s) used to filter and report guest client statistics. Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510 Syntax show guest-registration [age-range|backup-snapshots|browsers|client|devices|

gender|loyalty-app-status|notification-status|os|social|user-trends|visitors]

{on <DEVICE-NAME>}

show guest-registration backup-snapshots show guest-registration [age-range|browsers|devices|gender|os|user-trends|

visitors] time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] {(rfdomain

<DOMAIN-NAME>|wlan <WLAN-NAME>)}

show guest-registration client [email|mac|member|mobile|name|time]

show guest-registration client [email <EMAIL-ADDRESS>|mac <MAC>|member <MEMBER-

ID>|mobile <MOBILE-NUMBER>|name <NAME>]

show guest-registration client time [1-Hour|10-Mins|15-Mins|2-Mins|30-Mins|

30-Secs|5-Mins] {(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}

show guest-registration loyalty-app-status time [1-Day|1-Month|1-Week|2-Hours|

30-Mins|5-Hours|all] {rfdomain <RF-DOMAIN-NAME>|wlan <WLAN-NAME>}

show guest-registration notification-status show guest-registration social time [1-Day|1-Month|1-Week|2-Hours|30-Mins|

5-Hours|all] {(facebook|rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>|google)}

Parameters show guest-registration backup-snapshots guest-registration backup-snapshots Displays guest registration statistics based on the parameters passed Displays a list of periodically backed up snapshots of the database. By default, the system maintains a snapshot of the database on a daily basis. Note: Use the service > guest-registration > backup [delete|restore] command to delete these snapshots and to restore deleted snapshots. For more information, see service. show guest-registration [age-range|browsers|devices|gender|os|user-

trends|visitors] time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]

{(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}

guest-registration age-range browsers devices Displays guest registration statistics based on the parameters and time entered. Optionally, use the rfdomain and/or wlan keywords to view guest registration statistics for a specified RF Domain and/or WLAN. Displays the age ranges of logged guest users for a selected time period Displays the browsers used by guest users logged in within a selected time period Displays the device types used by guest users logged in within a selected time period Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 63 SHOW COMMANDS gender os user-trends visitors time [1-Day|1-Month|

1-Week|2-Hours|

30-Mins|5-Hours|all]

[rfdomain

<DOMAIN-NAME|

wlan <WLAN-NAME>]

Displays the gender of guest users logged in within a selected time period Displays the operating system (OS) of devices logged in within a selected time period Displays guest user login trends for a selected time period. It displays statistical data, such as number of new users, number of return users, and total of number users. Displays type of visitors logged in within a selected time period Displays guest registration statistics, for a specified time period. The stats displayed depends on the option selected in the previous step. Specify the time period using one of the following options:

1-Day Displays previous days statistics 1-Month Displays previous months statistics 1-Week Displays previous weeks statistics 2-Hours Displays last 2 hours statistics 30-Mins Displays last 30 minutes statistics 5-Hours Displays last 5 hours statistics all Displays statistics from the day the database was created Use the following options as additional filters:

rfdomain <DOMAIN-NAME> Optional. Displays guest registration statistics for a specified RF Domain.

<DOMAIN-NAME> Specify the RF Domain name. wlan <WLAN-NAME> Optional. Displays guest registration statistics for a specified WLAN.

<WLAN-NAME> Specify the WLAN name. show guest-registration client [email <EMAIL-ADDRESS>|mac <MAC>|member <MEMBER-

ID>|mobile <MOBILE-NUMBER>|name <NAME>]

guest-registration client email

<EMAIL-ADDRESS>

mac <MAC>

member

<MEMBER-ID>

Displays guest registration statistics based on the parameters and time entered. Optionally, use the rfdomain and/or wlan keywords to view guest registration statistics for a specified RF Domain and/or WLAN. Displays statistical data for a specific client. Use the e-mail, mac, member, mobile, name to provide a match criteria. Displays statistical data for the client with e-mail address matching the

<EMAIL-ADDRESS> parameter

<EMAIL-ADDRESS> Specify the clients e-mail address. Displays statistical data for the client with MAC address matching the <MAC>

parameter

<MAC> Specify the clients MAC address Displays statistical data for the client with member ID matching the <MEMBER-ID>

parameter

<MEMBER-ID> Specify the clients member ID. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 64 SHOW COMMANDS mobile

<MOBILE-NUMBER>

name <NAME>

Displays statistical data for the client with mobile number matching the

<MOBILE-NUMBER> parameter

<MOBILE-NUMBER> Specify the clients mobile number. Displays statistical data for the client with name matching the <NAME> parameter

<MOBILE-NUMBER> Specify the clients name. show guest-registration client time [1-Hour|10-Mins|15-Mins|2-Mins|30-Mins|30-

Secs|5-Mins] {(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}

guest-registration client time [1-Day|1-Month|

1-Week|2-Hours|

30-Mins|5-Hours|all]

[rfdomain

<DOMAIN-NAME|

wlan <WLAN-NAME>]

Displays guest registration statistics based on the parameters and time entered. Optionally, use the rfdomain and/or wlan keywords to view guest registration statistics for a specified RF Domain and/or WLAN. Displays statistical data for all clients logged in within a specified time period Use one of the following options to specify the time period:

1-Day Displays previous days statistics 1-Month Displays previous months statistics 1-Week Displays previous weeks statistics 2-Hours Displays last 2 hours statistics 30-Mins Displays last 30 minutes statistics 5-Hours Displays last 5 hours statistics all Displays entire statistics, from the day the database was created Use the following options as additional filters:

rfdomain <DOMAIN-NAME> Optional. Displays guest registration statistics for a specified RF Domain.

<DOMIAIN-NAME> Specify the RF Domain name. wlan <WLAN-NAME> Optional. Displays guest registration statistics for a specified WLAN.

<WLAN-NAME> Specify the WLAN name. show guest-registration loyalty-app-status time [1-Day|1-Month|1-Week|2-

Hours|30-Mins|5-Hours|all] {rfdomain <RF-DOMAIN-NAME>|wlan <WLAN-NAME>}

guest-registration loyalty-app-status time [1-Day|1-Month|

1-Week|2-Hours|

30-Mins|5-Hours|all]

Displays guest registration statistics based on the parameters and time entered Displays captive portal clients Loyalty Application analytics, such as the number of guest clients with loyalty application detection enabled, associating with the captive portals access point during a specified time period Loyalty application detection occurs on the access point to which the guest client is associated, allowing a retail administrator to assess whether a captive portal client is using specific retail (loyalty) applications in their captive portal. For more information on enabling loyalty application detection on a captive portal, see report-loyalty-application. Specifies the time period, using one of the following options:

1-Day Displays previous days captive portal clients Loyalty Application analytics 1-Month Displays previous months captive portal clients Loyalty Application analytics Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 65 SHOW COMMANDS 1-Week Displays previous weeks captive portal clients Loyalty Application analytics 2-Hours Displays last 2 hours captive portal clients Loyalty Application analytics 30-Mins Displays last 30 minutes captive portal clients Loyalty Application analytics 5-Hours Displays last 5 hours captive portal clients Loyalty Application analytics all Displays the entire Loyalty Application analytics, from the day the database was created

{rfdomain

<RF-DOMAIN-NAME>|

wlan <WLAN-NAME>}

Optional. Specifies the rfdomain and/or wlan to view guest registration statistics for a specified RF Domain and/or WLAN rfdomain <RF-DOMAIN-NAME> Displays Loyalty App analytics for a specified RF Domain

<RF-DOMAIN-NAME> Specify the RF Domain name. wlan <WLAN-NAME> Displays Loyalty App analytics for a specified WLAN

<WLAN-NAME> Specify the WLAN name. show guest-registration notification-status guest-registration notification-status Displays guest registration statistics based on the parameters and time entered. Optionally, use the rfdomain and/or wlan keywords to view guest registration statistics for a specified RF Domain and/or WLAN. Displays guest registration notification status show guest-registration social time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-

Hours|all] {(facebook|rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>|google)}

guest-registration social Displays the social sites used by guests to register. Optionally, use the rfdomain time [1-Day|1-Month|

1-Week|2-Hours|

30-Mins|5-Hours|all]

facebook rfdomain

<DOMAIN-NAME>

wlan <WLAN-NAME>

google and/or wlan keywords to view social site used by guests of a specified RF Domain and/or WLAN. Displays social site statistics for a specified time period. Use one of the following time options:

1-Day Displays previous days statistics 1-Month Displays previous months statistics 1-Week Displays previous weeks statistics 2-Hours Displays last 2 hours statistics 30-Mins Displays last 30 minutes statistics 5-Hours Displays last 5 hours statistics all Displays the entire database Displays guest users using Facebook to log in Displays guest users for a specific RF Domain

<DOMAIN-NAME> Specify the RF Domain name. Displays guest users for a specific WLAN

<WLAN-NAME> Specify the WLAN name. Displays guest users using Google to log in Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 66 Example SHOW COMMANDS nx9500-6C8809#show guest-registration age-range time all Timeline: all

---------------------------------

AGE RANGE COUNT

---------------------------------

less_than_18 0 ( 0%) 18_to_24 1 ( 20%) 25_to_34 0 ( 0%) 35_to_44 1 ( 20%) 45_to_54 1 ( 20%) 55_to_64 2 ( 40%) greater_than_64 0 ( 0%)

---------------------------------

nx9500-6C8809#

nx9500-6C8809#show guest-registration browsers time 1-Day rfdomain Test-rfdomain-

10RF Domain: Test-rfdomain-10 Timeline: 1-Day

-----------------------------------

BROWSER COUNT

-----------------------------------

Safari 1 ( 50%) Chrome 1 ( 50%) nx9500-6C8809#

nx9500-6C8809#show guest-registration devices time 30-Mins wlan Test-ssid-9 WLAN: Test-ssid-9 Timeline: 30-Mins

-------------------------------

DEVICE COUNT

-------------------------------

Windows PC 1 (100%) nx9500-6C8809#

nx9500-6C8809#show guest-registration gender time all wlan Test-ssid-10 rfdomain Test-rfdomain-10 RF Domain: Test-rfdomain-10 WLAN: Test-ssid-10 Timeline: all

---------------------------------------------

GENDER COUNT

---------------------------------------------

Male 1 ( 50%) Female 1 ( 50%) Other 0 ( 0%) nx9500-6C8809#

nx9500-6C8809#show guest-registration gender time all wlan Test-ssid-10 rfdomain Test-rfdomain-9

%% No guests registered for specified inputs. nx9500-6C8809#

nx9500-6C8809#show guest-registration os time 1-Day Timeline: 1-Day

-------------------------------

OS COUNT

-------------------------------

Windows 7 3 ( 30%) Apple iOS 3 ( 30%) Macintosh 3 ( 30%) Windows 8 1 ( 10%) nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 67 SHOW COMMANDS nx9500-6C8809#show guest-registration social time 30-Mins Timeline: 30-Mins

---------------------------------------------

SOCIAL ONLINE TOTAL

---------------------------------------------

google 1 (100%) 1 ( 10%) Local 0 ( 0%) 9 ( 90%) nx9500-6C8809#

nx9500-6C8809#show guest-registration user-trends time all Timeline: all

----------------------------------------------------------------------------

SAMPLE RANGE NEW USERS RETURN USERS TOTAL

----------------------------------------------------------------------------

2014-2-16 - 2014-4-17 0 ( 0%) 0 ( 0%) 0 2014-4-17 - 2014-6-16 0 ( 0%) 0 ( 0%) 0 2014-6-16 - 2014-8-15 0 ( 0%) 0 ( 0%) 0 2014-8-15 - 2014-10-14 0 ( 0%) 0 ( 0%) 0 2014-10-14 - 2014-12-13 0 ( 0%) 0 ( 0%) 0 2014-12-13 - 2015-2-11 10 (100%) 0 ( 0%) 10

----------------------------------------------------------------------------

nx9500-6C8809#

nx9500-6C8809#show guest-registration user-trends time 1-Day Timeline: 1-Day

----------------------------------------------------------------------------

SAMPLE RANGE NEW USERS RETURN USERS TOTAL

----------------------------------------------------------------------------

23:16 - 3:16 0 ( 0%) 0 ( 0%) 0 3:16 - 7:16 0 ( 0%) 0 ( 0%) 0 7:16 - 11:16 0 ( 0%) 0 ( 0%) 0 11:16 - 15:16 0 ( 0%) 0 ( 0%) 0 15:16 - 19:16 0 ( 0%) 0 ( 0%) 0 19:16 - 23:16 0 ( 0%) 0 ( 0%) 0

----------------------------------------------------------------------------

nx9500-6C8809#

nx9500-6C8809#show guest-registration visitors time 30-Mins Timeline: 30-Mins

-----------------------------------

VISITORS COUNT

-----------------------------------

New Users 7 ( 70%) Return Users 3 ( 30%) nx9500-6C8809#

nx9500-6C8809#show guest-registration client time 30-Mins email Guest_9@abc.com

-----------------------------------

ATTRIBUTE VALUE

-----------------------------------

city Brooklyn wlan Test-ssid-10 name Guest_9 zip 11204 mobile 9131373709 gender female llogintime 2015-01-20 19:11:14.001000 mobileok on devtype Windows PC createtime 2015-01-20 18:27:14.001000 email Guest_9@abc.com mac 10-00-00-10-00-09 reg_type otp rfd Test-rfdomain-10 Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 68 SHOW COMMANDS agerange <18 group mac_reg_gr1 mid 1234100009 os Windows 7 exptime 2015-11-16 19:21:14.001000 browser Safari

-----------------------------------

nx9500-6C8809#

nx9500-6C8809#show guest-registration client time 30-Mins rfdomain Test-rfdomain-8

-----------------------------------

ATTRIBUTE VALUE

-----------------------------------

loggedin yes wlan Test-ssid-8 name Guest_1 locale en_US llogintime 2015-01-20 19:15:14 devtype Macintosh exptime 2015-11-16 19:21:14 lname Guest_100000 source google mac 10-00-00-10-00-01 email Guest_1@abc.com id 657669862939196 reg_type device fname Test-Guest_1 rfd Test-rfdomain-8 agerange 35-44 timezone 7 profilePic https://www.google.com/user_id/657669862939196/

os Macintosh createtime 2015-01-20 18:45:14 group mac_reg_gr1 browser Chrome

-----------------------------------

city Santa Cruz group mac_reg_gr1 name Guest_2 zip 95062 mobile 3700870747 mid 1234100001 llogintime 2015-01-20 19:18:14 mobileok on devtype Apple iPad exptime 2015-11-16 19:21:14 createtime 2015-01-20 19:11:14 mac 10-00-00-10-00-02 reg_type otp rfd Test-rfdomain-8 agerange 55-64 wlan Test-ssid-8 os Apple iOS email Guest_2@abc.com browser Chrome

-----------------------------------

city Los Angeles group mac_reg_gr1 name Guest_5 zip 90001 mobile 9129618672 mid 1234100005 llogintime 2015-01-20 19:20:14 devtype Macintosh exptime 2015-11-16 19:21:14 createtime 2015-01-20 19:05:14 Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 69 SHOW COMMANDS mac 10-00-00-10-00-05 reg_type device rfd Test-rfdomain-8 agerange 18-24 wlan Test-ssid-8 os Macintosh email Guest_5@abc.com browser Chrome

-----------------------------------

nx9500-6C8809#

nx7500-112233#show guest-registration loyalty-app-status time all Timeline: all

---------------------------------------------

LOYALTY APP STATUS COUNT

---------------------------------------------

Loyalty App Users 491 ( 49%) Others 510 ( 51%) nx7500-112233#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 70 SHOW COMMANDS 6.1.32 interface show commands Displays configured system interfaces and their status Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show interface {<INTERFACE-NAME>|brief|counters|ge|me1|port-channel|pppoe1|

switchport|vlan|wwan1}

show interface {<INTERFACE-NAME>|brief|counters|ge <1-4>|me1|port-channel <1-2>|

pppoe1|switchport|vlan <1-4094>|wwan1} {on <DEVICE-NAME>}

Parameters show interface {<INTERFACE-NAME>|brief|counters|ge <1-4>|me1|port-channel <1-

2>|pppoe1|switchport|vlan <1-4094>|wwan1} {on <DEVICE-NAME>}

interface

<INTERFACE-NAME> Optional. Displays status of the interface specified by the <INTERFACE-NAME>

Optional. Displays system interface status based on the parameters passed brief counters ge <1-4>

me1 port-channel <1-2>

pppoe1 switchport vlan <1-4094>

wwan1 on <DEVICE-NAME>

parameter. Specify the interface name. Optional. Displays a brief summary of the interface status and configuration Optional. Displays interface Tx or Rx counters Optional. Displays Gigabit Ethernet interface status and configuration

<1-4> Select the Gigabit Ethernet interface index from 1 - 4. Optional. Displays Fast Ethernet interface status and configuration Optional. Displays port channel interface status and configuration

<1-2> Specify the port channel index from 1 - 2. Optional. Displays PPP over Ethernet interface status and configuration Optional. Displays layer 2 interface status Optional. Displays VLAN interface status and configuration

<1-4094> Specify the Switch Virtual Interface (SVI) VLAN ID from 1 - 4094. Optional. Displays Wireless WAN interface status, configuration, and counters The following keywords are common to all of the above interfaces:

on <DEVICE-NAME> Optional. Displays interface related information on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 71 SHOW COMMANDS Example Following interfaces are available on a RFS6000 controller:

rfs6000-81742D(config)#show interface ?

WORD Interface name brief Brief summary of interface status and configuration counters Interface tx/rx counters ge GigabitEthernet interface me1 FastEthernet interface on On AP/Controller port-channel Port-Channel interface pppoe1 PPP Over Ethernet interface switchport Status of Layer2 interfaces up1 WAN Ethernet interface vlan Switch VLAN interface wwan1 Wireless WAN interface

| Output modifiers

> Output redirection

>> Output redirection appending

<cr>

rfs6000-81742D(config)#

rfs6000-81742D(config)#show interface switchport

--------------------------------------------------------------------------------

-------

INTERFACE STATUS MODE VLAN(S)

--------------------------------------------------------------------------------

-------

ge1 DOWN access 1 ge2 DOWN access 1 ge3 DOWN access 1 ge4 DOWN access 1 ge5 DOWN access 1 ge6 DOWN access 1 ge7 DOWN access 1 ge8 DOWN access 1 up1 UP access 1

--More--

rfs6000-81742D(config)#

rfs6000-81742D(config)#show interface ge 1 Interface ge1 is DOWN Hardware-type: ethernet, Mode: Layer 2, Address: 00-15-70-81-74-2E Index: 2001, Metric: 1, MTU: 1500 Speed: Admin Auto, Operational n/a, Maximum 1G Duplex: Admin Auto, Operational n/a Active-medium: n/a Switchport settings: access, access-vlan: 1 Input packets 0, bytes 0, dropped 0 Received 0 unicasts, 0 broadcasts, 0 multicasts Input errors 0, runts 0, giants 0 CRC 0, frame 0, fragment 0, jabber 0 Output packets 0, bytes 0, dropped 0 Sent 0 unicasts, 0 broadcasts, 0 multicasts Output errors 0, collisions 0, late collisions 0 Excessive collisions 0 rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 72 SHOW COMMANDS rfs6000-81742D(config)#show interface counters

--------------------------------------------------------------------------------

------------------------------

INTF MAC RX-PKTS RX-BYTES RX-DROP TX-PKTS TX-BYTES TX-DROP

--------------------------------------------------------------------------------

------------------------------

me1 00-15-70-81-74-36 0 0 0 0 0 0 vlan1 00-15-70-81-74-2D 1578154 279596323 0 82096 14710688 0 ge1 00-15-70-81-74-2E 0 0 0 0 0 0 ge2 00-15-70-81-74-2F 0 0 0 0 0 0 ge3 00-15-70-81-74-30 0 0 0 0 0 0 ge4 00-15-70-81-74-31 0 0 0 0 0 0 ge5 00-15-70-81-74-32 0 0 0 0 0 0 ge6 00-15-70-81-74-33 0 0 0 0 0 0

--More--

rfs6000-81742D(config)#

rfs6000-81742D(config)#show interface vlan 1 Interface vlan1 is UP Hardware-type: vlan, Mode: Layer 3, Address: 00-15-70-81-74-2D Index: 5, Metric: 1, MTU: 1500 IP-Address: 192.168.13.24/24 input packets 1578392, bytes 279625825, dropped 0, multicast packets 0 input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0 output packets 82159, bytes 14717966, dropped 0 output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0 collisions 0 IPv6 mode is disabled rfs6000-81742D(config)#

nx9500-6C8809(config)#show interface switchport

--------------------------------------------------------------------------------

-------

INTERFACE STATUS MODE VLAN(S)

--------------------------------------------------------------------------------

-------

ge1 UP access 1 ge2 DOWN access 1

--------------------------------------------------------------------------------

-------

A '*' next to the VLAN ID indicates the native vlan for that trunk port nx9500-6C8809(config)#

nx9500-6C8809(config)#show interface vlan 1 Interface vlan1 is UP Hardware-type: vlan, Mode: Layer 3, Address: B4-C7-99-6C-88-09 Index: 5, Metric: 1, MTU: 1500 IP-Address: 192.168.13.13/24 input packets 4623946, bytes 568905032, dropped 0, multicast packets 0 input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0 output packets 458235, bytes 90317187, dropped 0 output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0 collisions 0 IPv6 mode is disabled nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 73 SHOW COMMANDS nx9500-6C8809(config)#show interface ge 1 Interface ge1 is UP Hardware-type: ethernet, Mode: Layer 2, Address: 00-1E-67-4B-BF-BC Index: 2001, Metric: 1, MTU: 1500 Speed: Admin Auto, Operational 1G, Maximum 1G Duplex: Admin Auto, Operational Full Active-medium: n/a Input packets 2326745, bytes 348775278, dropped 0 Received 2326745 unicasts, 4367 broadcasts, 1219173 multicasts Input errors 0, runts 0, giants 0 CRC 0, frame 0, fragment 0, jabber 0 Output packets 1080901, bytes 244595966, dropped 0 Sent 1080901 unicasts, 392 broadcasts, 132573 multicasts Output errors 0, collisions 0, late collisions 0 Excessive collisions 0 nx9500-6C8809(config)#

nx9500-6C8809(config)#show interface counters

--------------------------------------------------------------------------------

------------------------------

INTF MAC RX-PKTS RX-BYTES RX-DROP TX-PKTS TX-BYTES TX-DROP

--------------------------------------------------------------------------------

------------------------------

vlan1 B4-C7-99-6C-88-09 2571193 341672167 0 625888 90924957 0 ge1 00-1E-67-4B-BF-BC 2326629 348759017 0 1080855 244588229 0 ge2 00-1E-67-4B-BF-BD 0 0 0 0 0 0 port..nel1 00-1E-67-4B-BF-BC 2326631 348759243 0 1080857 244588673 0

--------------------------------------------------------------------------------

------------------------------

nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 74 SHOW COMMANDS 6.1.33 ip show commands Displays IP related information Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show ip [arp|bgp|ddns|default-gateways|dhcp|dhcp-vendor-options|domain-name|

extcommunity-list|igmp|interface|name-server|nat|ospf|route|routing]

show ip arp {<VLAN-NAME>} {(on <DEVICE-NAME>)}

show ip bgp {<IP>|<IP/M>|community|community-list|filter-list|neighbors|on|paths|

prefix-list|regexp|route-map|state|summary}

show ip ddns bindings {on <DEVICE-NAME>}

show ip dhcp [binding|networks|status]

show ip dhcp binding {manual} {(on <DEVICE-NAME>)}

show ip dhcp [networks|status] {on <DEVICE-NAME>}

show ip [default-gateways|dhcp-vendor-options|domain-name|name-server|routing]

{on <DEVICE-NAME>}

show ip extcommunity-list [<1-500>|<NAME>]

show ip igmp snooping [mrouter|querier|vlan]

show ip igmp snooping [mrouter|querier] vlan <1-4095> {on <DEVICE-NAME>}

show ip igmp snooping vlan <1-4095> {<IP>} {(on <DEVICE-NAME>)}

show ip interface {<INTERFACE-NAME>|brief|on}

show ip interface {<INTERFACE-NAME>|brief} {(on <DEVICE-NAME>)}

show ip nat translations verbose {on <DEVICE-NAME>}

show ip route {<INTERFACE-NAME>|ge|me1|on|port-channel|pppoe1|vlan|wwan1}

show ip route {<INTERFACE-NAME>|ge <1-4>|me1|port-channel <1-2>|vlan <1-4094>|

pppoe1|wwan1} {(on <DEVICE-NAME>)}

show ip ospf {border-router|interface|neighbor|on|route|state}

show ip ospf {border-router|neighbor|route|on|state} {on <DEVICE-NAME>}

show ip ospf {interface} {vlan|on}

show ip ospf {interface} {vlan <1-4094>} {(on <DEVICE-NAME>)}

NOTE: The show ip ospf command is also available under the profile and device modes. Parameters show ip arp {<VLAN-NAME>} {(on <DEVICE-NAME>)}

ip arp

<VLAN-NAME>

Displays Address Resolution Protocol (ARP) mappings Optional. Displays ARP mapping on a specified VLAN. Specify the VLAN name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 75 SHOW COMMANDS on

<DEVICE-NAME>

The following keyword is recursive and common to the vlan-name parameter:

on <DEVICE-NAME> Optional. Displays ARP configuration details on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. show ip bgp {<IP>|<IP/M>|community|community-list|filter-list|neighbors|on|

paths|prefix-list|regexp|route-map|state|summary}

ip bgp

<IP>

<IP/M>

community community-list filter-list neighbors Displays BGP routing table statistics based on the match criteria specified here. Routes matching the specified criteria are filtered. Use available options to filter the information displayed. This command is applicable to the RFS4000, RFS6000, NX9XXX model devices. Optional. Filters routes matching the specified IP address Optional. Filters routes matching the specified network Optional. Filters routes based on the community attribute specified. The options are:

AA:NN Filters routes based on the community number (AA: is the autonomous system number (ASN), NN: is the community number within the specified ASN) local-as Filters routes carrying the local-as attribute (these routes are not sent outside the local AS) no-advertise Filters routes carrying the no-advertise attribute (these routes are not advertised to any peers) no-export Filters routes carrying no-export attribute (these routes are not exported to next AS) Optional. Displays routes that are members of communities included in the specified BGP community-list

<1-500> Specify the community-list number.

<WORD> Specify the community-list name. Optional. Filters routes having AS-path matching the specified AS-path access list. Specify the AS-path ACL name. Optional. Displays BGP neighbor details. Specify the IP address, to view a specific neighbor details. Use one of the following options to filter information:

advertised-routes Displays route information for routes advertised to the selected neighbor device received-routes Displays route information for routes received from the selected neighbor device routes Displays the route information for routes learned from the selected neighbor device If no neighbor IP address is specified, the system displays all neighbor-related routes on the logged device. on <DEVICE-NAME> Optional. Displays BGP routing table statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. paths prefix-list

<PREFIX-LIST-NAME>

Optional. Displays BGP path details Optional. Displays routes confirming to the specified prefix-list

<PREFIX-LIST-NAME> Specify the prefix list name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 76 SHOW COMMANDS regexp <LINE>

route-map

<ROUTE-MAP-

NAME>

Optional. Displays routes matching the specified AS path regular expression

<LINE> Specify the regular expression. Optional. Displays routes matching the specified route map

<ROUTE-MAP-NAME> Specify the route map name. show ip ddns bindings {on <DEVICE-NAME>}

ip ddns bindings

{on <DEVICE-NAME>}

Displays Dynamic Domain Name Server (DDNS) configuration details Displays DDNS address bindings on <DEVICE-NAME> Optional. Displays address bindings on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. show ip dhcp [networks|status] {on <DEVICE-NAME>}

ip dhcp networks status on <DEVICE-NAME>

Displays DHCP server related details, such as network and status Displays DHCP server network details Displays DHCP server status The following keyword is common to all of the above parameters:

on <DEVICE-NAME> Optional. Displays server status and network details on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. show ip dhcp binding {manual} {(on <DEVICE-NAME>)}

ip dhcp bindings manual on <DEVICE-NAME>

Displays the DHCP server configuration details Displays DHCP address bindings Optional. Displays static DHCP address bindings The following keyword is recursive and common to the manual parameter:

on <DEVICE-NAME> Optional. Displays DHCP address bindings on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. show ip extcommunity-list [<1-500>|<NAME>]

ip extcommunity-list

[<1-500>|<NAME>]

Displays the specified extended community list details

<1-500> Specify the extended community number from 1 - 500.

<NAME> Specify the extended community name. This command is applicable to the RFS4000, RFS6000, NX95XX model devices. show ip [default-gateways|dhcp-vendor-options|domain-name|name-server|

routing] {on <DEVICE-NAME>}

ip default-gateways ip dhcp-vendor-

options ip domain-name Displays all learnt default gateways Displays DHCP 43 parameters received from the DHCP server. This output includes the interface from which the option was learned. Displays the DNS default domain Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 77 SHOW COMMANDS ip name-server ip routing on <DEVICE-NAME>

Displays the DNS name server details Displays routing status The following keywords are common to all of the above parameters:

on <DEVICE-NAME> Optional. Displays IP related information, based on the parameters passed, on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. show ip igmp snooping [mrouter|querier] vlan <1-4095> {on <DEVICE-NAME>}

ip igmp snooping mrouter querier vlan <1-4095>

{on <DEVICE-NAME>}

Displays the IGMP snooping configuration Displays the IGMP snooping multicast router (mrouter) configuration Displays the IGMP snooping multicast querier configuration Displays the IGMP snooping multicast router configuration for a VLAN

<1-4095> Specify the VLAN ID from 1 - 4095. on <DEVICE-NAME> Optional. Displays the IGMP snooping mrouter configuration on a specified device

<DEVICE-NAME> Specify the name of the AP or wireless controller. show ip igmp snooping vlan <1-4095> {<IP>} {(on <DEVICE-NAME>)}

ip igmp snooping vlan <1-4095>

<IP>

on <DEVICE-NAME>

Displays the IGMP snooping configuration Displays the VLAN IGMP snooping configuration

<1-4095> Specify the VLAN ID from 1 - 4095. Optional. Specifies the multicast group IP address The following keyword is recursive and common to the ip parameter:

on <DEVICE-NAME> Optional. Displays configuration details on a specified device

<DEVICE-NAME> Specify the name of the AP or wireless controller. show ip interface {<INTERFACE-NAME>|brief} {(on <DEVICE-NAME>)}

ip interface Displays an administrative and operational status of all layer 3 interfaces or a specified layer 3 interface

<INTERFACE-NAME> Optional. Displays a specified interface status. Specify the interface name. Optional. Displays a brief summary of all interface status and configuration brief The following keyword is recursive and common to the interface-name and brief on <DEVICE-NAME>

parameters:

on <DEVICE-NAME> Optional. Displays interface status and summary, based on the parameters passed, on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. show ip nat translations verbose {on <DEVICE-NAME>}

ip nat translations verbose Displays Network Address Translation (NAT) translations Displays detailed NAT translations on <DEVICE-NAME> Optional.Displays NAT translations on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 78 SHOW COMMANDS show ip route {<INTERFACE-NAME>|ge <1-4>|me1|port-channel <1-2>|vlan <1-4094>|

pppoe1|wwan1} {(on <DEVICE-NAME>)}

ip route Displays route table details. The route tables use flags to distinguish between routes. The different flags are:

C Connected G Gateway O OSPF route S Static route Note: Flags S and O identify static learned routes and dynamic learned routes respectively.

<INTERFACE-NAME> Optional. Displays route table details for a specified interface. Specify the interface ge <1-4>

me1 port-channel <1-2>

vlan <1-4094>

pppoe1 wwan1 on <DEVICE-NAME>

name Optional. Displays GigabitEthernet interface route table details

<1-4> Specify the GigabitEthernet interface index from 1 - 4. Optional. Displays FastEthernet interface route table details Optional. Displays port channel interface route table details. Specify the port channel index from 1 - 2. Optional. Displays VLAN interface route table details. Select the VLAN interface ID from 1 - 4094. Optional. Displays Point-to-point Protocol over Ethernet (PPPoE) interface route table details Optional. Displays Wireless WAN route table details The following keywords are recursive and common to all of the above parameters:

on <DEVICE-NAME> Displays route table details, based on the parameters passed, on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. show ip ospf {border-router|interface|neighbor|route|on|state} {on <DEVICE-

NAME>}

ip ospf border-router interface

{on| vlan <1-4094>}

{on <DEVICE-NAME>}

Displays overall OSPF information Optional. Displays details of all the border routers connected Optional. Displays details of all the interfaces with OSPF enabled on <DEVICE-NAME> Optional. Displays specified device details vlan <1-4094> Displays VLAN interface details neighbor route on <DEVICE-NAME>

<DEVICE-NAME> Specify the name of the AP or wireless controller. Optional. Displays an OSPF neighbors list Optional. Displays OFPS routes information Optional. Displays overall OSPF information on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. state Optional. Displays an OSPF process state Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 79 SHOW COMMANDS on <DEVICE-NAME>

The following keywords are recursive and common to all of the above parameters:

on <DEVICE-NAME> Optional. Displays overall OSPF information, based on the parameters passed, on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Example rfs6000-81742D(config)#show ip arp

--------------------------------------------------------------------------------

IP MAC INTERFACE TYPE

--------------------------------------------------------------------------------

192.168.13.10 00-02-B3-28-D1-55 vlan1 dynamic 192.168.13.13 B4-C7-99-6C-88-09 vlan1 dynamic 192.168.13.2 00-0F-8F-19-BA-4C vlan1 dynamic

--------------------------------------------------------------------------------

rfs6000-81742D(config)#

rfs6000-81742D(config)#show ip interface brief

-------------------------------------------------------------------------------

INTERFACE IP-ADDRESS/MASK TYPE STATUS PROTOCOL

-------------------------------------------------------------------------------

me1 unassigned n/a UP down vlan1 192.168.13.24/24 primary UP up

-------------------------------------------------------------------------------

rfs6000-81742D(config)#

rfs6000-81742D(config)#show ip route

--------------------------------------------------------------------------------

DESTINATION GATEWAY FLAGS INTERFACE METRIC DISTANCE

--------------------------------------------------------------------------------

default 192.168.13.2 S vlan1 0 1 192.168.13.0/24 0.0.0.0 C vlan1 0 0

--------------------------------------------------------------------------------

Flags: C - Connected G - Gateway O - OSPF B - BGP S - Static Gateway: N - Normalized Gateway Address rfs6000-81742D(config)#

rfs6000-81701D(config)#show ip route port-channel 1

--------------------------------------------------------------------------------

DESTINATION GATEWAY FLAGS INTERFACE METRIC DISTANCE

--------------------------------------------------------------------------------

192.168.0.0/24 direct C me1 0 0 172.18.0.0/24 direct C vlan1 0 0 10.2.0.0/24 172.18.0.1 S vlan1 0 1 default 192.168.13.2 S vlan192 0 1 192.168.13.0/24 direct C vlan192 0 0

--------------------------------------------------------------------------------

Flags: C - Connected G - Gateway O - OSPF B - BGP S - Static Gateway: N - Normalized Gateway Address rfs6000-81701D(config)#

nx9500-6C8809(config)#show ip routing on rfs6000-81742D IP routing is enabled. nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 80 SHOW COMMANDS nx9500-6C8809(config)#show ip dhcp status State of DHCP server: not-running nx9500-6C8809(config)#

rfs6000-81701D(config)#show ip ospf state Maximum number of OSPF routes allowed: 9216 Number of OSPF routes received: 0 Ignore-count allowed: 5, current ingore-count: 0 Ignore-time 60 seconds, reset-time 360 seconds Current OSPF process state: Running rfs6000-81701D(config)#

rfs6000-81742D(config)#show ip route on ap7532-A2A56C

--------------------------------------------------------------------------------

DESTINATION GATEWAY FLAGS INTERFACE METRIC DISTANCE

--------------------------------------------------------------------------------

169.254.0.0/16 0.0.0.0 C vlan1 0 0 default 192.168.9.2 CG vlan1 0 1 192.168.9.0/24 0.0.0.0 C vlan1 0 0

--------------------------------------------------------------------------------

Flags: C - Connected G - Gateway O - OSPF B - BGP S - Static Gateway: N - Normalized Gateway Address rfs6000-81742D(config)#

rfs6000-81742D(config)#show ip dhcp-vendor-options

--------------------------------------------------------------------------------

ITEM VALUE INTERFACE

--------------------------------------------------------------------------------

Server Info n/a vlan1 Firmware Image File n/a vlan1 Config File n/a vlan1 Legacy Adoption Info n/a n/a AP Adoption Info n/a n/a Controller Adoption Info n/a n/a

--------------------------------------------------------------------------------

rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 81 SHOW COMMANDS 6.1.34 ip-access-list show commands Displays IP access list statistics NOTE: This command is not available in the USER EXEC Mode. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show ip-access-list stats {<IP-ACCESS-LIST-NAME>|detail|on}

show ip-access-list stats {<IP-ACCESS-LIST-NAME>|detail <IP-ACCESS-LIST-NAME>}

{(on <DEVICE-NAME>)}

Parameters show ip-access-list stats {<IP-ACCESS-LIST-NAME>|detail <IP-ACCESS-LIST-NAME>}

{(on <DEVICE-NAME>)}

ip-access-list stats

<IP-ACCESS-LIST-

NAME>

detail

<IP-ACCESS-LIST-

NAME>

on <DEVICE-NAME>

Displays IP access list statistics Optional. Displays statistics for a specified IP access list. Specify the IP access list name. Optional. Displays detailed statistics for a specified IP access list. Specify the IP access list name. The following keyword is recursive and common to the IP-ACCESS-LIST-NAME and detail parameters:

on <DEVICE-NAME> Optional. Displays all or a specified IP access list statistics on a specified device.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Example rfs6000-81742D(config)#show ip-access-list stats IP Access-list: # Restrict Management ACL #

permit tcp any any eq ftp rule-precedence 1 Hitcount: 0 permit tcp any any eq www rule-precedence 2 Hitcount: 4 permit tcp any any eq ssh rule-precedence 3 Hitcount: 448 permit tcp any any eq https rule-precedence 4 Hitcount: 0 permit udp any any eq snmp rule-precedence 5 Hitcount: 0 permit tcp any any eq telnet rule-precedence 6 Hitcount: 4 rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 82 SHOW COMMANDS The following example displays the auto-tunnel-acl IP ACL configuration:

rfs4000-229D58(config)#ip access-list auto-tunnel-acl rfs4000-229D58(config-ip-acl-auto-tunnel-acl)#show context ip access-list auto-tunnel-acl permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2 permit ip host 200.200.200.99 any rule-precedence 3 rfs4000-229D58(config-ip-acl-auto-tunnel-acl)#

The following example displays the statistics for the auto-tunnel-acl ACL:

rfs4000-229D58#show ip-access-list stats IP Access-list: auto-tunnel-acl permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2 Hitcount: 0 permit ip host 200.200.200.99 any rule-precedence 3 Hitcount: 0 rfs4000-229D58#

nx9500-6C8809#show ip-access-list stats scaleacl | i 125 permit ip host 125.1.1.1 any rule-precedence 125 Hitcount: 893 Hardware Hitcount: 3120 permit ip host 125.2.1.1 any rule-precedence 346 Hitcount: 0 Hardware Hitcount: 0 nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 83 SHOW COMMANDS 6.1.35 ipv6 show commands Displays IPv6 related information Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show ipv6 [default-gateways|delegated-prefix|dhcp|hop-limit|interface|mld|name-

server|neighbors|route]

show ipv6 [default-gateways|delegated-prefix|hop-limit|name-server] {on <DEVICE-

NAME>}

show ipv6 dhcp [client received-options|relay status|status] {on <DEVICE-NAME>}

show ipv6 interface {<IF-NAME>|brief} {(on <DEVICE-NAME>)}

show ipv6 mld snooping [mrouter vlan <1-4095>|querier vlan <1-4095>|vlan <1-4095>]

{on <DEVICE-NAME>}

show ipv6 neighbors <VLAN-NAME> {(on <DEVICE-NAME>)}

show ipv6 route {<IF-NAME>|ge <1-X>|me1|port-channel <1-2>|ppppoe1|serial <1-4>|

t1e1 <1-4> <1-1>|up|vlan <1-4095>|wwan1|xge} {(on <DEVICE-NAME>)}

Parameters show ipv6 [default-gateways|delegated-prefix|hop-limit|name-server] {on

<DEVICE-NAME>}

ipv6 default-gateways delegated-prefix hop-limit name-server on <DEVICE-NAME>

Displays IPv6 related information Displays all learnt default gateways Displays prefix delegation information Displays the configured IPv6 hop count value Displays DNS name servers This parameter is common to all of the above keywords. on <DEVICE-NAME> Optional. Displays the specified information on a device

(access point, wireless controller, or service platform)

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show ipv6 dhcp [client received-options|relay status|status] {on <DEVICE-NAME>}

Displays IPv6 related information Displays DHCPv6 related information ipv6 dhcp client received-options Displays DHCP options received from clients relay status status Displays the DHCPv6 relay agents running status Displays the DHCPv6 stateless server daemons status. In case the DHCPv6 server is up and running, it also displays interface names. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 84 SHOW COMMANDS on <DEVICE-NAME>

This parameter is common to all of the above keywords. on <DEVICE-NAME> Optional. Displays the specified information on a device

(access point, wireless controller, or service platform)

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show ipv6 interface {<IF-NAME>|brief} {(on <DEVICE-NAME>)}

ipv6 interface

{<IF-NAME>|brief}

Displays IPv6 related information Displays IPv6 status and configuration on a specified interface related information

<IF-NAME> Optional. Specify the interface name. brief Optional. Displays a brief summary of IPv6 status and configuration on the on <DEVICE-NAME>

specified interface This parameter is common to all of the above keywords. on <DEVICE-NAME> Optional. Displays the specified information on a device

(access point, wireless controller, or service platform)

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show ipv6 mld snooping [mrouter vlan <1-4095>|querier vlan <1-4095>|vlan <1-

4095>] {on <DEVICE-NAME>}

ipv6 mld snooping mrouter vlan

<1-4095>

querier vlan

<1-4095>

vlan <1-4095>

on <DEVICE-NAME>

Displays IPv6 related information Displays Multicast Listener Discovery Protocol (MLD) snooping related information Displays IPv6 multicast router information on the specified VLAN Displays IPv6 multicast querier information on the specified VLAN Displays MLD snooping related information on the specified VLAN This parameter is common to all of the above keywords. on <DEVICE-NAME> Optional. Displays the specified information on a device

(access point, wireless controller, or service platform)

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show ipv6 neighbors <VLAN-NAME> {(on <DEVICE-NAME>)}

ipv6 neighbors

<VLAN-NAME>

on <DEVICE-NAME>

Displays IPv6 related information Displays IPv6 neighbors on the specified VLAN Optional. Displays IPv6 neighbors on a specified device (access point, wireless controller, or service platform)

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show ipv6 route {<IF-NAME>|ge <1-X>|me1|port-channel <1-2>|ppppoe1|serial <1-4>|

t1e1 <1-4> <1-1>|up|vlan <1-4095>|wwan1|xge} {(on <DEVICE-NAME>)}

ipv6 Displays IPv6 related information Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 85 SHOW COMMANDS route

<IF-NAME>

ge <1-X>

me1 port-channel <1-2>

pppoe1 vlan <1-4095>

up wwan1 xge <1-4>

on <DEVICE-NAME>

Displays IPv6 route table Optional. Displays IPv6 route table for the interface identified by the <IF-NAME>

keyword Optional. Displays IPv6 route table for the selected GigabitEthernet interface Optional. Displays IPv6 route table for the FastEthernet interface Optional. Displays IPv6 route table for the selected port-channel interface Optional. Displays IPv6 route table for the PPP over Ethernet interface Optional. Displays IPv6 route table for the selected VLAN interface Optional. Displays IPv6 route table for the WAN Ethernet interface Optional. Displays IPv6 route table for the wireless WAN interface Optional. Displays IPv6 route table for the selected TenGigabitEthernet interface Applicable only for the NX9500 and NX9510 service platforms. This parameter is common to all of the above keywords. on <DEVICE-NAME> Optional. Displays the specified information on a device

(access point, wireless controller, or service platform)

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example rfs6000-81742D(config)#show ipv6 dhcp client received-options DHCPv6 Client received options:

Interface:

None Server Identifier:

None Client Identifier:

None DNS Servers:

None Domain Name:

None Sip Servers:

None Sip Domain Name:

None Refresh Time:

None Server Preference:

None Vendor Options:

None rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 86 SHOW COMMANDS rfs4000-229D58(config)#show ipv6 route

--------------------------------------------------------------------------------

DESTINATION GATEWAY FLAGS INTERFACE

--------------------------------------------------------------------------------

2000:abcd::/64 fe80::300:1 S vlan300 default fe80::11:1 R vlan11 4444:1111::/64 direct C vlan1

--------------------------------------------------------------------------------

Flags: C - Connected G - Gateway S - Static R - IPv6-RA rfs4000-229D58(config)#

rfs4000-229D58#show ipv6 default-gateways

--------------------------------------------------------------------------------

Source: IPv6-RA Gateway-address : fe80::100:1 Preference: medium Status : not-monitored Insatlled : NO Interface : vlan100 Remaining Lifetime: 1471 sec

--------------------------------------------------------------------------------

Source: IPv6-RA Gateway-address : fe80::1:2 Preference: low Status : not-monitored Insatlled : NO Interface : vlan1 Remaining Lifetime: 1488 sec

--------------------------------------------------------------------------------

Source: Static-Route Gateway-address : fe80::2000:1 Preference: NA Status : unreachable Insatlled : NO Interface : vlan2000 Remaining Lifetime: forever

--------------------------------------------------------------------------------

Source: IPv6-RA Gateway-address : fe80::11:1 Preference: high Status : reachable Insatlled : YES Interface : vlan11 Remaining Lifetime: 1471 sec

--------------------------------------------------------------------------------

rfs4000-229D58#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 87 SHOW COMMANDS 6.1.36 ipv6-access-list show commands Displays IPv6 access list statistics NOTE: This command is not available in the USER EXEC Mode. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show ipv6-access-list stats <IPv6-ACCESS-LIST-NAME> {(on <DEVICE-NAME>)}

Parameters show ipv6-access-list stats <IPv6-ACCESS-LIST-NAME> {(on <DEVICE-NAME>)}

ipv6-access-list stats Displays IPv6 access list statistics

<IPv6-ACCESS-LIST-

NAME>

Optional. Displays statistics for a specified IPv6 access list. Specify the IPv6 access list name. If IPv6 ACL name is not provided, the system displays statistics for all ACLs configured and applied. on <DEVICE-NAME> Optional. Displays all or a specified IPv6 access list statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example rfs6000-81742D#show ipv6-access-list stats IPV6 Access-list: test deny ipv6 any any rule-precedence 20 Hitcount: 4 rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 88 SHOW COMMANDS 6.1.37 l2tpv3 show commands Displays a Layer 2 Tunnel Protocol Version 3 (L2TPV3) session information Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 NOTE: This command is not available in the USER EXEC mode. Syntax l2tpv3 {on|tunnel|tunnel-summary}

l2tpv3 {on <DEVICE-NAME>}

l2tpv3 {tunnel <L2TPV3-TUNNEL-NAME>} {session <L2TPV3-SESSION-NAME>} {(on <DEVICE-

NAME>)}

l2tpv3 {tunnel-summary} {down|on|up}

l2tpv3 {tunnel-summary} {on <DEVICE-NAME>}

l2tpv3 {tunnel-summary} {down|up} {on <DEVICE-NAME>}

Parameters l2tpv3 {on <DEVICE-NAME>}

l2tpv3

{on <DEVICE-NAME>}

Displays a L2TPv3 tunnel and session details or summary on <DEVICE-NAME> Optional. Displays L2TPv3 information on a specified access point or wireless controller

<DEVICE-NAME> Specify the name of AP, wireless controller, or service plat-

form. l2tpv3 {tunnel <L2TPV3-TUNNEL-NAME>} {session <L2TPV3-SESSION-NAME>} {(on

<DEVICE-NAME>)}

l2tpv3 tunnel

<L2TPV3-TUNNEL-

NAME>

session

<L2TPV3-SESSION-

NAME>

on <DEVICE-NAME>

Displays a L2TPv3 tunnel and session details or summary Optional. Displays a specified L2TPv3 tunnel information

<L2TPV3-TUNNEL-NAME> Specify the L2TPv3 tunnel name. Optional. Displays a specified L2TPv3 tunnel session information

<L2TPV3-SESSION-NAME> Specify the session name. The following keyword is recursive and common to the session <L2TPV3-SESSION-

NAME> parameter. on <DEVICE-NAME> Optional. Displays a L2TPv3 tunnel and session details, based on the parameters passed, on a specified device.

<DEVICE-NAME> Specify the name of AP, wireless controller, or service plat-

form. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 89 SHOW COMMANDS l2tpv3 {tunnel-summary} {on <DEVICE-NAME>}

l2tpv3 tunnel-summary

{on <DEVICE-NAME>}

Displays L2TPv3 tunnel and session details or summary For an L2TPv3 tunnel over Auto IPSec, the tunnel status is displayed as: Established

(secured by ipsec) Optional. Displays L2TPv3 tunnel summary on <DEVICE-NAME> Optional. Displays a L2TPv3 tunnel summary on a specified device

<DEVICE-NAME> Specify the name of AP, wireless controller, or service plat-

form. l2tpv3 {tunnel-summary} {down|up} {on <DEVICE-NAME>}

l2tpv3 tunnel-summary down up on <DEVICE-NAME>

Displays a L2TPv3 tunnel and session details or summary Optional. Displays a L2TPv3 tunnel summary, based on the parameters passed Optional. Displays un-established tunnels summary Optional. Displays established tunnels summary The following keyword is common to the down and up parameters:

on <DEVICE-NAME> Optional. Displays summary, for un-established or established tunnels, on a specified device

<DEVICE-NAME> Specify the name of AP, wireless controller, or service plat-

form. Example ap7131-11E6C4#show l2tpv3 tunnel-summary

--------------------------------------------------------------------------------

-------

Sl No Tunnel Name Tunnel State Estd/Total Sessions Encapsulation Protocol

--------------------------------------------------------------------------------

-------

1 testTunnel Established (secured by ipsec) 1/1 IP Total Number of Tunnels 1 ap7131-11E6C4#

ap7131-11E6C4#show l2tpv3

-------------------------------------------------------------------------------

Tunnel Name : testTunnel Control connection id : 2238970979 Peer Address : 30.1.1.1 Local Address : 30.1.1.30 Encapsulation Protocol : IP MTU : 1460 Peer Host Name : rfss Peer Vendor Name : Example Company Peer Control Connection ID : 322606389 Tunnel State : Established (secured by ipsec) Establishment Criteria : always Sequence number of the next msg to the peer : 29 Expected sequence number of the next msg from the peer :42 Sequence number of the next msg expected by the peer : 29 Retransmission count : 0 Reconnection count : 0 Uptime : 0 days 1 hours 2 minutes 47 seconds

-------------------------------------------------------------------------------

Session Name : session1 VLANs : 30 Pseudo Wire Type : Ethernet_VLAN Serial number for the session : 6 Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 90 SHOW COMMANDS Local Session ID : 129538998 Remote Session ID : 8151374 Size of local cookie (0, 4 or 8 bytes) : 0 First word of local cookie : 0 Second word of local cookie : 0 Size of remote cookie (0, 4 or 8 bytes) : 0 First word of remote cookie : 0 Second word of remote cookie : 0 Session state : Established Remote End ID : 444 Trunk Session : 1 Native VLAN tagged : Enabled Native VLAN ID : 0 Number of packets received : 0 Number of bytes received : 0 Number of packets sent : 0 Number of bytes sent : 0 Number of packets dropped : 0 ap7131-11E6C4#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 91 SHOW COMMANDS 6.1.38 lacp show commands Displays Link Aggregation Control Protocol (LACP) related information NOTE: For more information on enabling dynamic LACP, see lacp, lacp-channel-group, and lacp. Supported in the following platforms:

Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show lacp [<1-4>|counters|details|sys-id]

show lacp <1-4> ([counters|details]) show lacp sys-id Parameters show lacp <1-4> ([counters|details]) show lacp <1-4>

counters details Shows the LACP related information for a specified port-channel or all port-channels using LACP

<1-4> Select the port-channel index number from 1 - 4. Note, LACP is supported only on the NX5500, NX7500, and NX9500 model service platforms. However, the NX9500 series service platforms support only two (2) port-channels. Where as the other model service platforms support four (4) port-channels. If the port-channel index number is not specified, the system displays LACP counters and details for all port-channels configured on the device. Shows LACP counters for LACP-enabled port-channels. When passed without the

<1-4> keyword, the system displays LACP counters for all configured port-channels. However, if the port-channel index number is specified, the system displays LACP counters only for the specified port-channel. Shows details for LACP-enabled port-channels. When passed without the <1-4>

keyword, the system displays LACP details for all configured port-channels. However, if the port-channel index number is specified, the system displays LACP details only for the specified port-channel. show lacp sys-id show lacp sys-id Shows the LACP related information for all LACP-enabled port-channels sys-id Shows the LACP system identifier and priority. This is the identifier assigned to the LACP peers (devices). Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 92 Example SHOW COMMANDS NOC-controller#show interface port-channel 1 Interface port-channel1 is UP Hardware-type: aggregate, Mode: Layer 2, Address: 84-24-8D-7F-35-C8 Index: 2018, Metric: 1, MTU: 1500 Speed: Admin Auto, Operational 20G, Maximum 20G Duplex: Admin Auto, Operational Full Active-medium: n/a Channel-members: xge1 xge2 Switchport settings: trunk, access-vlan: n/a Input packets 5121052, bytes 807510883, dropped 0 Received 5121052 unicasts, 0 broadcasts, 516544 multicasts Input errors 0, runts 0, giants 0 CRC 0, frame 0, fragment 0, jabber 0 Output packets 4804420, bytes 1053174746, dropped 0 Sent 4804420 unicasts, 0 broadcasts, 0 multicasts Output errors 0, collisions 0, late collisions 0 Excessive collisions 0 NOC-controller#

NOC-controller#show interface port-channel 4 Interface port-channel4 is UP Hardware-type: aggregate, Mode: Layer 2, Address: 84-24-8D-7F-35-C4 Index: 2016, Metric: 1, MTU: 1500 Speed: Admin Auto, Operational 4G, Maximum 4G Duplex: Admin Auto, Operational Full Active-medium: n/a Channel-members: ge2 ge3 ge4 ge5 Switchport settings: trunk, access-vlan: n/a Input packets 5848499493, bytes 8772550780653, dropped 0 Received 5848499493 unicasts, 0 broadcasts, 120167 multicasts Input errors 0, runts 0, giants 0 CRC 0, frame 0, fragment 0, jabber 0 Output packets 362245, bytes 33129264, dropped 0 Sent 362245 unicasts, 0 broadcasts, 0 multicasts Output errors 0, collisions 0, late collisions 0 Excessive collisions 0 NOC-controller#

NOC-controller#show lacp counters Port-Channel Interface LACPDU Marker Packet error Sent Recv Sent Recv Sent Recv pc1 xge1 11548 12479 0 0 0 0 pc1 xge2 11550 12469 0 0 0 0 pc4 ge2 14081 14041 0 0 0 0 pc4 ge3 15877 15874 0 0 0 0 pc4 ge4 15875 15874 0 0 0 0 pc4 ge5 14064 14052 0 0 0 0 NOC-controller#

NOC-controller#show lacp details Port-Channel pc1 Interface xge1:

Actor admin port key : 1 Actor oper port key : 1 Actor port priority : 32768 Actor port number : 2011 Actor admin port state : ActiveLACP LongTimeout Aggregatable OUT_OF_SYNC Defaulted Actor oper port state : ActiveLACP LongTimeout Aggregatable IN_SYNC Collecting Distributing Partner admin system ID : 32768, 00-00-00-00-00-00 Partner oper system ID : 32768, 44-03-A7-BF-00-00 Partner admin key : 0 Partner oper key : 1 Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 93 SHOW COMMANDS Partner admin port priority : 0 Partner oper port priority : 32768 Partner admin port number : 0 Partner oper port number : 286 Partner admin port state : PassiveLACP LongTimeout Aggregatable OUT_OF_SYNC Defaulted Partner oper port state : ActiveLACP LongTimeout Aggregatable IN_SYNC Collecting Distributing Receive machine state : Current Periodic transmission machine state : Slow periodic Mux machine state : Collecting/Distributing Port-Channel pc1 Interface xge2:

Actor admin port key : 1 Actor oper port key : 1 Actor port priority : 32768 Actor port number : 2012 Actor admin port state : ActiveLACP LongTimeout Aggregatable OUT_OF_SYNC Defaulted

--More--

NOC-controller#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 94 SHOW COMMANDS 6.1.39 ldap-agent show commands Displays an LDAP agents join status (join status to a LDAP server domain) Use this command When LDAP is specified the external resource (as opposed to local RADIUS resources) to validate PEAP-MS-CHAP v2 authentication requests, user credentials, and password information needs to be made available locally to successfully connect to the external LDAP server. Up to two LDAP Agents

(primary and secondary external resources) can be defined as external resources for PEAP-MS-CHAP v2 authentication requests. NOTE: This command is not available in the USER EXEC Mode. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show ldap-agent join-status {on <DEVICE-NAME>}

Parameters ldap-agent join-status on <DEVICE-NAME>

show ldap-agent join-status {on <DEVICE-NAME>}

Displays LDAP agent related configuration Displays if the LDAP agent has successfully joined a LDAP servers domain Optional. Displays if the LDAP agent has successfully joined a specified LDAP servers domain.

<DEVICE-NAME> Specify the name of the device running the LDAP server (access point, wireless controller, or service platform). Example rfs6000-81701D#show ldap-agent join-status Primary LDAP Server's agent join-status : Joined domain TEST. Secondary LDAP Server's agent join-status : Not Configured rfs6000-81701D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 95 SHOW COMMANDS 6.1.40 licenses show commands Displays installed licenses and usage information Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show licenses {borrowed|lent}

Parameters show licenses {borrowed|lent}

licenses

{borrowed|lent}

Usage Guidelines Displays installed licenses and usage information borrowed Optional. Displays information on licenses borrowed lent Optional. Displays information on licenses lent The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller, The NOC and the site controllers constitute the first and second tiers of the hierarchy respectively. The site controllers in turn adopt and manage access points that form the third tier of the hierarchy. The site controllers may or may not be grouped to form clusters. At the time of adoption, access points and adaptive access points are provided license by the adopting controller. These license packs can be installed on both the NOC and site controllers. When a AP/AAP is adopted by a controller, the controller pushes a license on to the device. At this point the various possible scenarios are:

AP/AAP license packs installed on the NOC controller only. The NOC controller provides the site controllers with the AP licenses, ensuring that per platform limits are not exceeded. AP/AAP license packs installed on the NOC and site controllers. The site controller uses its installed licenses and, in case of a shortage, the site controller borrows additional licenses from the NOC. If the NOC controller is unable to allocate sufficient licenses, the site controller unadopts some of the AP/AAPs. AP/AAP license packs installed on one controller within a cluster. The site controller shares its installed and borrowed licenses with other cluster controllers. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 96 SHOW COMMANDS Example rfs4000-229D58#show licenses Serial Number : 9184521800027 Device Licenses:

AP-LICENSE String : DEFAULT-6AP-LICENSE Value : 6 Borrowed : 0 Total : 6 Used : 0 AAP-LICENSE String :

Value : 0 Borrowed : 0 Total : 0 Used : 0 ADVANCED-SECURITY String : DEFAULT-ADV-SEC-LICENSE rfs4000-229D58#

The following example shows the show > licenses command output on a NOC controller:

nx9500-6C8809#show licenses Serial Number : B4C7996C8809 Device Licenses:

AP-LICENSE String :

Value : 0 Lent : 0 Total : 0 Used : 0 AAP-LICENSE String :

66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1 Value : 10250 Lent : 0 Total : 10250 Used : 7 HOTSPOT-ANALYTICS String :

66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497 Total Licenses Including Licenses in Adopted Controllers:

AP-LICENSE Value : 14 Used : 1 AAP-LICENSE Value : 10250 Used : 7 nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 97 SHOW COMMANDS In the following example, the VALIDITY(HRS) column specifies the validity period, in days and hours, of a lent license. On a NOC controller, a VALIDITY(HRS) value of current implies that the site controller is currently adopted. Whereas, a numerical VALIDITY(HRS) value indicates the days and hours the lent license is valid for a site controller that is not reachable. nx9500-6C8809#show licenses lent

--------------------------------------------------------------------------------

----------------------------

MAC HOST-NAME TYPE LENT BORROWER-MAC BORROWER-

HOST-NAME VALIDITY

--------------------------------------------------------------------------------

----------------------------

B4-C7-99-6C-88-09 nx9500-6C8809 AAP 5 00-15-70-81-74-2D rfs6000-

81742D current B4-C7-99-6C-88-09 nx9500-6C8809 AAP 9 B4-C7-99-6D-CD-4B rfs7000-

6DCD4B 97 days, 21 hours

--------------------------------------------------------------------------------

----------------------------

nx9500-6C8809#

rfs4000-881E4B#show licenses borrowed

-----------------------------------------------------------------------------

MAC HOST-NAME TYPE BORROWED VALIDITY

-----------------------------------------------------------------------------

00-15-70-37-FD-89 rfs7000-37FD89 AAP 2 99 days, 23 hours 00-15-70-81-70-1D rfs6000-81701D AP 1 99 days, 23 hours

-----------------------------------------------------------------------------

rfs4000-881E4B#

The following examples show the show > licenses output on the devices participating in the process:

nx9500-6C8809>show licenses lent

--------------------------------------------------------------------------------

----------------------------

MAC HOST-NAME TYPE LENT BORROWER-MAC BORROWER-

HOST-NAME VALIDITY

--------------------------------------------------------------------------------

----------------------------

B4-C7-99-6C-88-09 nx9500-6C8809 AAP 1 00-15-70-81-74-2D rfs6000-

81742D current B4-C7-99-6C-88-09 nx9500-6C8809 AAP 9 B4-C7-99-6D-CD-4B rfs7000-

6DCD4B 99 days, 23 hours

--------------------------------------------------------------------------------

----------------------------

nx9500-6C8809>

rfs6000-81742D(config)#show licenses borrowed

-----------------------------------------------------------------------------

MAC HOST-NAME TYPE BORROWED VALIDITY

-----------------------------------------------------------------------------

B4-C7-99-6C-88-09 nx9500-6C8809 AAP 1 current

-----------------------------------------------------------------------------

rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 98 SHOW COMMANDS 6.1.41 lldp show commands Displays Link Layer Discovery Protocol (LLDP) information Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show lldp [neighbors|report]

show lldp neighbors {on <DEVICE-NAME>}

show lldp report {detail|on}

show lldp report {detail} {(on <DEVICE-OR-DOMAIN-NAME>)}

Parameters show lldp neighbors {on <DEVICE-NAME>}

lldp neighbors on <DEVICE-NAME>

Displays an LLDP neighbors table or aggregated LLDP neighbors table Displays an LLDP neighbors table Optional. Displays an LLDP neighbors table on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show lldp report {detail} {(on <DEVICE-OR-DOMAIN-NAME>)}

lldp report detail on <DEVICE-OR-

DOMAIN-NAME>

Displays an LLDP neighbors table or aggregated LLDP neighbors table Displays an aggregated LLDP neighbors table detail Optional. Displays detailed aggregated LLDP neighbors table Note: If the on keyword is used without the detail keyword, the system displays LLDP neighbors table summary on the specified device or RF Domain. The following keyword is recursive and common to the report detail parameter:

on <DEVICE-OR-DOMAIN-NAME> Displays an aggregated LLDP neighbors table on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. Example nx9500-6C8809#show lldp neighbors

-------------------------

Chassis ID: 00-18-71-D0-0B-00 System Name: TechPubs-ProCurve-Switch Platform: ProCurve J8697A Switch 5406zl, revision K.12.1X, ROM K.11.03 (/sw/code/

build/btm(sw_esp1)) Capabilities: Bridge Router Enabled Capabilities: Bridge Local Interface: ge1, Port ID(Port Description) (outgoing port): 5(A5) TTL: 113 sec Management Addresses: 192.168.13.40 nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 99 SHOW COMMANDS 6.1.42 logging show commands Displays the networks activity log Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show logging {on <DEVICE-NAME>}

Parameters show logging {on <DEVICE-NAME>}

logging

{on <DEVICE-NAME>}

Displays logging information on a specified device on <DEVICE-NAME> Optional. Executes the command on a specified device.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example nx9500-6C8809#show logging Logging module: enabled Aggregation time: disabled Console logging: level debugging Monitor logging: disabled Buffered logging: level warnings Syslog logging: level warnings Facility: local7 Log Buffer (1666269 bytes):

May 14 05:30:23 2015: nx9500-6C8809 : %DIAG-4-PWRSPLY_FAIL: Power supply failure, no longer redundant May 14 05:30:13 2015: nx9500-6C8809 : %DEVICE-4-OFFLINE: Device B4-C7-99-74-B4-

5C(ap8132-74B45C) is offline, last seen:10 minutes ago on switchport rfs6000-

6DB5D4:ge1 May 14 05:20:16 2015: nx9500-6C8809 : %DIAG-4-PWRSPLY_FAIL: Power supply failure, no longer redundant May 14 05:19:43 2015: nx9500-6C8809 : %DEVICE-4-OFFLINE: Device B4-C7-99-74-B4-

5C(ap8132-74B45C) is offline, last seen:10 minutes ago on switchport rfs6000-

380649:ge1

--More--

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 100 SHOW COMMANDS 6.1.43 mac-access-list show commands Displays MAC access list statistics NOTE: This command is not present in USER EXEC mode. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show mac-access-list stats {<MAC-ACCESS-LIST-NAME>|on}

show mac-access-list stats {<MAC-ACCESS-LIST-NAME>} {(on <DEVICE-NAME>)}

Parameters show mac-access-list stats {<MAC-ACCESS-LIST-NAME>} {(on <DEVICE-NAME>)}

mac-access-list stats

<MAC-ACCESS-LIST> Optional. Displays statistics for a specified MAC access list. Specify the MAC access Displays MAC access list statistics on <DEVICE-NAME>

list name. Note: The system displays all configured ACL statistics if no ACL name is specified. Optional. Displays all or a specified MAC access list statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example nx9500-6C8809#show mac-access-list stats scalemacacl | i 311 permit D0-67-E5-3F-C0-00 FF-FF-FF-FF-F0-00 host 00-1E-EC-F2-0A-76 rule-

precedence 311 Hitcount: 0 Hardware Hitcount: 0 nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 101 SHOW COMMANDS 6.1.44 mac-address-table show commands Displays MAC address table entries Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show mac-address-table {on <DEVICE-NAME>}

Parameters show mac-address-table {on <DEVICE-NAME>}

mac-address-table on <DEVICE-NAME>

Displays MAC address table entries Optional. Displays MAC address table entries on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example rfs6000-81742D(config)#show mac-address-table

--------------------------------------------------------

BRIDGE VLAN PORT MAC STATE

--------------------------------------------------------

1 1 up1 00-02-B3-28-D1-55 forward 1 1 up1 00-0F-8F-19-BA-4C forward 1 1 up1 84-24-8D-80-C2-AC forward 1 1 up1 84-24-8D-80-BF-34 forward 1 1 up1 1C-7E-E5-18-FA-67 forward 1 1 up1 84-24-8D-83-30-A4 forward 1 1 up1 B4-C7-99-DD-31-C8 forward 1 1 up1 B4-C7-99-6C-88-09 forward 1 1 up1 00-18-71-D0-1B-F3 forward 1 1 up1 B4-C7-99-71-17-28 forward 1 1 up1 FC-0A-81-42-93-6C forward 1 1 up1 B4-C7-99-6D-CD-4B forward 1 1 up1 84-24-8D-84-A2-24 forward 1 1 up1 3C-CE-73-F4-47-83 forward 1 1 up1 B4-C7-99-74-B4-5C forward

--------------------------------------------------------

Total number of MACs displayed: 15 rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 102 SHOW COMMANDS 6.1.45 mac-auth show commands Displays details of wired ports that have MAC address authentication enabled Use this command to view MAC authentication configuration and authentication state. The command displays the current authentication state of the wired host, the authorization state of the Ge1 port, and the wired hosts MAC address. The port status displays as Authorized if the wired host has successfully authenticated and Not Authorized if the wired host has not authenticated or has failed MAC authentication. For more information on enabling MAC address authentication on a wired port, see mac-auth. Supported in the following platforms:

Access Points AP6511 Wireless Controllers RFS4000, RFS6000 Syntax show mac-auth {all|interface|on}

show mac-auth {all|interface [<INTERFACE-NAME>|ge <1-5>|port-channel <1-3>|t1e1

<1-4>|up <1-2>|xge <1-4>]} {(on <DEVICE-NAME>)}

Parameters show mac-auth {all|interface [<INTERFACE-NAME>|ge <1-5>|port-channel <1-3>|t1e1

<1-4>|up <1-2>|xge <1-4>]} {(on <DEVICE-NAME>)}

mac-auth all interface

[<INTERFACE-

NAME>|ge <1-5>|

port-channel <1-3>|

t1e1 <1-4>|up <1-2>|

xge <1-4>]

on <DEVICE-NAME>

Displays MAC authentication related information for all interfaces or all interfaces Optional. Displays MAC authentication related information for all interfaces Optional. Displays MAC authentication related information for a specified interface. Specify the interface using one of the following options:

<INTERFACE-NAME> Selects the interface identified by the <INTERFACE-NAME>

keyword ge <1-5> Selects the GigabitEthernet interface identified by the index number port-channel <1-3> Selects the port channel interface identified by the index number t1e1 <1-4> Selects the layer 2 interface (Ethernet port) up <1-2> Selects the WAN Ethernet interface identified by the index number xge <1-4> Selects the TenGigabitEthernet interface identified by the index number The following keywords are common to the all and interface parameters:

on <DEVICE-NAME> Optional. Displays MAC authentication related information on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Note: When the on keyword is used exclusively, without the all and interface options, the system displays MAC authentication related information for interfaces configured on the specified device. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 103 SHOW COMMANDS Example rfs4000-229D58(config)#show mac-auth all AAA-Policy is none Mac Auth info for interface GE1

-----------------------------------

Mac Auth Enabled Mac Auth Not Authorized Mac Auth info for interface GE2

-----------------------------------

Mac Auth Disabled Mac Auth Not Authorized Mac Auth info for interface GE3

-----------------------------------

Mac Auth Disabled Mac Auth Not Authorized Mac Auth info for interface GE4

-----------------------------------

Mac Auth Disabled Mac Auth Authorized Mac Auth info for interface GE5

-----------------------------------

Mac Auth Disabled Mac Auth Not Authorized Mac Auth info for interface UP1

-----------------------------------

Mac Auth Disabled Mac Auth Not Authorized rfs4000-229D58(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 104 SHOW COMMANDS 6.1.46 mac-auth-clients show commands Displays MAC authenticated clients Supported in the following platforms:

Access Points AP6511 Wireless Controllers RFS4000, RFS6000 Syntax show mac-auth-clients [all|interface]

show mac-auth-clients all {on <DEVICE-NAME>}

show mac-auth-clients interface {<INF-NAME>|ge <1-X>|port-channel <1-2>|xge <1-4>}

Parameters show mac-auth-clients all {on <DEVICE-NAME>}

mac-auth-clients all on <DEVICE-NAME>

Displays MAC authenticated clients based on the parameters passed. The options are: all and interface. Displays MAC authenticated clients for all interfaces Optional. Displays MAC authenticated clients for all interfaces on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show mac-auth-clients interface {<INF-NAME>|ge <1-X>|port-channel <1-2>|xge <1-

4>}

mac-auth-clients interface

[<INF-NAME>|

ge <1-X>|

port-channel <1-2>|

xge <1-4>]

on <DEVICE-NAME>

Displays MAC authenticated clients based on the parameters passed. The options are: all and interface. Displays MAC authenticated clients for the specified interface. Select the interface type from the following options:

<INF-NAME> Optional. Displays MAC authenticated clients for the interface identified by the <INF-NAME> keyword. Specify the layer 2 (ethernet port) interface name. ge <1-X> Optional. Displays MAC authenticated clients for the selected GigabitEthernet interface. Specify the GE interface index from 1 - X. This will vary for different device types. port-channel <1-2> Optional. Displays MAC authenticated clients for the selected port channel interface. Specify the port channel interface index from 1 - 2. xge <1-4> Optional. Displays MAC authenticated clients for the selected TenGigabitEthernet interface. Specify the interface index from 1 - 4. Optional. Displays MAC authenticated clients for the specified interface on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 105 SHOW COMMANDS Example nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show mac-auth-clients interface ge 1

-----------------------------------------------

MAC STATE INTERFACE

-----------------------------------------------

-----------------------------------------------

Total number of MACs displayed: 0 nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 106 SHOW COMMANDS 6.1.47 mint show commands Displays MiNT protocol related statistics Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show mint [config|dis|id|info|known-adopters|links|lsp|lsp-db|mlcp|neighbors|

route|stats|tunnel-controller|tunneled-vlans]

show mint [config|id|info|known-adopters|route|stats|tunneled-vlans] {on <DEVICE-

NAME>}

show mint [dis|links|neighbors|tunnel-controller] {details} {(on <DEVICE-NAME>)}

show mint lsp show mint lsp-db {details <MINT-ADDRESS>} {(on <DEVICE-NAME>)}

show mint mlcp {history} {(on <DEVICE-NAME>)}

Parameters show mint [config|id|info|known-adopters|route|stats|tunneled-vlans] {on

<DEVICE-NAME>}

mint config id info known-adopters route stats tunneled-vlans on <DEVICE-NAME>

Displays MiNT protocol information based on the parameters passed Displays MiNT configuration Displays local MiNT ID Displays MiNT status Displays known, possible, or reachable adopters Displays MiNT route table details Displays MiNT related statistics Displays MiNT tunneled VLAN details The following keywords are common to all of the above parameters:

on <DEVICE-NAME> Optional. Displays MiNT protocol details on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. show mint [dis|links|neighbors|tunnel-controller] {details} {(on <DEVICE-NAME>)}

mint dis links neighbors Displays MiNT protocol information based on the parameters passed Displays MiNT network Designated Intermediate Systems (DISes) and Ethernet Virtualization Interconnects (EVISes) Displays MiNT networking link details Displays adjacent MiNT peer details Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 107 SHOW COMMANDS tunnel-controller details

{(on <DEVICE-

NAME>)}

Displays details of MiNT VLAN network tunnel wireless controllers for extended VLAN load balancing The following keywords are common to the dis, links, neighbors, and tunnel-

controller parameters:

details Optional. Displays detailed MiNT information on <DEVICE-NAME> Optional. This is a recursive parameter, which displays MiNT information on a specified device.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. show mint lsp mint lsp Displays MiNT protocol information based on the parameters passed Displays this router's MiNT Label Switched Paths (LSPs) show mint lsp-db {details <MINT-ADDRESS>} {(on <DEVICE-NAME>)}

mint lsp-db details

<MINT-ADDRESS>

on <DEVICE-NAME>

Displays MiNT protocol information based on the parameters passed Displays MiNT LSP database entries Optional. Displays detailed MiNT LSP database entries

<MINT-ADDRESS> Specify the MiNT address in the AA.BB.CC.DD format. The following keyword is recursive and common to the details parameter:

on <DEVICE-NAME> Optional. Displays MiNT LSP database entries on a specified device

<DEVICE-NAME> Specify the name of the AP or wireless controller show mint mlcp {history} {(on <DEVICE-NAME>)}

mint mlcp history on <DEVICE-NAME>

Displays MiNT protocol information based on the parameters passed This command displays the hello-interval and hold-time default values for both IP and VLAN links. Displays IPv4 and IPv6 MiNT Link Creation Protocol (MLCP) status Optional. Displays MLCP client history on <DEVICE-NAME> Optional. Displays MLCP client history on a specified device The following keyword is recursive and common to the history parameter:

on <DEVICE-NAME> Optional. Displays MLCP client history on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Example nx9500-6C8809#show mint stats 9 Level-1 neighbors Level-1 LSP DB size 26 LSPs (4 KB) Last Level-1 SPFs took 0.000s Level-1 SPF (re)calculated 818 times. 26 Level-1 paths. 0 Level-2 neighbors Level-2 LSP DB size 0 LSPs (0 KB) Last Level-2 SPFs took 0.000s Level-2 SPF (re)calculated 0 times. 0 Level-2 paths. nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 108 SHOW COMMANDS nx9500-6C8809#show mint lsp id 19.6C.88.09, level 1, 9 adjacencies, 0 extended-vlans seqnum 1476782, expires in 29 minutes, republish in 1362 seconds 161 bytes, can-adopt: True, adopted-by: 00.00.00.00, dis-priority 5, Level-2-

gateway: False hostname "nx9500-6C8809"

cluster id "TechPubs"

rf-domain "TechPubs", priority vector: 0x60dc0000 adjacent to 4D.83.30.A4, cost 10 adjacent to 4D.84.A2.24, cost 10 adjacent to 19.74.B4.5C, cost 10 adjacent to 19.6D.CD.4B, cost 10 adjacent to 19.DD.31.C8, cost 10 adjacent to 4D.80.C2.AC, cost 10 adjacent to 4D.80.BF.34, cost 10 adjacent to 19.71.17.28, cost 10 adjacent to 70.81.74.2D, cost 10 nx9500-6C8809#

nx9500-6C8809#show mint lsp-db 26 LSPs in LSP-db of 19.6C.88.09:

LSP 19.6C.88.09 at level 1, hostname "nx9500-6C8809", 9 adjacencies, seqnum 1476782 LSP 19.6C.8A.49 at level 1, hostname "nx9500-6C8A49pp", 9 adjacencies, seqnum 67397 LSP 19.6D.CD.4B at level 1, hostname "rfs7000-6DCD4B", 9 adjacencies, seqnum 1143297 LSP 19.71.17.28 at level 1, hostname "ap8132-711728", 9 adjacencies, seqnum 837272 LSP 19.72.D4.F4 at level 1, hostname "ap650-72D4F4", 2 adjacencies, seqnum 107768 LSP 19.72.D5.44 at level 1, hostname "ap4600-72D544", 9 adjacencies, seqnum 10889 LSP 19.72.E6.C4 at level 1, hostname "ap6532-72E6C4", 2 adjacencies, seqnum 109985 LSP 19.74.B4.5C at level 1, hostname "ap8132-74B45C", 9 adjacencies, seqnum 1659590 LSP 19.DD.31.C8 at level 1, hostname "rfs4000-DD31C8", 25 adjacencies, seqnum 1787045 LSP 1A.7C.D5.A4 at level 1, hostname "ap8222-7CD5A4", 9 adjacencies, seqnum 440488 LSP 1A.7E.79.E8 at level 1, hostname "ap8122-7E79E8", 9 adjacencies, seqnum 100282 LSP 1A.B1.9C.40 at level 1, hostname "ap7131-B19C40", 9 adjacencies, seqnum 95001 LSP 4D.80.BF.34 at level 1, hostname "Rajeev-AP", 9 adjacencies, seqnum 232516 LSP 4D.80.C2.AC at level 1, hostname "ap7532-80C2AC", 9 adjacencies, seqnum 842369 LSP 4D.83.30.A4 at level 1, hostname "ap7522-8330A4", 9 adjacencies, seqnum 478482 LSP 4D.84.A2.24 at level 1, hostname "ap7562-84A224", 9 adjacencies, seqnum 562219 LSP 4D.8A.15.C8 at level 1, hostname "AP1", 1 adjacencies, seqnum 92687 LSP 68.88.10.D1 at level 1, hostname "rfs4000-8810D1", 9 adjacencies, seqnum 115580 LSP 70.38.03.E7 at level 1, hostname "rfs7000-3803E7", 9 adjacencies, seqnum 947279 LSP 70.81.74.2D at level 1, hostname "rfs6000-81742D", 9 adjacencies, seqnum 487287 LSP 75.A2.A4.90 at level 1, hostname "ap7532-A2A490", 4 adjacencies, seqnum 181692 LSP 75.A2.A4.B0 at level 1, hostname "ap7532-A2A4B0", 4 adjacencies, seqnum 180804 LSP 75.A2.A5.54 at level 1, hostname "ap7532-A2A554", 4 adjacencies, seqnum 156084 LSP 75.A2.A5.6C at level 1, hostname "Snap004-AceessPoint", 4 adjacencies, seqnum 169181 LSP 75.D1.AA.7A at level 1, hostname "ap7622-D1AA7A", 9 adjacencies, seqnum 5471 LSP 75.D1.B2.68 at level 1, hostname "ap7602-D1B268", 9 adjacencies, seqnum 6054 nx9500-6C8809#

nx9500-6C8809#show mint route Destination : Next-Hop(s) 4D.84.A2.24 : 4D.84.A2.24 via vlan-1 1A.7C.D5.A4 : 19.DD.31.C8 via vlan-1 68.88.10.D1 : 19.DD.31.C8 via vlan-1 19.72.E6.C4 : 19.DD.31.C8 via vlan-1 75.A2.A5.54 : 19.DD.31.C8 via vlan-1 1A.B1.9C.40 : 19.DD.31.C8 via vlan-1 70.81.74.2D : 70.81.74.2D via vlan-1 19.6C.8A.49 : 19.DD.31.C8 via vlan-1 19.74.B4.5C : 19.74.B4.5C via vlan-1 19.6D.CD.4B : 19.6D.CD.4B via vlan-1 19.72.D5.44 : 19.DD.31.C8 via vlan-1 75.D1.AA.7A : 19.DD.31.C8 via vlan-1 75.A2.A4.B0 : 19.DD.31.C8 via vlan-1 19.71.17.28 : 19.71.17.28 via vlan-1 Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 109 SHOW COMMANDS 70.38.03.E7 : 19.DD.31.C8 via vlan-1 4D.80.C2.AC : 4D.80.C2.AC via vlan-1 19.6C.88.09 : 19.6C.88.09 via self 75.A2.A4.90 : 19.DD.31.C8 via vlan-1 1A.7E.79.E8 : 19.DD.31.C8 via vlan-1 19.DD.31.C8 : 19.DD.31.C8 via vlan-1 75.A2.A5.6C : 19.DD.31.C8 via vlan-1 19.72.D4.F4 : 19.DD.31.C8 via vlan-1 4D.83.30.A4 : 4D.83.30.A4 via vlan-1 4D.80.BF.34 : 4D.80.BF.34 via vlan-1 4D.8A.15.C8 : 19.DD.31.C8 via vlan-1 75.D1.B2.68 : 19.DD.31.C8 via vlan-1 nx9500-6C8809#

nx9500-6C8809#show mint known-adopters 19.6C.8A.49 nx9500-6C8809#

nx9500-6C8809#show mint known-adopters 19.6C.8A.49 nx9500-6C8809#

nx9500-6C8809#show min config Base priority 5 DIS priority 5 Control priority 220 UDP/IP Mint encapsulation port 24576 Global Mint MTU 1500 nx9500-6C8809#

ap7532-15E6E4#show mint mlcp MLCP VLAN state: MLCP_DONE Potential VLAN links: 1 All VLANs were scanned 2 times Link created on VLAN 1 MLCP IP state: MLCP_DISCOVERING Potential L3 Links:

192.168.1.43 MCLP IP Hello Interval: 15s(default), Adjacency hold time: 46s(default) MCLP VLAN Hello Interval: 4s(default), Adjacency hold time: 13s(default) ap7532-15E6E4#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 110 SHOW COMMANDS 6.1.48 nsight show commands Displays NSight related information and also displays the database server status (reachable or not) Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax show nsight status Parameters show nsight status nsight Example Displays the NSight module related status, such as:

NSight is enabled or not on the device NSight report and aggregation daemon is running or not NSight alarm daemon is running or not NSight server daemon is running or not Database server is reachable or not nx9500-6C8809(config)#show nsight status Nsight is enabled Nsight report and aggregation daemon is running Nsight alarm daemon is running Nsight server daemon is running Database server is local Database server is reachable nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 111 SHOW COMMANDS 6.1.49 ntp show commands Displays Network Time Protocol (NTP) information. NTP enables clock synchronization within a network. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show ntp [associations|status]

show ntp [associations {detail|on}|status {on <DEVICE-NAME>}]

Parameters show ntp [associations {detail|on}|status {on <DEVICE-NAME>}]

ntp associations

{detail|on}

ntp status

{on <DEVICE-NAME>}

Displays existing NTP associations. The interaction between the controller or service platform and a SNTP server constitutes an association. SNTP associations are of two kinds:

- peer associations - where a controller or service platform synchronizes to another system or allows another system to synchronize to it, or

- server associations - where only the controller or service platform synchronizes to the SNTP resource, not the other way around. detail Optional. Displays detailed NTP associations on <DEVICE-NAME> Optional. Displays NTP associations on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Note: If the on keyword is used without the detail keyword, the system displays a summary of existing NTP associations on the specified device or RF Domain. Displays the performance (status) information relative to the NTP association status. Use this command to view the access point, controller, or service platforms current NTP resource. on <DEVICE-NAME> Optional. Displays NTP association status on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 112 SHOW COMMANDS Example nx9500-6C8809#show ntp associations

--------------------------------------------------------------------------------

-----------------------------------

STATUS NTP SERVER IP ADDR REF CLOCK IP ADDR STRATUM WHEN POLL REACH DELAY OFFSET DISPERSION

--------------------------------------------------------------------------------

-----------------------------------

~ 12.12.12.12 INIT 16 - 1024 0 0.0 0.0 15937.5

~ 11.11.11.11 INIT 16 - 1024 0 0.0 0.0 15937.5

--------------------------------------------------------------------------------

-------

STATUS Notation: * master (synced), # master (unsynced), + selected, - candidate,

~ configured nx9500-6C8809#

nx9500-6C8809#show ntp status

--------------------------------------------------------------------------------

ITEM VALUE

--------------------------------------------------------------------------------

Leap Clock is unsynchronized Stratum 16 Reference INIT Frequency 0.0000 Hz Precision 2^-20 Reference time 00000000.00000000 (Feb 07 11:58:16 UTC 2036) Clock Offset 0.000 msec Root delay 0.000 msec Root Dispersion 0.000 msec

--------------------------------------------------------------------------------

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 113 SHOW COMMANDS 6.1.50 password-encryption show commands Displays password encryption status (enabled/disabled) Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show password-encryption status Parameters show password-encryption status password-encryption status Displays password encryption status (enabled/disabled) Example rfs6000-81742D(config)#show password-encryption status Password encryption is enabled rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 114 SHOW COMMANDS 6.1.51 pppoe-client show commands Displays Point-to-Point Protocol over Ethernet (PPPoE) client information Use this command to view PPPoE statistics derived from access to high-speed data and broadband networks. PPPoE uses standard encryption, authentication, and compression methods as specified by the PPPoE protocol. PPPoE enables point-to-points connection to an ISP over existing Ethernet interface. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show pppoe-client [configuration|status] {on <DEVICE-NAME>}

Parameters pppoe-client configuration status on <DEVICE-NAME>

show pppoe-client [configuration|status] {on <DEVICE-NAME>}

Displays PPPoE client information (configuration and status) Displays detailed PPPoE client configuration Displays detailed PPPoE client status The following keywords are common to configuration and status parameters:

on <DEVICE-NAME> Optional. Displays detailed PPPoE client status or configuration on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example nx9500-6C8809#show pppoe-client configuration PPPoE Client Configuration:

+-------------------------------------------

| Mode : Disabled

| Service Name :

| Auth Type : pap

| Username :

| Password : fJx5O+5duPjaOaPuXmtLDQAAAAAmvgEXcQ1+eUK4ByHK4aRi

| Idle Time : 600

| Keepalive : Disabled

| Local n/w : vlan1

| Static IP : __wing_internal_not_set__

| MTU : 1492

+-------------------------------------------

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 115 SHOW COMMANDS 6.1.52 privilege show commands Displays a devices existing privilege level Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show privilege Parameters None Example rfs6000-81742D(config)#show privilege Current user privilege: superuser rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 116 SHOW COMMANDS 6.1.53 radius show commands Displays the amount of access time consumed and the amount of access time remaining for all guest users configured on a RADIUS server Every captive portal guest user can access the captive portal for a specified duration. This results in following three scenarios:

Scenario 1: Access duration not specified (in this case the default of 1440 minutes is applied) Scenario 2: Access duration is specified and is greater than 0 Scenario 3: Access duration is specified and equals to 0 (in this case the guest user has unlimited access) In all the three scenarios the access time consumed is the duration for which the guest user has logged. But the access time remaining varies. It is calculated as follows:

Scenarios 1 & 2 - It is the lesser of the following two values: difference between the configured access duration and the time consumed AND the time until user account expiration. Scenario 3 - It is the time until user account expiration Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show radius [guest-users|server]

show radius guest-users {brief|<GUEST-USER-NAME>}

show radius server Parameters show radius guest-users {brief|<GUEST-USER-NAME>}

radius guest-users

{brief|<GUEST-

USER-NAME>}

Displays RADIUS servers guest users access details: total time for which the user has logged in, and the amount of access time remaining. brief Displays the total number of guest users provided RADIUS access

<GUEST-USER-NAME> Optional. Provide the name of the guest user (whose access details are to be viewed). If no name is provided, the system displays details of all guest users who have successfully logged in at least once. Use this command in the captive-portal context to view time and data statistics for guest user(s) having bandwidth-based or time-based vouchers configured. In such a scenario, the system displays the following information: data configured, data remaining, configured and current bandwidths (for both downlink and uplink), time configured, and time remaining. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 117 SHOW COMMANDS If bandwidth-based voucher is not applicable to a guest user, the data configured and data remaining values are displayed as unlimited. The bandwidth columns are blank. If time-based voucher is not applicable to a guest user, the only value displayed is the time remaining (which is the time till the expiration of the guest users account). Note: For more information on configuring bandwidth-based and time-based vouchers, see user. show radius server show radius server Displays RADIUS server related statistical data Example rfs4000-229D58#show radius guest-users TIME (min:sec) USED REMAINING GUEST USER 0:00 9:00 time9 0:00 5:00 time5 0:00 15:00 time15 0:00 305416:35 notime 2:31 7:29 time10 rfs4000-229D58#

The following example shows a RADIUS user pool with guest users having bandwidth-based, time-

based, bandwidth and time based, and no bandwidth or time based vouchers:

rfs4000-229D58(config-captive-portal-wdws)#show context radius-user-pool-policy wdws user time_and_data password 0 both group wdws guest expiry-time 12:00 expiry-

date 12/31/2015 access-duration 8000 data-limit 500 committed-downlink 3000 committed-uplink 2000 reduced-downlink 1000 reduce4 user neither password 0 nine group wdws guest expiry-time 12:00 expiry-date 12/31/2015 user data_only password 0 data group wdws guest expiry-time 12:00 expiry-date 12/31/2015 data-limit 125 committed-downlink 1000 committed-uplink 800 reduced-downlink 500 reduced-uplink 400 rfs4000-229D58(config-captive-portal-wdws)#

The following example shows the captive portal access details for the above mentioned RADIUS user pool users:

rfs4000-229D58(config-captive-portal-wdws)#show radius guest-users TIME (DD:HH:MM:SS) DATA (kilobytes) BANDWIDTH (kbps) GUEST USER CONFIGURED REMAINING CONFIGURED REMAINING CFGD DN CURR DN CFGD UP CURR UP time_and_data 5:13:20:00 5:12:00:50 512000 433727 3000 0 2000 0 neither till expiry 221:19:44:54 unlimited unlimited data_only till expiry 221:19:44:54 128000 127587 1000 0 800 0 time_only 3:11:20:00 3:11:19:47 unlimited unlimited Current time: 17:15:07 rfs4000-229D58(config-captive-portal-wdws)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 118 SHOW COMMANDS 6.1.54 reload show commands Displays scheduled reload information for a specific device NOTE: This command is not present in the USER EXEC mode. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show reload {on <DEVICE-OR-DOMAIN-NAME>}

Parameters show reload {on <DEVICE-OR-DOMAIN-NAME>}

reload

{on <DEVICE-OR-

DOMAIN-NAME>}

Displays scheduled reload information for a specified device on <DEVICE-OR-DOMAIN-NAME> Optional. Displays configuration on a specified device

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. Example rfs6000-81742D(config)#show reload No reload is scheduled. rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 119 SHOW COMMANDS 6.1.55 rf-domain-manager show commands Displays RF Domain manager selection details Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show rf-domain-manager {on <DEVICE-OR-DOMAIN-NAME>}

Parameters show rf-domain-manager {on <DEVICE-OR-DOMAIN-NAME>}

rf-domain-manager on <DEVICE-OR-

DOMAIN-NAME>

Displays RF Domain manager selection details Optional. Displays RF Domain manager selection details on a specified device or domain

<DEVICE-OR-DOMAIN-NAME> specify the name of the AP, wireless controller, service platform, or RF Domain. Example nx9500-6C8809#show rf-domain-manager RF Domain TechPubs RF Domain Manager:

ID: 19.6C.88.09 Controller Managed Device under query:

Priority: 220 Has IP MiNT links Has wired MiNT links nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 120 SHOW COMMANDS 6.1.56 role show commands Displays role based firewall information Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show role [ldap-stats|wireless-clients]

show role [ldap-stats|wireless-clients] {on <DEVICE-NAME>}

Parameters show role [ldap-stats|wireless-clients] {on <DEVICE-NAME>}

role ldap-stats role wireless-clients on <DEVICE-NAME>

Displays LDAP server status and statistics Displays clients associated with roles The following parameters are common to the ldap-stats and wireless-clients keywords:

on <DEVICE-NAME> Optional. Displays clients associated with roles on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, and service platform. Example nx9500-6C8809(config)#show role wireless-clients No ROLE statistics found. nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 121 SHOW COMMANDS 6.1.57 route-maps show commands Displays route map statistics for defined device routes Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show route-maps {on <DEVICE-NAME>}

Parameters show route-maps {on <DEVICE-NAME>}

route-maps on <DEVICE-NAME>

Displays configured route map statistics for all defined routes For more information on route maps, see route-map. Optional. Displays route map statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example nx9500-6C8809(config)#show route-maps nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 122 SHOW COMMANDS 6.1.58 rtls show commands Displays Real Time Location Service (RTLS) statistics for access points contributing locationing information Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show rtls [aeroscout|ekahau|omnitrail] {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-

NAME>)}

Parameters show rtls [aeroscout|ekahau|omnitrail] {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-

NAME>)}

rtls aeroscout ekahau omnitrail

<MAC/HOSTNAME>

on <DEVICE-OR-

DOMAIN-NAME>

Displays access point RTLS statistics Displays access point Aeroscout statistics Displays access point Ekahau statistics Displays access point Omnitrail statistics Optional. Displays Aeroscout or Ekahau statistics for a specified access point. Specify the MAC address or hostname of the access point. The following keyword is recursive and common to Aeroscout and Ekahau parameters:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays Aeroscout or Ekahau statistics on a specified device or domain.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. Example rfs4000-229D58(config)#show rtls aeroscout Aeroscout Engine IP: 0.0.0.0 Port: 0 Send Count : 0 Recv Count : 0 Tag Reports : 0 Nacks : 0 Acks : 0 Lbs : 0 AP Status : 0 AP Notif : 0 Send Err : 0 Errmsg Count : 0 Total number of APs displayed: 1 rfs4000-229D58(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 123 SHOW COMMANDS ap8533-84A224##show rtls omnitrail Engine IP: 157.235.90.41 Control Port: 8890 Otls 2.4 GHz Engine status: CONNECTED Otls 5 GHz Engine status: CONNECTED Data Port configured for forwarding 2.4GHz Radio detected beacons: 8888 Data Port configured for forwarding 5GHz Radio detected beacons:8889 Heart beats sent for 2.4GHz Port : 1 Heart beats sent for 5GHz Port : 0 Beacon tags received on 2.4GHz Radio and forwarded: 6883 Beacon tags received on 5GHz Radio and forwarded: 0 Beacon tags received on Sensor Radio (2.4GHz Band) and forwarded: 5187 Beacon tags received on Sensor Radio (5Ghz Band) and forwarded: 0 Total number of APs displayed: 1 ap8533-84A224#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 124 SHOW COMMANDS 6.1.59 running-config show commands Displays configuration files (where all configured MAC and IP access lists are applied to an interface) Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show running-config {aaa-policy|application|application-group|

application-policy|association-acl-policy|auto-provisioning-policy|

captive-portal-policy|device|database-client-policy|database-policy|device|

device-overrides|dhcp-server-policy|dhcpv6-server-policy|ex3500-management-

policy|ex3500-qos-class-map-policy|ex3500-qos-policy-map|exclude-devices|

firewall-policy|flag-unwritten-changes|guest-management-policy|hide-encrypted-

values|include-factory|interface|ip-access-list|ipv6-access-list|mac-access-

list|management-policy|meshpoint|nsight-policy|profile|radio-qos-policy|

rf-domain|roaming-assist-policy|rtl-server-policy|schedule-policy|smart-rf-

policy|url-filter|url-list|web-filter-policy|wlan|wlan-qos-policy}

show running-config {aaa-policy|application-policy|association-acl-policy|auto-

provisioning-policy|captive-portal-policy|database-client-policy|database-

policy|dhcp-server-policy|dhcpv6-server-policy|ex3500-management-policy|ex3500-

qos-class-map-policy|ex3500-qos-policy-map|guest-management-policy|firewall-

policy|management-policy|nsight-policy|radio-qos-policy|roaming-assist-policy|

rtl-server-policy|schedule-policy|smart-rf-policy|web-filter-policy|wlan-qos-

policy} <POLICY-NAME> {include-factory}

show running-config {flag-unwritten-changes}

show running-config {application <APPLICATION-NAME>|application-group

<APPLICATION-GROUP-NAME>}

show running-config exclude-devices show running-config {device [<MAC>|self]} {include-factory}

show running-config {device-overrides {brief}}

show running-config {hide-encrypted-values {exclude-devices|include-factory}}

show running-config {include-factory}

show running-config {interface} {<INTERFACE-NAME>|ge|include-factory|me|port-

channel|pppoe1|vlan|wwan1}

show running-config {interface} {<INTERFACE-NAME>|ge <1-4>|include-

factory|me1|port-channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {include-factory}

show running-config {ip-access-list <IP-ACCESS-LIST-NAME>|ipv6-access-list <IPv6-

ACCESS-LIST-NAME>|mac-access-list <MAC-ACCESS-LIST-NAME} {include-factory}

show running-config {meshpoint <MESHPOINT-NAME>} {include-factory}

show running-config {profile [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|

ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|

ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600] <PROFILE-NAME>}

{include-factory}

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 125 SHOW COMMANDS show running-config {rf-domain <DOMAIN-NAME>} {include-factory}

show running-config {wlan <WLAN-NAME>} {include-factory}

show running-config url-filter <URL-FILTER-NAME>

show running-config url-list <URL-LIST-NAME> {include-factory}

Parameters show running-config {flag-unwritten-changes}

running-config flag-unwritten-

changes Flags unsaved changes in the show > running-config command output. Optionally use the flag-unwritten-changes keyword to view changes that have been committed but not saved in the startup configuration. When used, all unsaved changes are marked with a === marker, as shown in the following show > running-config > flag-

unwritten-changes output:

nx9500-6C8809(config)#show running-config flag-unwritten-

changes

!

! Configuration of NX9500 version 5.9.1.0-017D

!

!

version 2.5

!

!

client-identity-group default load default-fingerprints

!

client-identity-group test2 load default-fingerprints

!

===alias encrypted-string $WRITE 2 o5gA2zqj/q/

REWi8rTa7vQAAAAh4yA1YNBjqTVf4mMBsGA4i

!

===alias encrypted-string $enAlias2 2 JI4lPuMaCdMMx7rfBeyIAwAAAAoZ6tR1FfTlFXWvSicTMVZc

!

--More--

nx9500-6C8809(config)#

Execute the write > memory command to save these changes. show running-config {aaa-policy|application-policy|association-acl-policy|

auto-provisioning-policy|captive-portal-policy|database-client-policy|database-

policy|dhcp-server-policy|dhcpv6-server-policy|ex3500-management-policy|ex3500-

qos-class-map-policy|ex3500-qos-policy-map|guest-management-policy|firewall-

policy|management-policy|nsight-policy|radio-qos-policy|roaming-assist-policy|

rtl-server-policy|schedule-policy|smart-rf-policy|web-filter-policy|wlan-qos-

policy} <POLICY-NAME> {include-factory}

running-config

<POLICY-TYPE>

<POLICY-NAME>

Displays current running configuration Optionally, execute the command along with one of the associated keywords to view the running configuration for that top-level object. For example, to view a policy and its configuration, specify the policy type and provide the policy name. Note: If the command is executed without a keyword, the system displays the entire running configuration. Optional. Select the policy type, for example, aaa-policy, auto-provisioning-policy, captive-portal-policy, etc. and then specify the policy name. The system displays the selected policys configuration.

<POLICY-NAME> Specify the name of the policy (should be existing and configured). Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 126 SHOW COMMANDS include-factory The following keyword is common to all policies:

include-factory Optional. Includes factory defaults show running-config {application <APPLICATION-NAME>|apllication-group

<APPLICATION-GROUP-NAME>}

running-config application

<APPLICATION-

NAME>

application-group

<APPLICATION-

GROUP-NAME>

Displays current running configuration Optionally, execute the command along with one of the associated keywords to view the running configuration for that top-level object. For example, to view a policy and its configuration, specify the policy type and provide the policy name. If the command is executed without a keyword, the system displays the entire running configuration. Displays an applications configuration. The application can be system-provided or user-defined.

<APPLICATION-NAME> Specify the application name (should be existing). Displays an application-groups configuration

<APPLICATION-GROUP-NAME> Specify the application-group name (should be existing and configured). show running-config {device [<MAC>|self]} {include-factory}

running-config device [<MAC>|self]

Displays current running configuration Optionally, execute the command along with one of the associated keywords to view the running configuration for that top-level object. For example, to view a policy and its configuration, specify the policy type and provide the policy name. If the command is executed without a keyword, the system displays the entire running configuration. Optional. Displays device configuration

<MAC> Displays a specified device configuration. Specify the MAC address of the device. include-factory self Displays the logged devices configuration The following keyword is common to the <MAC> and self parameters:

Optional. Displays factory defaults show running-config {hide-encrypted-values {exclude-devices|include-factory}}

running-config hide-encrypted-values

{exclude-

devices|include-

factory}

Displays current running configuration Optionally, execute the command along with one of the associated keywords to view the running configuration for that top-level object. For example, to view a policy and its configuration, specify the policy type and provide the policy name. If the command is executed without a keyword, the system displays the entire running configuration. Optional. Replaces all encrypted passwords with the standard characters ****** in the show > running-config output exclude-devices Optional. Excludes devices from the running configuration displayed include-factory Optional. Includes factory default values in the running configuration displayed Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 127 SHOW COMMANDS show running-config {device-overrides {brief}}

running-config device-overrides brief Optional. Displays overrides applied at the devices configuration Displays current running configuration brief Optional. Displays a brief summary of device overrides show running-config {exclude-devices}

running-config exclude-devices Displays current running configuration Optional. Excludes device configuration details from the running configuration displayed show running-config {include-factory}

running-config include-factory Displays current running configuration Optional. Includes factory defaults show running-config {interface} {<INTERFACE-NAME>|ge <1-4>|include-factory|

me1|port-channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {include-factory}

running-config interface

<INTERFACE-NAME> Optional. Displays a specified interface configuration. Specify the interface name. ge <1-4>

Displays current running configuration Optional. Displays interface configuration me1 port-channel <1-2>

pppoe1 vlan <1-4094>

wwan1 include-factory Optional. Displays GigabitEthernet interface configuration

<1-4> Specify the GigabitEthernet interface index from 1 - 4. Optional. Displays FastEthernet interface configuration Optional. Displays port channel interface configuration

<1-2> Specify the port channel interface index from 1 - 2. Optional. Displays PPP over Ethernet interface configuration Displays VLAN interface configuration

<1-4094> Specify the VLAN interface number from 1 - 4094. Optional. Displays Wireless WAN interface configuration The following keyword is common to all interfaces:

Optional. Includes factory defaults show running-config {ip-access-list <IP-ACCESS-LIST-NAME>|ipv6-access-list

<IPv6-ACCESS-LIST-NAME>|mac-access-list <MAC-ACCESS-LIST-NAME} {include-factory}

running-config

<ACL-TYPE>

<IP/IPv6/MAC-ACL-

NAME>

Displays current running configuration Optionally, you can execute the command along with one of the associated keywords to view the running configuration for that top-level object. To view a access-list and its configuration, specify the ACL type and provide the ACL name. Note: If the command is executed without a keyword, the system displays the entire running configuration. Optional. Select the ACL type, for example, ip-access-list, ipv6-access-list, or mac-

access-list, and then specify the ACL name. The system displays the selected ACLs configuration.

<IP/IPv6/MAC-ACL-NAME> Specify the name of the ACL (should be existing and configured). Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 128 SHOW COMMANDS include-factory The following keyword is common to the ip-access-list and mac-access-list parameters:

Optional. Includes factory defaults show running-config {meshpoint <MESHPOINT-NAME>} {include-factory}

include-factory running-config meshpoint

<MESHPOINT-NAME>

Displays current running configuration Optional. Displays meshpoint configuration

<MESHPOINT-NAME> Specify the meshpoint name Optional. Includes factory defaults along with running configuration details show running-config {profile [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|

ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|

ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600] <PROFILE-NAME>}

{include-factory}

running-config profile

<DEVICE-TYPE>

<PROFILE-NAME>

include-factory Displays current running configuration Optional. Displays current configuration for a specified profile. Select the device type, and then specify the profile name.

<DEVICE-TYPE> Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000.

<PROFILE-NAME> Specify the profile name for the selected <DEVICE-TYPE>. Note: Select the anyap option to view the running configuration of any type of device. Optional. This parameter is common to all profiles. When selected, it includes factory defaults in the output. show running-config {rf-domain <DOMAIN-NAME>} {include-factory}

running-config rf-domain <DOMAIN-

NAME>

Displays current running configuration Optional. Displays current configuration for a RF Domain

<DOMAIN-NAME> Displays current configuration for a specified RF Domain. include-factory Optional. Includes factory defaults Specify the RF Domain name. show running-config {wlan <WLAN-NAME>} {include-factory}

running-config wlan <WLAN-NAME> Optional. Displays current configuration for a WLAN Displays current running configuration

<WLAN-NAME> Displays current configuration for a specified WLAN. Specify the WLAN name. include-factory Optional. Includes factory defaults show running-config url-filter <URL-FILTER-NAME>

running-config url-filter <URL-FILTER-

NAME>

Displays current running configuration Optional. Displays current configuration for the URL filter identified by the <URL-

FILTER-NAME> keyword

<URL-FILTER-NAME> Specify the URL filters name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 129 SHOW COMMANDS show running-config url-list <URL-LIST-NAME> {include-factory}

running-config url-list <URL-LIST-

NAME>

include-factory Displays current running configuration Optional. Displays current configuration for the URL list identified by the <URL-LIST-

NAME> keyword

<URL-FILTER-NAME> Specify the URL lists name. Optional. Includes factory defaults Example rfs6000-81742D#show running-config device self

!

version 2.5

!

!

ip snmp-access-list default permit any

!

firewall-policy default no ip dos tcp-sequence-past-window

!

!

mint-policy global-default

!

!

management-policy default no telnet no http server https server no ftp ssh user admin password 1 fd07f19c6caf46e5b7963a802d422a708ad39a24906e04667c8642299c8462f1 role superuser access all

--More--

rfs6000-81742D#

rfs6000-81742D#show running-config profile ap81xx default-ap81xx profile ap81xx default-ap81xx autoinstall configuration autoinstall firmware crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac crypto ikev1 remote-vpn crypto ikev2 remote-vpn crypto auto-ipsec-secure crypto remote-vpn-client interface radio1 interface radio2 interface radio3 interface ge1

--More--

rfs6000-81742D#

nx9500-6C8809#show running-config url-filter URL_FILTER_Shopping include-factory url-filter URL_FILTER_Shopping no description blacklist category-type p2p precedence 20 description description blacklist category-type news-sports-general category shopping precedence 10 description description blockpage path internal blockpage internal org-name Your Organization Name Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 130 SHOW COMMANDS blockpage internal org-signature Your Organization Name, All Rights Reserved. blockpage internal title This URL may have been filtered. blockpage internal header The requested URL could not be retrieved. blockpage internal footer If you have any questions please contact your IT department. blockpage internal content The site you have attempted to reach may be considered inappropriate for access. no blockpage internal main-logo no blockpage internal small-logo no blockpage external nx9500-6C8809#

nx9500-6C8809#show running-config url-list AllowedShopping url-list AllowedShopping url ebay.com depth 10 url amazon.com depth 10 nx9500-6C8809#

nx9500-6C8809#show running-config application Bing application Bing app-category streaming use url-list Bing nx9500-6C8809#

nx9500-6C8809#sho running-config application-group amazon application-group amazon application amazon_cloud application amazon_shop application amazon-prime-music application amazon-prime-video nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 131 SHOW COMMANDS 6.1.60 session-changes show commands Displays configuration changes made in the current session Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show session-changes Parameters None Example rfs6000-81742D(config)#show session-changes No changes in this session rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 132 SHOW COMMANDS 6.1.61 session-config show commands Lists active open sessions on a device Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show session-config {exclude-devices|include-factory}

Parameters show session-config {exclude-devices|include-factory}

session-config

{exclude-devices|

include-factory}

Displays current session configuration exclude-devices Optional. Excludes device configuration details from the output include-factory Optional. Includes factory defaults Example nx9500-6C8809(config)#show session-config

!

! Configuration of NX9500 version 5.9.1.0-017D

!

!

version 2.5

!

!

client-identity-group default load default-fingerprints

!

ip access-list BROADCAST-MULTICAST-CONTROL permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"

permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"

deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description

"deny windows netbios"

deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"

deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"

permit ip any any rule-precedence 100 rule-description "permit all IP traffic"

!

mac access-list PERMIT-ARP-AND-IPv4 permit any any type ip rule-precedence 10 rule-description "permit all IPv4 tra

--More--

nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 133 SHOW COMMANDS 6.1.62 sessions show commands Displays CLI sessions initiated on a device Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show sessions all {on <DEVICE-NAME>}

Parameters show sessions all {on <DEVICE-NAME>}

sessions all on <DEVICE-NAME> Optional. This is a recurring keyword and is common to the all parameter. Displays Displays CLI sessions initiated on a device Displays all sessions including internal CLI sessions on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example nx9500-6C8809#show sessions INDEX COOKIE NAME START TIME FROM ROLE 1 2 snmp 2017-06-02 14:31:23 127.0.0.1 superuser 2 3 snmp2 2017-06-02 14:31:23 127.0.0.1 superuser 3 18 admin 2017-06-06 10:38:36 192.168.13.17 superuser nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 134 SHOW COMMANDS 6.1.63 site-config-diff show commands Displays the difference in site configuration available on the NOC and a site. The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller, The NOC controller constitutes the first and the site controllers constitute the second tier of the hierarchy. The site controllers may or may not be grouped to form clusters. The site controllers in turn adopt and manage access points that form the third tier of the hierarchy. NOC controllers possess default site configuration details. Overrides applied at the site level result in a mismatch of configuration at the site and the default site configuration available on the NOC controller. Use this command to view this difference. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show site-config-diff <SITE-NAME>

Parameters show site-config-diff <SITE-NAME>

site-config-diff

<SITE-NAME>

Displays the configuration difference for the specified site

<SITE-NAME> Specify the site name. Example nx9500-6C874D#show site-config-diff 5C-0E-8B-18-06-F4

---- Config diff for switch 5C-0E-8B-18-06-F4 ----

rfs6000 5C-0E-8B-18-06-F4 interface pppoe1 no shutdown nx9500-6C874D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 135 SHOW COMMANDS 6.1.64 smart-rf show commands Displays Self-Monitoring At Run Time (Smart RF) statistical history to assess adjustments made to device configurations to compensate for detected coverage holes or device failures When invoked by an administrator, Smart RF instructs access point radios to change to a specific channel and begin beaconing using the maximum available transmit power. Within a well-planned deployment, any RF Domain member access point radio should be reachable by at least one other radio. Smart RF records signals received from its neighbors as well as signals from external, un-managed radios. AP-to-AP distance is recorded in terms of signal attenuation. The information from external radios is used during channel assignment to minimize interference. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show smart-rf [ap|channel-distribution|history|history-timeline|interfering-ap|

interfering-neighbors|radio]

show smart-rf ap {<MAC>|<DEVICE-NAME>|activity|energy|neighbors|on <DOMAIN-NAME>}

show smart-rf ap {<MAC>|<DEVICE-NAME>} {on <DOMAIN-NAME>}

show smart-rf ap (activity|energy|neighbors} [<MAC>|<DEVICE-NAME>] {(on <DOMAIN-

NAME>)}

show smart-rf [channel-distribution|history|history-timeline] {on <DOMAIN-NAME>}

show smart-rf radio {<MAC>|activity|all-11an|all-11bgn|channel|energy|neighbors|

on <DOMAIN-NAME>}

show smart-rf radio {<MAC>|all-11an|all-11bgn|energy <MAC>} {on <DOMAIN-NAME>}

show smart-rf radio {activity|neigbors} {<MAC>|all-11an|all-11bgn} {on <DOMAIN-

NAME>}

show smart-rf interfering-ap {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}

show smart-rf interfering-neighbors {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>|

threshold <50-100>}

Parameters show smart-rf ap {<MAC>|<DEVICE-NAME>} {on <DOMAIN-NAME>}

smart-rf ap

<MAC>

Displays Smart RF related information Displays access point related Smart RF information Optional. Uses MAC addresses to identify access points. Displays all access points, if no MAC address is specified. Optional. Uses an administrator defined name to identify an access point

<DEVICE-NAME>

on <DOMAIN-NAME> Optional. Displays access point details on a specified RF Domain

<DOMAIN-NAME> Specify the domain name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 136 show smart-rf ap (activity|energy|neighbors} [<MAC>|<DEVICE-NAME>] {(on <DOMAIN-

NAME>)}

SHOW COMMANDS smart-rf ap activity energy neighbors

{<MAC>|

<DEVICE-NAME>}

Displays Smart RF related information Displays AP related Smart RF information Optional. Displays Smart RF activity related information Use this option to view the following:

Time-period Lists the frequency Smart RF activity is trended for the RF Domain. Trending periods include the current hour, last 24 hours, or the last seven days. Comparing Smart RF adjustments versus the last seven days enables an administrator to assess whether periods of interference and poor performance were relegated to just specific periods. Power changes Displays the number of Smart RF initiated power level changes needed for RF Domain member devices during each of the three trending periods. Determine whether power compensations were relegated to known device outages or if compensations were consistent over the course of a day or week. Channel changes Lists the number of Smart RF initiated channel changes needed for RF Domain member devices during each of the three trending periods. Determine if channel adjustments were relegated to known device count increases or decreases over the course of a day or week. Coverage changes Displays the number of Smart RF initiated coverage changes needed for RF Domain member devices during each of the three trending periods. Determine if coverage changes were relegated to known device failures or known periods of interference over the course of a day or week. Optional. Displays AP energy for a specified AP or all APs Use this option to view an RF Domain member access points operating channels, noise level and neighbor count. This information helps assess whether Smart RF neighbor recovery is needed in respect to poorly performing access points. Optional. Displays AP neighbors Use this option to view attributes of neighbor radio resources available for Smart RF radio compensations for other RF Domain member device radios. The following keywords are common to all of the above parameters:

<MAC> Displays all of the above mentioned information for a specified AP, identified by its MAC address. Specify the APs MAC address.

<DEVICE-NAME> Displays all of the above mentioned information for a specified AP, identified by its hostname. Specify the APs hostname. on <DOMAIN-NAME> Optional.Displays access point details on a specified RF Domain

<DOMAIN-NAME> Specify the domain name. show smart-rf [channel-distribution|history|history-timeline] {on <DOMAIN-

NAME>}

smart-rf channel-distribution Displays Smart RF related information Displays Smart RF channel distribution information. This provides an overview of how RF Domain member devices are utilizing different channels to optimally support connect devices and avoid congestion and interference with neighboring devices. Assess whether the channel spectrum is being effectively utilized and whether channel changes are warranted to improve RF Domain member device performance. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 137 SHOW COMMANDS history history-timeline on <DOMAIN-NAME>

Displays Smart RF calibration history Use this option to view description and types of Smart RF events impacting RF Domain member devices. Displays extended Smart RF calibration history on an hourly or daily timeline Use this option to view the time stamp when Smart RF status was updated on behalf of a Smart RF adjustment within the selected RF Domain. The following keyword is common to all of the above parameters:

on <DOMAIN-NAME> Optional. Displays Smart RF configuration, based on the parameters passed, on a specified RF Domain on <DOMAIN-NAME> Specify the RF Domain name. show smart-rf radio {<MAC>|all-11an|all-11bgn|energy <MAC>} {on <DOMAIN-NAME>}

smart-rf radio

<MAC>

all-11an all-11bgn energy {<MAC>}

Displays Smart RF related information Displays radio related commands Optional. Displays details of a specified radio. Specify the radios MAC address in the AA-BB-CC-DD-EE-FF format. Optional. Displays all 11a radios currently in the configuration Optional. Displays all 11bg radios currently in the configuration Optional. Displays radio energy

<MAC> Optional. Specify the radios MAC address in the AA-BB-CC-DD-EE-FF format. Use this option to view an RF Domain member access point radios operating channel, noise level and neighbor count. This information helps assess whether Smart RF neighbor recovery is needed in respect to poorly performing radios. on <DOMAIN-NAME> The following keyword is common to all of the above parameters:

on <DOMAIN-NAME> Optional. Displays radio details on a specified RF Domain

<DOMAIN-NAME> Specify the RF Domain name. show smart-rf radio {activity|neighbors} {<MAC>|all-11an|all-11bgn} {on <DOMAIN-

NAME>}

smart-rf radio activity

<MAC>

Displays Smart RF related information Displays Smart RF radio related commands Optional. Displays changes related to radio power, number of radio channels, or coverage holes. Use additional filters to view specific details. Optional. Displays radio activity for a specified radio

<MAC> Specify the radios MAC address. Optional. Displays radio activity of all 11a radios in the configuration Optional. Displays radio activity of all 11bg radios in the configuration all-11an all-11bgn on <DOMAIN-NAME> Optional. Displays radio activity of all radios within a specified RF Domain

<DOMAIN-NAME> Specify the RF Domain name. show smart-rf interfering-ap {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}

smart-rf interfering-ap Displays Smart RF related information Displays interfering access points (requiring potential isolation) information Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 138 SHOW COMMANDS

<MAC>

<DEVICE-NAME>

Optional. Displays information of a specified interfering access point

<MAC> Specify the access points MAC address. Note: Considers all APs if this parameter is omitted Optional. Displays interfering access point information on a specified device

<DEVICE-NAME> Specify the device name. Note: Considers all APs if this parameter is omitted on <DOMAIN-NAME> Optional. Displays all interfering access point information within a specified RF Domain

<DOMAIN-NAME> Specify the RF Domain name. show smart-rf interfering-neighbors {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>|

threshold <50-100>}

smart-rf interfering-ap

<MAC>

<DEVICE-NAME>

threshold <50-100>

Displays Smart RF related information Displays interfering neighboring access point information Optional. Displays interfering neighboring access point information

<MAC> Specify the access points MAC address. Considers all APs if this parameter is omitted Optional. Displays all interfering neighboring access point information on a specified device

<DEVICE-NAME> Specify the device name. Considers all APs if this parameter is omitted Optional. Specifies the maximum attenuation threshold of interfering neighbors.

<50-100> Specify a value from 50 -100 dB. Attenuation is a measure of the reduction of signal strength during transmission. Attenuation is the opposite of amplification, and is normal when a signal is sent from one point to another. If the signal attenuates too much, it becomes unintelligible. Attenuation is measured in decibels. on <DOMAIN-NAME> Optional. Displays radio activity of all radios within a specified RF Domain

<DOMAIN-NAME> Specify the RF Domain name. Example rfs6000-81742D(config)#show smart-rf calibration-status No calibration currently in progress rfs6000-81742D(config)#

rfs6000-81742D(config)#show smart-rf history

--------------------------------------------------------------------------------

-------

TIME EVENT DESCRIPTION

--------------------------------------------------------------------------------

-------

--------------------------------------------------------------------------------

-------

Total number of history entries displayed: 0 rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 139 SHOW COMMANDS 6.1.65 spanning-tree show commands Displays spanning tree utilization information Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show spanning-tree mst {configuration|detail|instance|on <DEVICE-NAME>}

show spanning-tree mst {configuration} {(on <DEVICE-NAME>)}

show spanning-tree mst {detail} {interface|on}

show spanning-tree mst {detail} interface {<INTERFACE-NAME>|ge <1-4>|me1|port-

channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {(on <DEVICE-NAME>)}

show spanning-tree mst {instance <1-15>} {interface <INTERFACE-NAME>} {(on

<DEVICE-NAME>)}

Parameters show spanning-tree mst {configuration} {(on <DEVICE-NAME>)}

spanning-tree mst configuration

{on <DEVICE-

NAME>}

Displays spanning tree utilization information Displays Multiple Spanning Tree (MST) related information Optional. Displays MST configuration on <DEVICE-NAME> Optional. Displays MST configuration on a specified device

<DEVICE-NAME> Specify the name of the AP or wireless controller. Note: If the on keyword is used without any of the other options, the system displays a summary of spanning tree utilization information on the specified device. show spanning-tree mst {detail} interface {<INTERFACE-NAME>|ge <1-4>|me1|port-

channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {(on <DEVICE-NAME>)}

spanning-tree mst detail interface

[<INTERFACE>|

ge <1-4>|me1|

port-channel <1-2>|

pppoe1|

vlan <1-4094>

wwan1]

Displays spanning tree information Displays MST configuration Optional. Displays detailed MST configuration, based on the parameters passed Displays detailed MST configuration for a specified interface

<INTERFACE> Displays detailed MST configuration for a specified interface. Specify the interface name. ge <1-4> Displays GigabitEthernet interface MST configuration

<1-4> Select the GigabitEthernet interface index from 1 - 4. me1 Displays FastEthernet interface MST configuration port-channel Displays port channel interface MST configuration

<1-2> Select the port channel interface index from 1 - 2. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 140 SHOW COMMANDS on <DEVICE-NAME>

pppoe1 Displays PPP over Ethernet interface MST configuration vlan Displays VLAN interface MST configuration

<1-4094> Select the SVI VLAN ID from 1 - 4094. wwan1 Displays Wireless WAN interface MST configuration The following keyword is common to all interfaces:

on <DEVICE-NAME> Optional. Displays detailed MST configuration on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. show spanning-tree mst {instance <1-15>} {interface <INTERFACE-NAME>} {(on

<DEVICE-NAME>)}

spanning-tree mst instance <1-15>

interface

<INTERFACE-NAME>

Displays spanning tree information Displays MST configuration. Use additional filters to view specific details. Optional. Displays information for a particular MST instance

<1-15> Specify the instance ID from 1 - 15. Optional. Displays MST configuration for a specific interface instance. The options are:

<INTERFACE-NAME> Displays MST configuration for a specified interface. Specify on <DEVICE-NAME> Optional. Displays MST configuration on a specified device the interface name.

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example rfs6000-81742D#show spanning-tree mst configuration

%%

% MSTP Configuration Information for bridge 1 :

%%------------------------------------------------------

% Format Id : 0

% Name : My Name

% Revision Level : 0

% Digest : 0xac36177f50283cd4b83821d8ab26de62

%%------------------------------------------------------

rfs6000-81742D#

rfs6000-81742D#show spanning-tree mst detail interface ge 1

% Bridge up - Spanning Tree Disabled

% CIST Root Path Cost 0 - CIST Root Port 0 - CIST Bridge Priority 32768

% Forward Delay 15 - Hello Time 2 - Max Age 20 - Max hops 20

% 1: CIST Root Id 800000157081742e

% 1: CIST Reg Root Id 800000157081742e

% 1: CIST Bridge Id 800000157081742e

% portfast bpdu-filter disabled

% portfast bpdu-guard disabled

% portfast portfast errdisable timeout disabled

% portfast errdisable timeout interval 300 sec

% cisco interoperability not configured - Current cisco interoperability off

% ge1: Port 2001 - Id 87d1 - Role Disabled - State Forwarding

% ge1: Designated External Path Cost 0 - Internal Path Cost 0

%

--More--

rfs6000-81742D#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 141 SHOW COMMANDS 6.1.66 startup-config show commands Displays complete startup configuration script Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show startup-config {include-factory}

Parameters show startup-config {include-factory}

startup-config include-factory Displays startup configuration script include-factory Optional. Includes factory defaults Example nx9500-6C8809#show startup-config

!

! Configuration of NX9500 version 5.9.1.0-017D

!

!

version 2.5

!

password-encryption-version 1.0 inline-password-encryption password-encryption-key secret 2 2cd258b63fa0e16a753394d779cbc5a20000002065d2c29edf373ed42131fa410426d5cb8b0296ff ea49331cb72e122e421acc9c

!

client-identity-group default load default-fingerprints

!

client-identity-group test2 load default-fingerprints

!

alias network-group $NetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25 alias network-group $NetGrpAlias network 192.168.13.0/24 192.168.16.0/24

!

alias network $NetworkAlias 192.168.13.0/24

!

--More--

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 142 SHOW COMMANDS 6.1.67 t5 show commands Displays adopted T5 controller statistics Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX7500, NX7510, NX7510, NX7520, NX9500, NX9510, NX9600, VX9000 NOTE: This command is applicable only on WiNG controllers with adopted and managed T5 controllers. Syntax show t5 [boot|clock|cpe|interface|mac|system|temperature|uptime|version|

wireless] {on <T5-DEVICE-NAME>}

show t5 [boot|clock|system|temperature|uptime|version] {on <T5-DEVICE-NAME>}

show t5 cpe [address|boot|ether port status|led|reset|system|uptime|version] {on

<T5-DEVICE-NAME>}

show t5 interface [dsl|fe|ge|radio]

show t5 interface [dsl|fe|ge] [counter|description|errors|status|utilization] {on

<T5-DEVICE-NAME>}

show t5 interface dsl custom [avg|dses|dsses|peak|uses|usses] {on <T5-DEVICE-

NAME>}

show t5 interface radio [stats|status|wlam-map] {on <T5-DEVICE-NAME>}

show t5 mac table [filter name [dsl<1-24>|ge <1-2>|vlan <1-4094>|wlan <1-24>] {on

<T5-DEVICE-NAME>}]

show t5 wireless [client|wlan]

show t5 wireless client {filter name [association-status|authentication-

status|bss|mac-address|retry-percentage|rssi-value]} {on <T5-DEVICE-NAME>}

show t5 wireless wlan counters [qos|rate|size] {on <T5-DEVICE-NAME>}

Parameters show t5 [boot|clock|system|temperature|uptime|version] {on <T5-DEVICE-NAME>}

t5 boot clock system temperature uptime Displays adopted T5 controller statistics Displays the T5 devices boot details. Use this option to view the primary and secondary image files available to use for booting up. Displays the T5 controllers system time, as reported from the controller itself or its remote NTP time resource Displays T5 controllers system information, which includes the T5 controllers hostname, MAC address, RF Domain, system clock, uptime Displays T5 controllers current temperature Displays the T5 controllers uptime (the time it has been actively deployed and operational) Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 143 SHOW COMMANDS version on <T5-DEVICE-

NAME>

Displays the T5 controllers primary and secondary firmware images Optional. Executes the command on a specified T5 device

<T5-DEVICE-NAME> Specify the T5 devices hostname. An error message is displayed if no T5 device name is specified. show t5 cpe [address|boot|ether port status|led|reset|system|uptime|version]

{on <T5-DEVICE-NAME>}

t5 cpe address boot ether port status led reset system uptime version on <T5-DEVICE-

NAME>

Displays adopted T5 controller statistics Displays the T5 controller managed Customer Premises Equipment (CPE) statistics based on the parameters passed. Use this command to verify each CPE address credentials and whether currently disconnected or ready for radio coverage area support. Displays each linked CPE's current IP address used as its network identifier Displays the primary and secondary firmware versions available to each CPE, along with status of the most recent upgrade operation details Displays Ethernet port status Displays whether the CPEs currently have their LEDs enabled or disabled. In places like hospitals, its not uncommon for access points to be operational, but their LEDs off as to not disturb patients. Displays the number times a CPE has been reset Displays device hardware and SKU information for each CPE. Use this information to assess whether a controller is managing the correct CPE devices out of the total number of CPEs available. Displays the time each CPE device has been actively deployed and operational Displays the application and boot versions utilized by the CPE devices Optional. Executes the command on a specified T5 device

<T5-DEVICE-NAME> Specify the T5 devices hostname. An error message is displayed if no T5 device name is specified. show t5 interface [dsl|fe|ge] [counter|description|errors|status|utilization]

{on <T5-DEVICE-NAME>}

t5 interface

[dsl|fe|ge|radio]

[counter|description|

errors|status|

utilization]

Displays adopted T5 controller statistics Displays T5 interface-related statistics based on the interface selected Select the interface type. The options are: dsl, fe, ge. dsl Displays Digital Subscriber Line (DSL) interface related information fe Displays Fast Ethernet (FE) interface related information ge Displays Gigabit Ethernet (GE) interface related information The system displays the following information for the DSL, GE, and FE ports:

counter Displays the following:

Number of octets (bytes) received and transmitted on this port Number of data packets received and transmitted on this port Number of flow control (layer 2) packets received and transmitted on this port Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 144 contd.. description Displays the following:

SHOW COMMANDS The selected ports name The numeric index assignable to each port The 64 character maximum, unique, administrator-assigned description to each port errors Displays the following DSL interface related errors:

The name of the DSL utilized by each T5 controller connected CPE device. The number of FECs detected in the downstream direction. Forward Error Correction (FEC) or channel coding is used for controlling errors over unreliable or noisy communication channels. The number of CPE DSL coding violations (badly coded packets) detected in the downstream direction. The number of FECs detected in the upstream direction. The number of CPE DSL coding violations (badly coded packets) detected in the upstream direction. status Displays the following:

The selected ports name Whether the port is currently up or down as a T5 controller transmit and receive resource The port's current speed in MB Whether pause packet utilization is currently off or on for the selected port Whether each listed port is enabled or disabled by the administrator utilization Displays the following:

The selected ports name The ports receive and transmit data rates (in Kbps) The packet per second port receive and transmit rates (p/s) Each port's receive and transmit direction utilization as a percentage of the total transmit bandwidth available. on <T5-DEVICE-

NAME>

Optional. Executes the command on a specified T5 device

<T5-DEVICE-NAME> Specify the T5 devices hostname. An error message is displayed if no T5 device name is specified. show t5 interface dsl custom [avg|dses|dsses|peak|uses|usses]

{on <T5-DEVICE-NAME>}

t5 interface dsl Displays adopted T5 controller statistics Displays T5 interface-related statistics based on the interface selected Selects A T5 controllers DSL interface. A T5 controller uses the operating system to manage its connected radio devices, as opposed to the WiNG operating used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5s management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the operating system. These CPEs use a DSL as their high speed Internet access mechanism using the CPEs physical wallplate connection and phone jack. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 145 SHOW COMMANDS custom

[avg|dses|dsses|peak|u ses|usses]

Displays following custom CPE DSL data:

avg Each DSL's average response time in microseconds dses The number of seconds downstream DSL transmissions were negatively impacted by code violations. dsses The number of seconds downstream DSL transmissions were severely negatively impacted by code violations. peak Each DSL's maximum (best to date since the screen was refreshed) response time in microseconds. uses The number of seconds upstream DSL transmissions were negatively impacted by code violations. usses The number of seconds upstream DLS transmissions were severely negatively impacted by code violations. on <T5-DEVICE-

NAME>

Optional. Executes the command on a specified T5 device

<T5-DEVICE-NAME> Specify the T5 devices hostname. An error message is displayed if no T5 device name is specified. show t5 interface radio [stats|status|wlam-map] {on <T5-DEVICE-NAME>}

t5 interface radio

[stats|status|

wlan-map]

Displays adopted T5 controller statistics Displays T5 interface-related statistics based on the interface selected Displays following radio interface related information:

stats Displays T5 radio interface statistics. A T5 controller uses the operating system to manage its connected radio devices, as opposed to the WiNG operating used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5s management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the operating system. Use this option to view the following:

name The administrator assigned name of each listed CPE radio as its unique identifier Rx (Kbps) The listed CPE radio's receive data rate (in Kbps). Use this information to assess RF activity versus other T5 managed CPE radios in the same radio cover-

age area. Rx Octets The number of octets (bytes) received with no errors by the listed T5 controller managed CPE radio. Rx Packets The number of data packets received for the listed T5 managed CPE radio since this screen was last refreshed. Tx (Kbps) The listed CPE radio's transmit data rate (in Kbps). Use this informa-

tion to assess RF activity versus other T5 managed CPE radios in the same radio coverage area. Tx Octets Displays the number of octets (bytes) transmitted with no errors by the listed T5 controller managed CPE radio. Tx Packets The number of data packets transmitted from the listed T5 managed CPE radio since this screen was last refreshed. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 146 SHOW COMMANDS contd.. status Displays T5 radio interface status information name The administrator assigned name of each listed CPE radio as its unique identifier. Operational status The radio interfaces operational status (enabled/disabled). mac The T5 radio interface's MAC address. transmit power The T5 radio interfaces transmit power. Channel The T5 radio interfaces channel of operation. wlan-map Displays WLAN map membership data for T5 controller managed CPE radio devices. Use this option to view the following:

name The administrator assigned name of each listed CPE radio as its unique identifier. status Whether a CPE radio is currently enabled or disabled as a radio resource for the WLAN(s) the CPE radio has been mapped to. wlan-radio-mapping The managed WLAN(s) each listed radio has been mapped to. on <T5-DEVICE-

NAME>

Optional. Executes the command on a specified T5 device

<T5-DEVICE-NAME> Specify the T5 devices hostname. An error message is displayed if no T5 device name is specified. show t5 mac table [filter name [dsl<1-24>|ge <1-2>|vlan <1-4094>|wlan <1-24>]

{on <T5-DEVICE-NAME>}

t5 mac table

[dsl<1-24>|ge <1-2>|

vlan <1-4094>|

wlan <1-24>]

on <T5-DEVICE-

NAME>

Displays adopted T5 controller statistics Displays T5 MAC address table. The T5 MAC table displays a dynamic list of MAC addresses learned by the T5 controller over its ethernet interfaces. Use this information to identify devices and the interfaces on which they can be found. Use the following additional filters to filter on the basis of the VLAN or DSL interface:

dsl <1-24> Filters information on the basis of the selected DSL port ge <1-2> Filters information on the basis of the selected GE port vlan <1-4094 Filters information on the basis of the selected VLAN port wlan <1-24> Filters on the basis of the selected CPE Optional. Executes the command on a specified T5 device

<T5-DEVICE-NAME> Specify the T5 devices hostname. An error message is displayed if no T5 device name is specified. show t5 wireless client {filter name [association-status|authentication-

status|bss|mac-address|retry-percentage|rssi-value]} {on <T5-DEVICE-NAME>}

t5 wireless client Displays adopted T5 controller statistics Displays the T5 wireless client and WLAN related statistics client Displays read-only device information for wireless clients associated with the selected T5 controller and its connected CPE device radios. Use this information to assess if configuration changes are required to improve client performance. Use the additional filters available to view specific client-related information. The options are:

association-status Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 147 SHOW COMMANDS authentication-status bss retry-percentage rssi-value on <T5-DEVICE-

NAME>

Optional. Executes the command on a specified T5 device

<T5-DEVICE-NAME> Specify the T5 devices hostname. An error message is displayed if no T5 device name is specified. show t5 wireless wlan counters [qos|rate|size] {on <T5-DEVICE-NAME>}

t5 wireless wlan

[qos|rate|size]

Displays adopted T5 controller statistics Displays the T5 wireless WLAN related statistics wlan Displays following T5 controller traffic counter statistics:

qos T5 controller WLAN QoS utilization. Displays the number of background

(low priority) and best-effort packets received and transmitted on each listed T5 controller managed WLANs rates Displays T5 controller's WLAN utilization data rate statistics Lists the number of data packets received and transmitted in the WLAN that have been relegated to a 1 Mbps data rate Lists the number of data packets received and transmitted in the WLAN by T5 controller connected devices at 54Mbps size Displays the number of data packets received and transmitted, in each listed WLAN, greater than 1024 bytes on <T5-DEVICE-

NAME>

Optional. Executes the command on a specified T5 device

<T5-DEVICE-NAME> Specify the T5 devices hostname. An error message is displayed if no T5 device name is specified. Example The following examples are for show commands executed on the t5-ED7C6C controller adopted by the nx9500-6C8809 wireless controller:

nx9500-6C8809(config)#show t5 boot on t5-ED7C6C Primary Version: 5.4.2.0-010R Secondary Version: 5.4.2.0-006B Next Boot: Primary Upgrade Status: none Upgrade Progress %: 0 nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 version on t5-ED7C6C Bootloader Version: 5.4.2.0-010R Application Version: 5.4.2.0-010R nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 148 SHOW COMMANDS nx9500-6C8809(config)#show t5 system on t5-ED7C6C Serial Number 14213522400004 SKU TS-0524-WR Hardware Rev 5 Mac Address B4-C7-99-ED-7C-6C Description 24-port PowerBroadband VDSL2 Switch Version 5.4.2.0-010R Contact NULL Name t5-ED7C6C Location NULL nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 clock on t5-ED7C6C Time 6-6-2017 17:14:30 UTC nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 interface ge counter on t5-ED7C6C

--------------------------------------------------------------------------------

-----------------------------------

INTERFACE RECEIVE OCTETS RECEIVE PACKETS RECEIVE PAUSE PKTS TRANSMIT OCTETS TRANSMIT PACKETS TRANSMIT PAUSE PKTS

--------------------------------------------------------------------------------

-----------------------------------

ge1 711128918 89636040 0 2558110037 133720283 0 ge2 2515775064 133311355 0 3422167586 78735853 0

--------------------------------------------------------------------------------

-----------------------------------

nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 uptime on t5-ED7C6C Up Time 0 days 1 day, 3:19:43 nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 temperature on t5-ED7C6C

============ Temperature ============

--------------------------------------------------------------------

INDEX CURRENT (C) FANS @ FULL SPEED (C) FANS @ VARIABLE SPEED (C)

--------------------------------------------------------------------

1 39 70 60

--------------------------------------------------------------------

nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 cpe address on t5-ED7C6C

--------------------------------------------------------------------------------

DEVICE STATUS IP ADDRESS MAC ADDRESS

--------------------------------------------------------------------------------

cpe1 ready 192.168.13.32 00-C0-23-69-80-CD cpe2 ready 192.168.13.33 74-6F-F7-40-16-62 cpe3 disconnected 0.0.0.0 00-00-00-00-00-00 cpe4 disconnected 0.0.0.0 00-00-00-00-00-00 cpe5 disconnected 0.0.0.0 00-00-00-00-00-00

--More--

nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 149 SHOW COMMANDS nx9500-6C8809(config)#show t5 cpe led on t5-ED7C6C

--------------------------------------------------------------------------------

-------

DEVICE LED STATUS

--------------------------------------------------------------------------------

---

cpe1 enable cpe2 enable cpe3 enable cpe4 enable cpe5 enable

--More--

nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 mac table filter name vlan 1 on t5-ED7C6C

--------------------------------------------------------------------------------

-------

T5-MAC VLAN ADDRESS INTERFACE VENDOR

--------------------------------------------------------------------------------

-------

B4-C7-99-ED-7C-6C 1 00-02-B3-28-D1-55 ge1 Intel Corp B4-C7-99-ED-7C-6C 1 00-1E-67-4B-BF-BD ge1 Intel Corp B4-C7-99-ED-7C-6C 1 00-23-68-11-E6-C4 ge1 Extreme Tech B4-C7-99-ED-7C-6C 1 00-23-68-88-0D-A7 ge1 Extreme Tech B4-C7-99-ED-7C-6C 1 00-23-68-99-BB-7C ge1 Extreme Tech B4-C7-99-ED-7C-6C 1 00-A0-F8-68-D5-70 ge1 Extreme Tech B4-C7-99-ED-7C-6C 1 00-C0-23-69-80-CD dsl1 00-C0-23 B4-C7-99-ED-7C-6C 1 1C-7E-E5-18-FA-67 ge1 D-

Link Corp B4-C7-99-ED-7C-6C 1 3C-CE-73-F4-47-83 ge1 Cisco Systems B4-C7-99-ED-7C-6C 1 74-6F-F7-40-16-62 dsl2 Wistron Corp

--More--

nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 150 SHOW COMMANDS 6.1.68 terminal show commands Displays terminal configuration parameters Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show terminal Parameters None Example rfs6000-81742D(config)#show terminal Terminal Type: xterm Length: 24 Width: 200 rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 151 SHOW COMMANDS 6.1.69 timezone show commands Displays a devices timezone Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show timezone Parameters None Example rfs6000-81742D(config)#show timezone Timezone is America/Los_Angeles rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 152 SHOW COMMANDS 6.1.70 traffic-shape show commands Displays traffic-shaping related configuration details and statistics Traffic shaping regulates network data transfers to ensure a specific performance level. Traffic shaping delays the flow of packets defined as less important than prioritized traffic streams. Traffic shaping enables traffic control out an interface to match its flow to the speed of a remote targets interface and ensure traffic conforms applied policies. Traffic can be shaped to meet downstream requirements and eliminate network congestion when data rates are in conflict. Apply traffic shaping to specific applications to apply application categories. When application and ACL rules are conflicting, ACL rules take precedence for the traffic shaping class. Using traffic shaping, an application takes precedence over an application category. Supported in the following platforms:

Access Points AP6521, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530 Syntax show traffic-shape [priority-map|statistics {class <1-4>}|status] {on <DEVICE-

NAME>}

Parameters show traffic-shape [priority-map|statistics {class <1-4>}|status] {on <DEVICE-

NAME>}

traffic-shape priority-map statistics class <1-4>

status on <DEVICE-NAME>

Displays traffic-shaping related configuration details and statistics Displays the traffic shaper queue priority. There are 8 queues (0 - 7), and traffic is queued in each based on incoming packets 802.1p markings. Displays traffic-shaping related statistics for all traffic shaper classes or for a selected class class <1-4> Optional. Specify the traffic class from 1 - 4. The system displays traffic shaping statistics for the selected class. If not selected, the system statistics for all classes. Displays the controller or service platforms traffic shaping status (whether running or not) Optional. Displays traffic-shaping related configuration details and statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 153 SHOW COMMANDS Example ap7532-DEB9B0#show traffic-shape priority-map

----------------------------------------

DOT1P-PRIORITY TX-SHAPER-PRIORITY

----------------------------------------

0 2 1 0 2 1 3 3 4 4 5 5 6 6 7 7

----------------------------------------

ap7532-DEB9B0#

ap7532-DEB9B0#show traffic-shape status State of Traffic shaper: running ap7532-DEB9B0#

ap7532-DEB9B0#show traffic-shape statistics Traffic shaper class : 1 Class 1 is not configured:

Traffic shaper class : 3 Class 3 is not configured:

Traffic shaper class : 2 Rate: 1500 Kbps

--------------------------------------------------------------------------------

-------

PRIORITY PKTS-SENT PKTS-DELAYED PKTS-DROPPED CURRENT-QUEUE-LEN CURRENT-

LATENCY(IN USECS)

--------------------------------------------------------------------------------

-------

1 0 0 0 0 0 0 0 0 0 0 0 3 0 0 0 0 0 2 152153035 151924251 1508343 11 33447 5 0 0 0 0 0 4 0 0 0 0 0 7 0 0 0 0 0 6 0 0 0 0 0

--------------------------------------------------------------------------------

-------

Traffic shaper class : 4 Class 4 is not configured:

ap7532-DEB9B0#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 154 SHOW COMMANDS 6.1.71 upgrade-status show commands Displays the last image upgrade status NOTE: This command is not available in the USER EXEC Mode. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show upgrade-status {detail|on}

show upgrade-status {detail} {(on <DEVICE-NAME>)}

Parameters show upgrade-status {detail} {(on <DEVICE-NAME>)}

upgrade-status detail on <DEVICE-NAME>

Displays last image upgrade status and log Optional. Displays last image upgrade status in detail The following keyword is recursive and common to the detail parameter:

on <DEVICE-NAME> Optional. Displays last image upgrade status on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Note: If the on keyword is used without the detail keyword, the system displays a summary of upgrade status and log on the specified device. Example nx9500-6C8809#show upgrade-status Last Image Upgrade Status :In_Progress(17 percent completed) Last Image Upgrade Time : 2017-02-11 12:26:29 nx9500-6C8809#

nx9500-6C8809#show upgrade-status detail Last Image Upgrade Status : Successful Last Image Upgrade Time : 2017-06-02 14:22:51

-----------------------------------------------

Running from partition /dev/sda8 var2 is 1 percent full

/tmp is 4 percent full Free Memory 33357504 kB FWU invoked via Linux shell Validating image file header Removing other partition Tue May 30 10:43:36 IST 2017 debug: cmdline -C /boot/lilo.conf -R 5.9.0.0-028B -P fix LILO version 22.6-CCB, Copyright (C) 1992-1998 Werner Almesberger

--More--

nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 155 SHOW COMMANDS 6.1.72 version show commands Displays a devices software and hardware version Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show version {on <DEVICE-NAME>}

Parameters show version {on <DEVICE-NAME>}

version

{on <DEVICE-

NAME>}

Displays software and hardware versions on all devices or a specified device on <DEVICE-NAME> Optional. Displays software and hardware versions on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Example nx9500-6C8809#show version NX9500 version 5.9.0.0-029R Copyright (c) 2004-2017 Extreme Networks, Inc. All rights reserved. Booted from primary nx9500-6C8809 uptime is 3 days, 20 hours 49 minutes CPU is Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, No. of CPUs 24 Base ethernet MAC address is B4-C7-99-6C-88-09 System serial number is B4C7996C8809 Model number is NX-9500-100R0-WR nx9500-6C8809#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 156 SHOW COMMANDS 6.1.73 vrrp show commands Displays the following Virtual Router Redundancy Protocol (VRRP) related statistics: configuration error, router redundancy information in brief and detail. VRRP configuration errors include mismatch of authentication credentials, invalid packet checksums, invalid packet types, invalid virtual route IDs, TTL errors, packet length errors and invalid (non matching) VRRP versions. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show vrrp [brief|details|error-stats|stats]

show vrrp [brief|details|stats] {<1-255>} {(on <DEVICE-NAME>)}

show vrrp error-stats {on <DEVICE-NAME>}

Parameters show vrrp [brief|details|stats] {<1-255>} {(on <DEVICE-NAME>)}

vrrp brief details stats

<1-255>

on <DEVICE-NAME>

Displays VRRP related statistics in brief or in detail depending on the option selected Displays virtual router information in brief Displays virtual router information in detail Displays virtual router statistics The following keyword is common to all of the above parameters:

<1-255> Optional. Displays information for a specified Virtual Router. Specify the router's ID from 1 - 255. The following keyword is recursive and common to the <1-255> parameter:

on <DEVICE-NAME> Optional. Displays specified router information on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. show vrrp error-stats {on <DEVICE-NAME>}

vrrp error-stats

{on <DEVICE-NAME>}

Displays VRRP related statistics in brief or in detail depending on the option selected Displays global error statistics on <DEVICE-NAME> Optional. Displays global error statistics on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-

form. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 157 SHOW COMMANDS Example rfs6000-81742D(config)#show vrrp error-stats Last protocol error reason: none IP TTL errors: 0 Version mismatch: 0 Packet Length error: 0 Checksum error: 0 Invalid virtual router id: 0 Authentication mismatch: 0 Invalid packet type: 0 rfs6000-81742D(config)#

rfs6000-81742D(config)#show vrrp details VRRP Group 1:

version 2 interface none configured priority 1 advertisement interval 1 sec preempt enable, preempt-delay 0 virtual mac address 00-00-5E-00-01-01 sync group disable rfs6000-81742D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 158 SHOW COMMANDS 6.1.74 web-filter show commands Displays Web filtering related information Use this command to view information on Web requests for content and whether the requests were blocked or approved based on URL filter settings defined for the selected controller or service platform. A URL filter is comprised of several filter rules. A whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist. Supported in the following platforms:

Access Points AP6522, AP6532, AP7161, AP7502, AP7522, AP7532, AP7562, AP8132 Wireless Controllers RFS4000, RFS6000 Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show web-filter [category|category-type|config|filter-level [basic|high|low|

medium|medium-high]|statistics {on <DEVICE-NAME>}|status]

Parameters web-filter category category-type config filter-level [basic|

high|low|medium|

medium-high]

show web-filter [category|category-type|config|filter-level [basic|high|low|

medium|medium-high]|statistics {on <DEVICE-NAME>}|status]

Displays an existing and configured Web filter details Displays Web filter categories. A category is a pre-defined URL list available in the WiNG software. Displays the Web filter category types. This is a pre-configured list of categories and sub-categories in to which commonly accessed URLs have been classified. Displays all existing Web filters and their configuration details Displays category types for the selected filter-level. Each filter level is pre-configured to use a set of category types. You cannot change the categories in the category types used for these pre-configured filter-level setting. Nor can you add, modify, or remove the category types mapped to a filter-level setting.The options are:

basic Displays all category types configured for the basic filter-level high Displays all category types configured for the high filter-level low Displays all category types configured for the low filter-level medium Displays all category types configured for the medium filter-level medium-high Displays all category types configured for the medium-high filter-

level statistics

{on <DEVICE-NAME>}

Displays Web filter statistics on a specified device on <DEVICE-NAME> Optional. Specifies the device name

<DEVICE-NAME> Specify the name of the AP, controller, or service platform. Note: Web filtering is a licensed feature, and only when enforced can the system display Web filtering statistics. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 159 SHOW COMMANDS status

{on <DEVICE-NAME>}

Displays Web filter status on a specified device on <DEVICE-NAME> Optional. Specifies the device name

<DEVICE-NAME> Specify the name of the AP, controller, or service platform. Note: Web filtering is a licensed feature, and only when enforced can the system display Web filtering status. Example nx9500-6C8809(config)#show web-filter category advertisement-popups Sites that provide advertising graphics or other ad content files such as banners and pop-ups. alcohol-tobacco Sites that promote or sell alcohol- or tobacco-related products or services. anonymizers Sites and proxies that act as an intermediary for surfing to other websites in an anonymous fashion, whether to circumvent web filtering or for other reasons. arts Sites with artistic content or relating to artistic institutions such as theaters, museums, galleries, dance companies, photography, and digital graphic resources. botnets Sites that use bots (zombies) including command-and-control sites.

--More--

nx9500-6C8809(config)#

nx9500-6C8809(config)#show web-filter config URL filters configured for this device are:

WebFilter_ShoppingSites Blacklisted categories:

shopping, Whitelisted categories:

<AllowedShopping>, nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 160 SHOW COMMANDS 6.1.75 what show commands Displays details of a specified search phrase (performs global search) Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show what [contain|is] <WORD> {on <DEVICE-OR-DOMAIN-NAME>}

Parameters show what [contain|is] <WORD> {on <DEVICE-OR-DOMAIN-NAME>}

contain <WORD>

is <WORD>

on <DEVICE-OR-

DOMAIN-NAME>

Searches on all the items that contain a specified word

<WORD> Specify a word to search (for example, MAC address, hostname, etc.). Searches on an exact match

<WORD> Specify a word to search (for example, MAC address, hostname, etc.). Optional. Performs global search on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. Example rfs4000-229D58#show what contain default

--------------------------------------------------------------------------------

--------------------------------------------------------------------

NO. CATEGORY MATCHED OTHER KEY INFO (1) OTHER KEY INFO (2) OTHER KEY INFO (3) NAME/VALUE NAME/VALUE NAME/

VALUE NAME/VALUE

--------------------------------------------------------------------------------

--------------------------------------------------------------------

https-trustpoint type mac rf_domain_name 1 device-cfg default-trustpoint rfs4000 00-

23-68-22-9D-58 default __obj_name__ name 2 firewall_policy default default __obj_name__ name https idle_session_timeout 3 management_policy default default True 30 qos_policy name control_vlan beacon_format

--More--

rfs4000-229D58#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 161 SHOW COMMANDS 6.1.76 wireless show commands Displays wireless configuration parameters Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show wireless [ap|bridge|client|coverage-hole-incidents|meshpoint|mint|mobility-

database|radio|regulatory|rf-domain|sensor-server|unsanctioned|wips|wlan]

show wireless ap {configured|detail|load-balancing|on <DEVICE-NAME>}

show wireless ap {configured}

show wireless ap {detail} {<MAC/HOST-NAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}

show wireless ap {load-balancing} {client-capability|events|neighbors} {(on

<DEVICE-NAME>)}

show wireless bridge {candidate-ap|certificate|config|hosts|on|statistics}

show wireless bridge {candidate-ap} {<MAC/HOSTNAME> {<1-3>}} {(filter radio-mac

<RADIO-MAC>)} {(on <DEVICE-OR-DOMAIN-NAME>)}

show wireless bridge {certificate} status {on <DEVICE-NAME>}

show wireless bridge {config}

show wireless bridge {hosts} {on <DEVICE-OR-DOMAIN-NAME>}

show wireless bridge {statistics} {rf|traffic} {(on <DEVICE-OR-DOMAIN-NAME>)}

show wireless client {association-history|detail|filter|include-ipv6|on <DEVICE-

OR-DOMAIN-NAME>|statistics|tspec}

show wireless client {association-history <MAC>} {on <DEVICE-OR-DOMAIN-NAME>}

show wireless client {detail <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

show wireless client {filter [ip|on|state|wlan]}

show wireless client {filter} {ip [<IP>|not <IP>]} {on <DEVICE-OR-DOMAIN-NAME>}

show wireless client {filter} {on <DEVICE-OR-DOMAIN-NAME>}

show wireless client {filter} {state [data-ready|not [data-ready|roaming]|

roaming]} {on <DEVICE-OR-DOMAIN-NAME>}

show wireless client {filter} {wlan [<WLAN-NAME>|not <WLAN-NAME>]} {on <DEVICE-OR-

DOMAIN-NAME>}

show wireless client {include-ipv6} {detail|on|filter}

show wireless client {include-ipv6} {detail <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

show wireless client {include-ipv6} {filter {ip|ipv6|state|wlan}}

show wireless client {statistics} {detail|on|rf|window-data}

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 162 SHOW COMMANDS show wireless client {statistics} {detail <MAC>|rf|window-data <MAC>} {(on

<DEVICE-OR-DOMAIN-NAME>)}

show wireless client {tspec <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

show wireless coverage-hole-incidents [detail|on|summary]

show wireless coverage-hole-incidents detail {filter [ap <MAC/HOSTNAME>|client-mac

<MAC>]|summary} {(on <DOMAIN-NAME>)}]

show wireless meshpoint {config|detail|multicast|neighbor|on|path|proxy|root|

security|statistics|tree|usage-mappings}

show wireless meshpoint {config} {filter [device <DEVICE-NAME>|rf-domain <DOMAIN-

NAME>]}

show wireless meshpoint {detail} {<MESHPOINT-NAME>}

show wireless meshpoint {on <DEVICE-OR-DOMAIN-NAME>}

show wireless meshpoint {multicast|path|proxy|root|security|statistics}

[<MESHPOINT-NAME>|detail] {on <DEVICE-OR-DOMAIN-NAME>}

show wireless meshpoint neighbor [<MESHPOINT-NAME>|detail|statistics {rf}] {on

<DEVICE-OR-DOMAIN-NAME>}

show wireless meshpoint {tree} {on <DEVICE-OR-DOMAIN-NAME>}

show wireless meshpoint {usage-mappings}

show wireless mobility-database {on <DEVICE-NAME>}

show wireless mint [client|detail|links|portal]

show wireless [client|detail] {on|portal-candidates {<DEVICE-NAME>|filter <RADIO-

MAC>}|statistics} (<DEVICE-OR-DOMAIN-NAME>) show wireless mint links {on <DEVICE-OR-DOMAIN-NAME>}

show wireless mint portal statistics {on <DEVICE-OR-DOMAIN-NAME>}

show wireless radio {detail|on <DEVICE-OR-DOMAIN-NAME>|statistics|tspec|wlan-map}

show wireless radio {detail} {<DEVICE-NAME>|filter|on <DEVICE-OR-DOMAIN-NAME>}

show wireless radio {detail} {<DEVICE-NAME> {<1-3>|filter|on}}

show wireless radio {detail} {filter <RADIO-MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

show wireless radio {statistics} {detail|on|rf|windows-data}

show wireless radio {statistics} {on <DEVICE-OR-DOMAIN-NAME>|rf {on <DEVICE-OR-

DOMAIN-NAME>}}

show wireless radio {statistics} {detail|window-data} {<DEVICE-NAME>} {<1-

3>|filter <RADIO-MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

show wireless radio {tspec} {<DEVICE-NAME>|filter|on <DEVICE-OR-DOMAIN-

NAME>|option}

show wireless radio {wlan-map} {on <DEVICE-OR-DOMAIN-NAME>}

show wireless regulatory [channel-info <WORD>|country-code <WORD>|device-type]

show wireless regulatory device-type [ap6521|ap6522|ap6532|ap6562|ap7131|ap7161|

ap7181|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap8132|

ap8163|ap82xx|ap8432|ap8533|rfs4000] <WORD>

show wireless rf-domain statistics {detail} {(on <DEVICE-OR-DOMAIN-NAME>)}

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 163 SHOW COMMANDS show wireless sensor-server {on <DEVICE-OR-DOMAIN-NAME>}

show wireless unsanctioned aps {detail|statistics} {(on <DEVICE-OR-DOMAIN-NAME>)}

show wireless wips [client-blacklist|event-history] {on <DEVICE-OR-DOMAIN-NAME>}

show wireless wlan {config|detail <WLAN>|on <DEVICE-OR-DOMAIN-NAME>|policy-

mappings|statistics|usage-mappings}

show wireless wlan {detail <WLAN>|on <DEVICE-OR-DOMAIN-NAME>|policy-

mappings|usage-mappings}

show wireless {config filter {device <DEVICE-NAME>|rf-domain <DOMAIN-NAME>}}

show wireless wlan statistics {<WLAN>|detail|traffic} {on <DEVICE-OR-DOMAIN-NAME>}

Parameters show wireless ap {configured}

wireless ap configured Displays wireless configuration parameters Displays managed access point information Optional. Displays configured AP information, such as name, MAC address, profile, RF Domain, and adoption status show wireless ap {detail} {<MAC/HOST-NAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless ap detail

<MAC/HOST-NAME>

Displays wireless configuration parameters Displays managed access point information Optional. Displays detailed information for all APs or a specified AP

<MAC/HOST-NAME> Optional. Displays information for a specified AP. Specify the APs MAC address. on <DEVICE-OR-

DOMAIN-NAME>

The following keyword is recursive and common to the detail <MAC/HOST-

NAME> parameter:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays information on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. show wireless ap {load-balancing} {client-capability|events|neighbors} {(on

<DEVICE-NAME)}

wireless ap load-balancing

{client-capability|

events|neighbors}

on <DEVICE-NAME>

Displays wireless configuration parameters Displays managed access point information Optional. Displays load balancing status. Use additional filters to view specific details. client-capability Optional. Displays client band capability events Optional. Displays client events neighbors Optional. Displays neighboring clients The following keyword is recursive and common to the client-capability, events, and neighbors parameters:

on <DEVICE-NAME> Optional. Displays load balancing information, based on the parameters passed, on a specified device

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 164 SHOW COMMANDS show wireless bridge {candidate-ap} {<MAC/HOSTNAME> {<1-3>}} {(filter radio-mac

<RADIO-MAC>)} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless bridge candidate-ap

<MAC/HOSTNAME>

<1-3>

filter radio-mac <RADIO-

MAC>

on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration statistics Optional. Displays information about the candidate infrastructure access points as well as the infrastructure access point that the client-bridge radio has selected Note: When enabled, the client-bridge radio scans its defined channels to locate the best candidate access point servicing the infrastructure WLAN. Optional. Specify the client-bridge access points hostname or MAC address. Optionally append the radio interfaces number to form client-bridge in the form of AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX.

<1-3> Optional. Radio interface index if not specified as part of mesh ID. This is a recursive parameter and common to all of the above options. filter radio-mac Optional. Provides additional filters to specifically identify the radio by its MAC address

<RADIO-MAC> Specify the radios MAC address. This is a recursive parameter and common to all of the above options. on <DEVICE-OR-DOMAIN-NAME> Optional. Executes the command on a specified device or devices within a specified RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the AP, controller, service platform, or RF Domain name. show wireless bridge {certificate} status {on <DEVICE-NAME>}

wireless bridge certificate status Optional. Displays all client bridges in configuration and the status of their Displays wireless configuration statistics on <DEVICE-NAME>

PKCS#12 certificates Optional. Executes the command on a specified device

<DEVICE-NAME> Specify the AP, controller, service platform name. show wireless bridge {config}

wireless bridge config Displays wireless configuration statistics Optional. Displays all client bridges in configuration The output displays the configured client-bridges hostname, MAC address, profile, RF Domain, SSID, band, encryption, authentication, and EAP username. show wireless bridge {hosts} {on <DEVICE-OR-DOMAIN-NAME>}

wireless bridge hosts Displays wireless configuration statistics Optional. Displays the client bridge host information The output displays the configured client-bridges hosts MAC Address, bridge MAC address, IPv4 address, bridging status, and activity Note: The HOST MAC column displays real MAC addresses of wired hosts, while the BRIDGE MAC column displays the translated MAC addresses. The BRIDGE MAC column is based on the radio 2 base MAC address and increments by 1 for each wired host connected to the client bridges Ge1 port. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 165 SHOW COMMANDS on <DEVICE-OR-

DOMAIN-NAME>

Optional. Executes the command on a specified device or devices within a specified RF Domain

<DEVICE-OR-DOMAIN-NAME> Optional. Specify the AP, controller, service platform, or Domain name. show wireless bridge {statistics} {rf|traffic} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless bridge statistics rf traffic on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration statistics Optional. Displays the client-bridge related statistics Optional. Displays the client-bridge related RF statistics The output displays the signal, noise, SNR, TX/RX rates, retries, and errors. Optional. Displays the client-bridge related traffic statistics The output displays TX/RX bytes, TX/RX packets, TX/RX bits/second, and dropped packets. Optional. Executes the command on a specified device or devices within a specified RF Domain on <DEVICE-OR-DOMAIN-NAME> Optional. Specify the AP, controller, service platform, or Domain name. show wireless client {association-history <MAC>} {on <DEVICE-OR-DOMAIN-NAME>}

wireless client association-history

<MAC>

on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration parameters Displays client information based on the parameters passed Optional. Displays association history for a specified client

<MAC> Specify the MAC address of the client. Optional. Displays association history on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. show wireless client {detail <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless client detail <MAC>

Displays wireless configuration parameters Displays client information based on the parameters passed Optional. Displays detailed wireless client(s) information

<MAC> Optional. Displays detailed information for a specified wireless client. Specify the MAC address of the client. on <DEVICE-OR-

DOMAIN-NAME>

The following keyword is recursive and common to the detail <MAC> parameter:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays detailed information on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. show wireless client {filter ip [<IP>|not <IP>]} {on <DEVICE-OR-DOMAIN-NAME>}

wireless client Displays wireless configuration parameters Displays client information based on the parameters passed Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 166 SHOW COMMANDS filter IP

[<IP>|not <IP>]

on <DEVICE-OR-

DOMAIN-NAME>

Optional. Uses IP addresses to filter wireless clients

<IP> Selects clients with IP address matching the <IP> parameter not <IP> Inverts the match selection The following keyword is common to the IP and not IP parameters:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays selected wireless client information on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. show wireless client {filter} {state [data-ready|not [data-ready|roaming]|

roaming]} {on <DEVICE-OR-DOMAIN-NAME>}

wireless client filter state

[data-ready|

not [data-ready|

roaming]|

roaming]

on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration parameters Displays client information based on the parameters passed Optional. Filters clients based on their state data-ready Selects wireless clients in the data-ready state not [data-ready|roaming] Inverts match selection. Selects wireless clients neither ready nor roaming Roaming Selects roaming clients The following keyword is common to the ready, not, and roaming parameters:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays selected client details on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. show wireless client {filter} {wlan [<WLAN-NAME>|not <WLAN-NAME>]} {on <DEVICE-

OR-DOMAIN-NAME>}

wireless client filter wlan

[<WLAN-NAME>|

not <WLAN-NAME>]

on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration parameters Displays client information based on the parameters passed Optional. Filters clients on a specified WLAN

<WLAN-NAME> Specify the WLAN name. not <WLAN-NAME> Inverts the match selection The following keyword is common to the WLAN and not parameters:

on <DEVICE-OR-DOMAIN-NAME> Optional. Filters clients on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. show wireless client {statistics} {detail <MAC>|rf|window-data <MAC>} {(on

<DEVICE-OR-DOMAIN-NAME>)}

wireless client Displays wireless configuration parameters Displays client information based on the parameters passed Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 167 SHOW COMMANDS statistics

{detail <MAC>|rf|

window-data <MAC>}

on <DEVICE-OR-

DOMAIN-NAME>

Optional. Displays detailed client statistics. Use additional filters to view specific details. detail <MAC> Optional. Displays detailed client statistics

<MAC> Optional. Displays detailed statistics for a specified client. Specify the clients MAC address. rf Optional. Displays detailed client statistics on a specified device or RF Domain window-data <MAC> Optional. Displays historical data, for a specified client

<MAC> Optional. Specify the clients MAC address The following keyword is recursive and common to the detail <MAC>, RF, and window-data <MAC> parameters:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays client statistics, based on the parameters passed, on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. show wireless client {tspec} {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless client tspec <MAC>

on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration parameters Displays client information based on the parameters passed Optional. Displays detailed traffic specification (TSPEC) information for all clients or a specified client

<MAC> Optional. Displays detailed TSPEC information for a specified client. Specify the MAC address of the client. The following keyword is recursive and common to the tspec <MAC> parameter:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays detailed TSPEC information for wireless clients on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. show wireless client {include-ipv6} {detail <MAC>} {(on <DEVICE-OR-DOMAIN-

NAME>)}

wireless client include-ipv6 detail <MAC>

on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration parameters Displays client information based on the parameters passed Includes IPv6 address (if known) of wireless clients Optional. Displays detailed wireless client(s) information

<MAC> Optional. Displays detailed information for a specified wireless client. Specify the MAC address of the client. The following keyword is recursive and common to the detail <MAC> parameter:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays detailed information on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. show wireless client {include-ipv6} {filter {ip|ipv6|state|wlan}}

wireless client Displays wireless configuration parameters Displays wireless client information based on the parameters passed Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 168 SHOW COMMANDS include-ipv6 {filter}

Optional. Includes IPv6 address (if known) of wireless clients filter Optional. Defines additional filters. Use one of the following options to filter clients: ip, ipv6, state, and wlan ip [<IPv4>|not <IPv4>]

ipv6 [<IPv6>|

not <Pv6>]

filter state [data-ready|

not [data-ready|

roaming]|roaming]

wlan [<WLAN-NAME>|

not <WLAN-NAME>]

By default the system only displays the IPv4 address of clients. The include-ipv6 parameter includes the known IPv6 address of each client. Optional. Displays wireless client information based on the IPv4 address passed

<IPv4> Displays information of the client identified by the <IPv4> parameter not <IPv4> Inverts the match selection Optional. Displays wireless client information based on the IPv6 address passed

<IPv6> Displays information of the client identified by the <IPv6> parameter not <IPv6> Inverts the match selection Optional. Filters wireless client information based on their state data-ready Displays information of wireless clients in the data-ready state not [data-ready|roaming] Inverts match selection. Displays information of wireless clients neither ready nor roaming Roaming Displays information of roaming clients Optional. Displays wireless client information based on the WLAN name passed

<WLAN-NAME> Specify the WLAN name. not <WLAN-NAME> Inverts match selection show wireless coverage-hole-incidents {detail} {filter [ap <MAC/HOSTNAME>|

client-mac <MAC>]|summary} {(on <DOMAIN-NAME>)}

wireless coverage-hole-incidents detail filters

[ap <MAC/HOSTNAME>|

client-mac <MAC>]

summary on <DOMAIN-NAME>

Displays wireless configuration parameters. Use this option to view coverage-hole related incidents encountered by wireless clients and reported to associated access points. Displays coverage-hole related statistics Optional. Displays detailed coverage-hole related statistics filters Optional. Displays detailed coverage-hole related statistics on a per access point or wireless-client basis ap <MAC/HOSTNAME> Displays detailed coverage-hole related statistics for a specified access point

<MAC/HOSTNAME> Specify the access points device name or MAC ad-

dress. client-mac <MAC> Displays detailed coverage-hole related statistics encoun-

tered by a specified wireless client

<MAC> Specify the wireless clients MAC address Note: If the command is executed without any parameters being included, the system displays all coverage-hole related statistics. Optional. Displays a summary of coverage-hole related statistics This parameter is recursive and is common to the detail and summary keywords:

on <DOMAIN-NAME> Optional. Displays detailed or summary coverage-hole related statistics on a specified RF Domain

<DOMAIN-NAME> Specify the domain name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 169 SHOW COMMANDS show wireless meshpoint {config} {filter [device <DEVICE-NAME>|rf-domain

<DOMAIN-NAME>]}

wireless meshpoint config filters

[device <DEVICE-

NAME>|rf-domain

<DOMAIN-NAME>]

Displays wireless configuration parameters. Use this option to view detailed statistics on each Mesh-capable client available within controllers adopted access points radio coverage area. A mesh network is where one where each node is able to communicate with other nodes and maintain more then one path to the other mesh nodes within the mesh network. A mesh network provides robust, reliable and redundant connectivity to all the members of the mesh network. When one member of the mesh network becomes unavailable, the other mesh nodes are still able to communicate with one another either directly or indirectly through intermediate nodes. Displays meshpoint related information Optional. Displays all meshpoint configuration Optional. Provides additional filter options, such as device name and RF Domain name. device <DEVICE-NAME> Displays meshpoints applied to a specified device

<DEVICE-NAME> Specify the device name. rf-domain <DOMAIN-NAME> Displays meshpoints applied to a specified RF Domain

<DOMAIN-NAME> Specify the domain name. show wireless meshpoint {detail} {<MESHPOINT-NAME>}

wireless meshpoint detail

<MESHPOINT-NAME>

Displays wireless configuration parameters Displays meshpoint related information. Use this option to view detailed statistics on each Mesh-capable client available within controllers adopted access points radio coverage area. A mesh network is where one where each node is able to communicate with other nodes and maintain more then one path to the other mesh nodes within the mesh network. A mesh network provides robust, reliable and redundant connectivity to all the members of the mesh network. When one member of the mesh network becomes unavailable, the other mesh nodes are still able to communicate with one another either directly or indirectly through intermediate nodes. Optional. Displays detailed information for all meshpoints or a specified meshpoint

<MESHPOINT-NAME> Optional. Displays detailed information for a specified meshpoint. Specify the meshpoint name. show wireless meshpoint {multicast|path|proxy|root|security|statistics}

[<MESHPOINT-NAME>|detail] {on <DEVICE-OR-DOMAIN-NAME>}

wireless Displays wireless configuration parameters Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 170 SHOW COMMANDS meshpoint multicast path proxy root security statistics

[<MESHPOINT-NAME>|

detail]

on <DEVICE-OR-

DOMAIN-NAME>

Displays meshpoint related information. Use this option to view detailed statistics on each Mesh-capable client available within controllers adopted access points radio coverage area. A mesh network is where one where each node is able to communicate with other nodes and maintain more then one path to the other mesh nodes within the mesh network. A mesh network provides robust, reliable and redundant connectivity to all the members of the mesh network. When one member of the mesh network becomes unavailable, the other mesh nodes are still able to communicate with one another either directly or indirectly through intermediate nodes. Optional. Displays meshpoint multicast information Optional. Displays meshpoint path information Optional. Displays meshpoint proxy information Optional. Displays meshpoint root information Optional. Displays meshpoint security information Optional. Displays meshpoint statistics The following keywords are common to all of the above parameters:

<MESHPOINT-NAME> Displays meshpoint related information for a specified meshpoint. Specify the meshpoint name. detail Displays detailed multicast information for all meshpoints The following keyword is common to all of the above parameters:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays detailed multicast information on a specified device or RF Domain.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. show wireless meshpoint {neighbor} [<MESHPOINT-NAME>|detail|statistics {rf}]

{on <DEVICE-OR-DOMAIN-NAME>}

wireless meshpoint neighbor

[<MESHPOINT-

NAME>|detail|

statistics {rf}]

Displays wireless configuration parameters Displays meshpoint related information. Use this option to view detailed statistics on each Mesh-capable client available within controllers adopted access points radio coverage area. A mesh network is where one where each node is able to communicate with other nodes and maintain more then one path to the other mesh nodes within the mesh network. A mesh network provides robust, reliable and redundant connectivity to all the members of the mesh network. When one member of the mesh network becomes unavailable, the other mesh nodes are still able to communicate with one another either directly or indirectly through intermediate nodes. Optional. Displays meshpoint neighbor information, based on the parameters passed Select one of the following parameter to view neighbor related information

<MESHPOINT-NAME> Displays detailed multicast information for a specified meshpoint. Specify the meshpoint name. detail Displays detailed multicast information for all meshpoints statistics Displays neighbors related statistics rf Optional. Displays RF related statistics for neighbors Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 171 SHOW COMMANDS on <DEVICE-OR-

DOMAIN-NAME>

The following keyword is common to all of the above parameters:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays meshpoint neighbor information, based on the parameters passed, on a specified device or RF Domain.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. show wireless meshpoint {tree} {on <DEVICE-OR-DOMAIN-NAME>}

wireless meshpoint tree on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration parameters Displays meshpoint related information Note: The show > wireless > meshpoint > tree command can be executed only from a wireless controller. Optional. Displays meshpoint network tree Optional. Displays meshpoint network tree on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Optional. Specify the name of AP, wireless controller, service platform, or RF Domain show wireless meshpoint {usage-mappings|on <DEVICE-OR-DOMAIN-NAME>}

wireless meshpoint usage-mappings on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration parameters Displays meshpoint related information Optional. Lists all devices and profiles using the meshpoint Optional. Displays meshpoint applied to a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Optional. Specify the name of AP, wireless controller,service platform, or RF Domain show wireless mobility-database {on <DEVICE-NAME>}

wireless mobility-database on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration parameters Displays controller-assisted mobility database The following keyword is recursive and common to the filter <RADIO-MAC>

parameter:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays detailed radio operation status for all or a specified radio on a specified device or RF Domain.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. show wireless mint [client|detail] {portal-candidates {<DEVICE-NAME>|filter

<RADIO-MAC>}|statistics} (on <DEVICE-OR-DOMAIN-NAME>) wireless mint

[client|detail]

portal-candidates Displays radio MiNT-mesh related statistics client Displays MiNT-mesh client related information. Use the client option to view detailed statistics on each Mesh capable client available within the selected access points radio coverage area. detail Displays detailed MiNT-mesh related information Displays detailed information about portal candidates for a MiNT-mesh. Mesh points connected to an external network and forwarding traffic in and out are Mesh portals. Mesh points must find paths to a portal to access the Internet. When multiple portals exist, the mesh point must select one. Use the additional filter option to view specific portal candidate details. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 172 SHOW COMMANDS statistics on <DEVICE-OR-

DOMAIN-NAME>

This option is common to the client and detail keyword. Displays MiNT-mesh client statistical data This option is common to the client and detail keyword. Displays MiNT-mesh client related information on a specific device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the access point, controller, or RF Domain name. how wireless mint portal statistics {on <DEVICE-OR-DOMAIN-NAME>}

wireless mint links on <DEVICE-OR-

DOMAIN-NAME>

Displays radio MiNT-mesh related statistics Displays MiNT-mesh links related information. MiNT Links are automatically created between controllers and access points during adoption using MLCP

(MiNT Link Creation Protocol). They can also be manually created between a controller and access point (or) between access points. MiNT links are manually created between controllers while configuring a cluster. Level 2 (or) remote MiNT links are controller aware links, and requires IP network for communication. This level 2 MiNT links at access points are intended for remote adaptive AP deployment and management from NOC. With Level2 MiNT links, access points are only aware of the controllers and not about other access points. Level 2 MiNT links also provide partitioning, between access points deployed at various remote sites. Displays MiNT-mesh links on a specific device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the access point, controller, or RF Domain name. show wireless mint portal statistics {on <DEVICE-OR-DOMAIN-NAME>}

wireless mint portal on <DEVICE-OR-

DOMAIN-NAME>

Displays radio MiNT-mesh related statistics Displays legacy client on MiNT-mesh portal Displays legacy client on MiNT-mesh portal on a specific device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the access point, controller, or RF Domain name. show wireless radio {detail} {<DEVICE-NAME> {<1-3>|filter|on}}

wireless radio detail

<DEVICE-NAME>

Displays wireless configuration parameters Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and Signal to Noise Ratio (SNR). This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically. A radios RF Mode displays as:

2.4GHz-wlan If it is configured to provide 2.4 GHz WLAN service 5GHz-wlan If it is configured to provide 5.0 GHz WLAN service bridge If it is configured to provide client-bridge operation Optional. Displays detailed radio operation status Optional. Displays detailed information for a specified radio. Specify the MAC address or hostname, or append the interface number to form the radio ID in the AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX format. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 173 SHOW COMMANDS

<1-3>

filter <RADIO-MAC>

on <DEVICE-OR-

DOMAIN-NAME>

Optional. Specify the radio interface index from 1 - 3 (if not specified as part of the radio ID) Optional. Provides additional filters

<RADIO-MAC> Optional. Filters based on the radio MAC address Optional. After specifying the radio MAC address, further refine the search by specifying a device or RF Domain.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. show wireless radio {detail} {filter <RADIO-MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless radio detail filter

<RADIO-MAC>

on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration parameters Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and Signal to Noise Ratio (SNR). This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically. A radios RF Mode displays as:

2.4GHz-wlan If it is configured to provide 2.4 GHz WLAN service 5GHz-wlan If it is configured to provide 5.0 GHz WLAN service bridge If it is configured to provide client-bridge operation Optional. Displays detailed radio operation status Optional. Provides additional filter options

<RADIO-MAC> Uses MAC address to filter radios The following keyword is recursive and common to the filter <RADIO-MAC>

parameter:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays detailed radio operation status for all or a specified radio on a specified device or RF Domain.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. show wireless radio {statistics} {on <DEVICE-OR-DOMAIN-NAME>|rf {on <DEVICE-OR-

DOMAIN-NAME>}}

wireless radio statistics Displays wireless configuration parameters Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and SNR. This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically. A radios RF Mode displays as:

2.4GHz-wlan If it is configured to provide 2.4 GHz WLAN service 5GHz-wlan If it is configured to provide 5.0 GHz WLAN service bridge If it is configured to provide client-bridge operation Optional. Displays radio traffic and RF statistics Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 174 SHOW COMMANDS on <DEVICE-OR-

DOMAIN-NAME>

Optional. Displays traffic and RF related statistics on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. rf {on <DEVICE-OR-

DOMAIN-NAME>}

Optional. Displays RF statistics on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. show wireless radio {statistics} {detail|window-data} {<DEVICE-NAME>} {<1-3>|

filter <RADIO-MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless radio statistics

{detail|window-data}

<DEVICE-NAME>

<1-3>

filter <RADIO-MAC>

on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration parameters Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and SNR. This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically. A radios RF Mode displays as:

2.4GHz-wlan If it is configured to provide 2.4 GHz WLAN service 5GHz-wlan If it is configured to provide 5.0 GHz WLAN service bridge If it is configured to provide client-bridge operation Optional. Displays radio traffic and RF statistics. Use additional filters to view specific details. The options are: are:

detail Displays detailed traffic and RF statistics of all radios window-data Displays historical data over a time window The following keywords are common to the detail and window-data parameters:

<DEVICE-NAME> Optional. Specify the MAC address or hostname, or append the interface number to form the radio ID in the AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX format. Optional. Specify the radio interface index from 1- 3, if not specified as part of the radio ID using the preceding parameter. Optional. Provides additional filters

<RADIO-MAC> Optional. Filters based on the radio MAC address Optional. After specifying the radio MAC address, further refine the search by specifying a device or RF Domain.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. show wireless radio {tspec} {<DEVICE-NAME>|filter|on <DEVICE-OR-DOMAIN-NAME>|

option}

wireless Displays wireless configuration parameters Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 175 SHOW COMMANDS radio tspec

<DEVICE-NAME>

filter on <DEVICE-OR-

DOMAIN-NAME>

Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and Signal to Noise Ratio (SNR). This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically. A radios RF Mode displays as:

2.4GHz-wlan If it is configured to provide 2.4 GHz WLAN service 5GHz-wlan If it is configured to provide 5.0 GHz WLAN service bridge If it is configured to provide client-bridge operation Optional.Displays TSPEC information on a radio Optional. Specify the MAC address or hostname, or append the interface number to form the radio ID in the AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX format. Optional. Provides additional filters

<RADIO-MAC> Optional. Filters based on the radio MAC address Optional. After specifying the radio MAC address, further refine the search by specifying a device or RF Domain.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. show wireless regulatory [channel-info <WORD>|county-code <WORD>]

wireless regulatory channel-info <WORD>

country-code <WORD>

Displays wireless configuration parameters Displays wireless regulatory information Displays channel information

<WORD> Specify the channel number. Displays country code to country name information

<WORD> Specify the two letter ISO-3166 country code. wireless regulatory device-type <DEVICE-

TYPE> <WORD>

show wireless regulatory device-type [ap6521|ap6522|ap6532|ap6562|ap7131|

ap7161|ap7181|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|

ap8132|ap8163|ap82xx|ap8432|ap8533|rfs4000] <WORD>

Displays wireless configuration parameters Displays wireless regulatory information Displays wireless regulatory information based on the device type selected. Select the device type. The options are:

AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8132, AP8163, AP8232, AP8432, AP8533 and RFS4000. After specifying the device type, specify the country code.

<WORD> Specify the two letter ISO-3166 country code. show wireless rf-domain statistics {detail} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless rf-domain statistics details Displays wireless configuration parameters Displays RF Domain statistics Optional. Displays detailed RF Domain statistics Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 176 SHOW COMMANDS on <DEVICE-OR-

DOMAIN-NAME>

The following keyword is recursive and common to the detail parameter:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays RF Domain statistics on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. show wireless sensor-server {on <DEVICE-OR-DOMAIN-NAME>}

wireless sensor- server

{on <DEVICE-OR-

DOMAIN-NAME>}

Displays wireless configuration parameters Displays AirDefense sensor server configuration details on <DEVICE-OR-DOMAIN-NAME> Optional. Displays AirDefense sensor server configuration on a specified device or RF Domain show wireless unsanctioned aps {detailed|statistics} {(on <DEVICE-OR-DOMAIN-

NAME>)}

wireless unsanctioned aps detailed statistics on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration parameters Displays unauthorized APs. Use additional filters to view specific details. Optional. Displays detailed unauthorized APs information Optional. Displays channel statistics The following keyword is common to the detailed and statistics parameters:

on <DEVICE-OR-DOMAIN-NAME> Optional. Specify the name of the AP, wireless controller, service platform, or RF Domain.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. show wireless wips [client-blacklist|event-history] {on <DEVICE-OR-DOMAIN-NAME>}

wireless wips [client-

blacklist|event-history]

on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration parameters Displays the WIPS details client-blacklist Displays blacklisted clients event-history Displays event history The following keyword is common to the client-blacklist and event-history parameters:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays the WIPS details on a specified device or RF Domain.

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. show wlan {detail <WLAN>|on <DEVICE-OR-DOMAIN-NAME>|policy-mappings|usage-

mappings}

wireless wlan detail <WLAN>

on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless configuration parameters Displays WLAN related information based on the parameters passed Optional. Displays WLAN configuration

<WLAN> Specify the WLAN name. Optional. Displays WLAN configuration on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 177 SHOW COMMANDS policy-mappings usage-mappings Optional. Displays WLAN policy mappings Optional. Lists all devices and profiles using the WLAN show wlan {config filter {device <DEVICE-NAME>|rf-domain <DOMAIN-NAME>}

wireless wlan config filter device <DEVICE-NAME> Optional. Filters WLAN information based on the device name Displays wireless configuration parameters Displays WLAN related information based on the parameters passed Optional. Filters WLAN information based on the device name or RF Domain rf-domain

<DOMAIN-NAME>

<DEVICE-NAME> Specify the device name. Optional. Filters WLAN information based on the RF Domain

<DOMAIN-NAME> Specify the RF Domain name. show wlan {statistics {<WLAN>|detail} {(on <DEVICE-OR-DOMAIN-NAME>)}

wireless wlan statistics

{<WLAN>|detail}

on <DEVICE-OR-

DOMAIN-NAME>

Usage Guidelines Displays wireless configuration parameters Displays WLAN related information based on the parameters passed Optional. Displays WLAN statistics. Use additional filters to view specific details

<WLAN> Optional. Displays WLAN statistics. Specify the WLAN name. detail Optional. Displays detailed WLAN statistics The following keyword is common to the WLAN and detail parameters:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays WLAN statistics on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless control-

ler, service platform, or RF Domain. The customize command enables you to customize the show > wireless command output. rfs6000-81742D(config)#customize ?

cdp-lldp-info-column-width Customize cdp-lldp-info column width hostname-column-width Customize hostname column width show-adoption-offline Customize the output of (show adoption offline) command show-adoption-status Customize the output of (show adoption status) command show-wireless-bridge Customize the output of (show wireless bridge) command show-wireless-bridge-hosts Customize the output of (show wireless bridge hosts) command show-wireless-bridge-stats Customize the output of (show wireless bridge stats) command show-wireless-bridge-stats-rf Customize the output of (show wireless bridge stats rf) command show-wireless-bridge-stats-traffic Customize the output of (show wireless bridge stats) command show-wireless-client Customize the output of (show wireless client) command show-wireless-client-stats Customize the output of (show wireless client stats) command show-wireless-client-stats-rf Customize the output of (show Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 178 SHOW COMMANDS wireless client stats rf) show-wireless-legacy-mesh-client-stats Customize the output of (show wireless mint client stats) command show-wireless-meshpoint Customize the output of (show wireless meshpoint) command show-wireless-meshpoint-accelerated-multicast Customize the output of (show wireless meshpoint accelerated-multicast) command show-wireless-meshpoint-neighbor-stats Customize the output of (show wireless meshpoint neighbor stats) command show-wireless-meshpoint-neighbor-stats-rf Customize the output of (show wireless meshpoint neighbor stats rf) command show-wireless-mint-client Customize the output of (show wireless mint client) show-wireless-mint-client-stats Customize the output of (show wireless mint client stats) command show-wireless-mint-client-stats-rf Customize the output of (show wireless mint client stats rf) command show-wireless-mint-portal Customize the output of (show wireless mint portal) show-wireless-mint-portal-stats Customize the output of (show wireless mint portal stats) command show-wireless-mint-portal-stats-rf Customize the output of (show wireless mint portal stats rf) command show-wireless-radio Customize the output of (show wireless radio) command show-wireless-radio-stats Customize the output of (show wireless radio stats) command show-wireless-radio-stats-rf Customize the output of (show wireless radio stats rf) command rfs6000-81742D(config)#

The default setting for the show > wireless > client command is as follows:

rfs6000-81742D(config)#show wireless client

--------------------------------------------------------------------------------

-------

MAC IPv4 VENDOR RADIO-ID WLAN VLAN STATE

--------------------------------------------------------------------------------

-------

--------------------------------------------------------------------------------

-------

Total number of wireless clients displayed: 0 rfs6000-81742D(config)#

The above output can be customized, using the customize > show-wireless-client command, as follows:

rfs6000-81742D(config)#customize show-wireless-client mac ip vendor vlan radio-id state wlan location radio-alias radio-type rfs6000-81742D(config)#commit rfs6000-81742D(config)#show wireless client

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

--

MAC IP VENDOR VLAN RADIO-ID STATE WLAN AP-LOCATION RADIO RADIO-TYPE

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

--

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 179 Example SHOW COMMANDS

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------

--

Total number of wireless clients displayed: 0 rfs6000-81742D(config)#

nx9500-6C8809(config)#show wireless wlan config

--------------------------------------------------------------------------------

NAME ENABLE SSID ENCRYPTION AUTHENTICATION VLAN BRIDGING MODE

--------------------------------------------------------------------------------

test Y test wep64 none 1 local

--------------------------------------------------------------------------------

nx9500-6C8809(config)#

nx9500-6C8809(config)#show wireless wips client-blacklist No wireless clients blacklisted nx9500-6C8809(config)#

rfs6000-81742D#show wireless regulatory channel-info 36 Center frequency for channel 36 is 5180MHz rfs6000-81742D#

nx9500-6C8809(config)#show wireless regulatory country-code

--------------------------------------------------------------------------------

ISO CODE NAME

--------------------------------------------------------------------------------

gt Guatemala co Colombia cn China cm Cameroon cl Chile

--More--

nx9500-6C8809(config)#

nx9500-6C8809(config)#show wireless regulatory device-type ap7502 us

--------------------------------------------------------------------------------

--------------------

# Channel Set Power(mW) Power (dBm) Placement DFS CAC(mins) TPC

--------------------------------------------------------------------------------

--------------------

1 1-11 4000 36 Indoor/Outdoor NA NA NA 2 36-48 4000 36 Indoor/Outdoor Not Required 0 Not Required 3 52-64 500 27 Indoor/Outdoor Required 1 Not Required 4 52-64 1000 30 Indoor/Outdoor Required 1 Required 5 100-140 500 27 Indoor/Outdoor Required 1 Not Required 6 100-140 1000 30 Indoor/Outdoor Required 1 Required 7 149-165 4000 36 Indoor/Outdoor Not Required 0 Not Required

--------------------------------------------------------------------------------

--------------------

nx9500-6C8809(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 180 SHOW COMMANDS rfs6000-81742D#show wire ap detail AP: 84-24-8D-84-A2-24 AP Name : ap7562-84A224 Location : Bangalore RF-Domain : TechPubs Type : ap7562 Model : AP-7562-67040-US IP : 192.168.13.29 IPv6 : ::

Num of radios : 2 Num of clients : 0 Last Smart-RF time : not done Stats update mode : auto Stats interval : 30 Radio Modes :

radio-1 : wlan radio-2 : wlan Country-code : not-set Site-Survivable : True Last error : in [India] not supported on hardware model AP-7562-67040-US Fault Detected : False Power management information for ap7562:

--More--

rfs6000-81742D#

nx9500-6C8809#show wireless ap load-balancing on rfs6000-81742D Column Name Reference:

Ap-Ld : Load of the AP as reported by it. Avg-Ld : Average AP load in the AP's neighborhood. 2.4g-Ld : 2.4GHz band load in the AP's neighborhood. 5g-Ld : 5GHz band load in the AP's neighborhood. Ap-2.4g-Ch-Ld : Load in the AP's 2.4GHz channel in its neighborhood. Avg-2.4g-Ch-Ld : Average load of a 2.4GHz channel in AP's neighborhood. Ap-5g-Ch-Ld : Load in the AP's 5GHz channel in its neighborhood. Avg-5g-Ch-Ld : Average load of a 5GHz channel in AP's neighborhood. Allow-2.4g-Req : AP responds to client requests on 2.4ghz radio Allow-5g-Req : AP responds to client requests on 5ghz radio

--------------------------------------------------------------------------------

------------------------------------------------

No. Ap-Name Ap- Avg- 2.4g- 5g- Band Cfgd- Ap-

Ap- Avg- Avg- Allow Allow Load Load Load Load Ratio Band 2.4g-

5g- 2.4g- 5g- 2.4g- 5g-

Ratio Ch-

Ld Ch-Ld Ch-Ld Ch-Ld Req Req

--------------------------------------------------------------------------------

------------------------------------------------

1 rfs6000-81742D 0% 0% 0% 0% 0:0 0:1 182%

240% 0% 70% yes yes

--------------------------------------------------------------------------------

------------------------------------------------

nx9500-6C8809#

nx9600-7F5124#show wireless meshpoint tree on PTP-AP In progress ....... 1:PTP-Radio2 [7 MPs(2 roots, 5 bound)]

|-ap7562-84A484-ROOT1

| |-ap7562-84A2CC-VMM

| |-ap7532-80C28C-NR

| |-ap7532-82CCA4-NR

| |-ap7562-84A22C-NR2

| |-ap7532-160114

|-ap7562-84A280-ROOT2 Total number of meshes displayed: 1 nx9600-7F5124#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 181 SHOW COMMANDS ap6532-000001#show wireless meshpoint multicast detail Multicast Paths @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]

--------------------------------------------------------------------------------

Group-Addr Subscriber Name Subscriber MPID Timeout (mSecs)

--------------------------------------------------------------------------------

01-00-5E-01-01-01 ap6532-000001 00-23-68-2E-64-B2 N/A

--------------------------------------------------------------------------------

Total number of meshpoint displayed: 1 ap6532-000001#

ap6532-000001#show wireless meshpoint neighbor detail Neighbors @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]

--------------------------------------------------------------------------------

---------------------------------------------------------------------------

Neighbor Name Neighbor MPID.IFID Root Name Root MPID RMet Hops Type Interface Auth-State Resourced Rank LQ% LMet Age

--------------------------------------------------------------------------------

---------------------------------------------------------------------------

5C-0E-8B-21-76-22.5C-0E-8B-21-74-40 00-23-68-2E-97-60 115 1 Fixed 00-23-68-00-00-01:R2 Enabled Yes 0 97 87 20 00-23-68-30-F7-82.00-23-68-30-F8-F0 00-23-68-2E-97-60 99 1 Fixed 00-23-68-00-00-01:R2 Init Yes 0 97 86 30 00-23-68-30-F7-82.00-23-68-30-F7-82 00-23-68-2E-97-60 99 1 Fixed 00-23-68-00-00-01:R1 Enabled Yes 0 96 94 0 5C-0E-8B-21-76-22.5C-0E-8B-21-76-22 00-23-68-2E-97-60 115 1 Fixed 00-23-68-00-00-01:R1 Enabled Yes 0 96 93 30 00-23-68-2E-AB-50.00-23-68-2E-AB-50 00-23-68-2E-AB-50 0 0 Root 00-23-68-00-00-01:R2 Enabled Yes 7 96 87 40 00-23-68-2E-97-60.00-23-68-2E-97-60 00-23-68-2E-97-60 0 0 Root 00-23-68-00-00-01:R2 Enabled Yes 8 94 90 10

--------------------------------------------------------------------------------

---------------------------------------------------------------------------

Total number of meshpoint displayed: 1 ap6532-000001#

ap6532-000001#show wireless meshpoint proxy detail Proxies @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]

--------------------------------------------------------------------------------

Destination Addr Owner Name Owner MPID Persist VLAN Age

--------------------------------------------------------------------------------

00-23-68-00-00-01 ap6532-000001 00-23-68-2E-64-B2 Permanent 101 180654310 00-1E-E5-A6-66-E2 ap6532-000001 00-23-68-2E-64-B2 Untimed 103 231920

--------------------------------------------------------------------------------

Total number of meshpoint displayed: 1 ap6532-000001#

ap6532-000001#show wireless meshpoint multicast mesh1 Multicast Paths @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]

--------------------------------------------------------------------------------

Group-Addr Subscriber Name Subscriber MPID Timeout (mSecs)

--------------------------------------------------------------------------------

01-00-5E-01-01-01 ap6532-000001 00-23-68-2E-64-B2 -1

--------------------------------------------------------------------------------

Total number of meshpoint displayed: 1 ap6532-000001#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 182 SHOW COMMANDS ap6532-000001#show wireless meshpoint path detail Paths @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]

--------------------------------------------------------------------------------

-----------------------------------------------------------------

Destination Name Destination Addr Next Hop Name Next Hop IFID State Hops Type Binding Metric Timeout Path-Timeout Sequence MiNT ID

--------------------------------------------------------------------------------

-----------------------------------------------------------------

00-23-68-2E-AB-50 00-23-68-2E-AB-50 Valid 1 Root Bound 89 8730 0 23847 68.31.19.58 00-23-68-2E-97-60 00-23-68-2E-97-60 Valid 1 Root Unbound 92 5200 0 3481 68.31.1A.80

--------------------------------------------------------------------------------

-----------------------------------------------------------------

ap6532-000001#

rfs4000-22A24E#show wireless client

--------------------------------------------------------------------------------

---------------------------------

Report start on RF-Domain: qs1 MAC IP VENDOR RADIO-ID WLAN VLAN STATE

--------------------------------------------------------------------------------

---------------------------------

Report end on RF-Domain: qs1

--------------------------------------------------------------------------------

---------------------------------

--------------------------------------------------------------------------------

---------------------------------

Report start on RF-Domain: Store-1 MAC IP VENDOR RADIO-ID WLAN VLAN STATE

--------------------------------------------------------------------------------

---------------------------------

00-01-02-03-04-10 2.3.4.16 3Com Corp 00-01-02-03-04-00:R1 sim-wlan-

1 1 Data-Ready 00-01-02-03-05-10 2.3.5.16 3Com Corp 00-01-02-03-04-00:R2 sim-wlan-

1 1 Data-Ready Report end on RF-Domain: Store-1

--------------------------------------------------------------------------------

---------------------------------

--------------------------------------------------------------------------------

---------------------------------

Report start on RF-Domain: default database not available Report end on RF-Domain: default

--------------------------------------------------------------------------------

---------------------------------

Total number of clients displayed: 2 rfs4000-22A24E#

The following examples show client-bridge related information:

NX9500(config)#show adoption status

--------------------------------------------------------------------------------

-------

DEVICE-NAME VERSION CFG-STAT MSGS ADOPTED-BY LAST-ADOPTION UPTIME

--------------------------------------------------------------------------------

-------

ap6562-167598 5.9.1.0-017DB configured No NX9500 0 days 00:01:59 0 days 00:03:22

--------------------------------------------------------------------------------

-------

Total number of devices displayed: 1 NX9500(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 183 SHOW COMMANDS NX9500(config)#show wireless bridge on ap6562-167598

--------------------------------------------------------------------------------

-----------------

LOCAL RADIO LOCAL BSSID SELECTED AP RF-BAND CHANNEL STATE UP TIME ACTIVITY

(sec ago)

--------------------------------------------------------------------------------

-----------------

ap6562-167598:R2 FC-0A-81-16-69-50 B4-C7-99-CA-A1-F0 5GHz 104 Selected 0 days 00:01:55 00:00:00

--------------------------------------------------------------------------------

-----------------

Total number of radios displayed: 1 NX9500(config)#

NX9500(config)#show wireless bridge config

--------------------------------------------------------------------------------

------------------------------------------------------------

IDX NAME MAC PROFILE RF-DOMAIN SSID BAND ENCRYPTION AUTHENTICATION EAP-USERNAME

--------------------------------------------------------------------------------

------------------------------------------------------------

1 ap6562-167598 FC-0A-81-16-75-98 default-ap6562 default inf_ap 2.4GHz/5GHz ccmp eap hoabeo

--------------------------------------------------------------------------------

------------------------------------------------------------

NX9500(config)#

NX9500(config)#show wireless bridge hosts

-----------------------------------------------------------------------------

HOST MAC BRIDGE MAC IP BRIDGING STATUS ACTIVITY

(sec ago)

-----------------------------------------------------------------------------

FC-0A-81-16-75-98 FC-0A-81-16-69-50 172.16.34.55 UP 00:00:00

-----------------------------------------------------------------------------

Total number of hosts displayed: 1 NX9500(config)#

NX9500(config)#show wireless bridge statistics

--------------------------------------------------------------------------------

-------

LOCAL RADIO CONNECTED AP SIGNAL SNR TX-RATE RX-RATE Tx Rx RETRY

(dbm) db (Mbps) (Mbps) bps bps AVG

--------------------------------------------------------------------------------

-------

ap6562-167598:R2 B4-C7-99-CA-A1-F0 -52 50 53 36 1 k 3 k 10

--------------------------------------------------------------------------------

-------

Total number of radios displayed: 1 NX9500(config)#

NX9500(config)#show wireless bridge candidate-ap on ap6562-167598 Client Bridge Candidate APs:

AP-MAC BAND CHANNEL SIGNAL(dbm) STATUS B4-C7-99-CA-A1-F0 5 GHz 104 -39 selected Total number of candidates displayed: 1 NX9500(config)#

NX9500(config)#show wireless bridge certificate status on ap6562-167598 Certificate Last Updated Status: Thu Jul 23 11:41:40 2017 NX9500(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 184 SHOW COMMANDS 6.1.77 wwan show commands Displays wireless WAN status Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show wwan [configuration|status] {on <DEVICE-OR-DOMAIN-NAME>}

Parameters show wwan [configuration|status] {on <DEVICE-OR-DOMAIN-NAME>}

wwan configuration status on <DEVICE-OR-

DOMAIN-NAME>

Displays wireless WAN configuration and status details Displays wireless WAN configuration information Displays wireless WAN status information The following keyword is common to the configuration and status parameters:

on <DEVICE-OR-DOMAIN-NAME> Optional. Displays configuration or status details on a specified device or RF Domain

<DEVICE-OR-DOMAIN-NAME> Specify the AP, wireless controller, service platform, or RF Domain name. Example rfs4000-229D58(config-device-00-23-68-22-9D-58)#show wwan configuration

>>> WWAN Configuration:

+-------------------------------------------

| Access Port Name : isp.cingular

| User Name : testuser

| Cryptomap : map1

+-------------------------------------------

rfs4000-229D58(config-device-00-23-68-22-9D-58)#

rfs4000-229D58(config-device-00-23-68-22-9D-58)#show wwan status

>>> WWAN Status:

+-------------------------------------------

| State : ACTIVE

| DNS1 : 209.183.54.151

| DNS2 : 209.183.54.151

+-------------------------------------------

rfs4000-229D58(config-device-00-23-68-22-9D-58)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 185 SHOW COMMANDS 6.1.78 virtual-machine show commands Displays the virtual-machine (VM) configuration, logs, and statistics Supported in the following platforms:

Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510 Syntax show virtual-machine [configuration|debugging|export|statistics]

show virtual-machine [configuration|statistics] {<VM-NAME>|team-urc|team-rls|

team-vowlan} {(on <DEVICE-NAME>)}

show virtual-machine debugging {level|on}

show virtual-machine debugging {level [debug|error|info|warning]} {on <DEVICE-

NAME>}

show virtual-machine export <VM-NAME> {on <DEVICE-NAME>}

show virtual-machine [configuration|statistics] {<VM-NAME>|adsp|team-cmt}

Parameters show virtual-machine [configuration|statistics] {<VM-NAME>|team-urc|team-rls|

team-vowlan} {(on <DEVICE-NAME>)}

virtual-machine configuration statistics

[<VM-NAME>|

team-urc|team-rls|

team-vowlan]

Displays the following VM-related information: configuration or statistics Displays detailed VM configuration Displays VM statistics The following keywords are common to the configuration and statistics parameters:

<VM-NAME> Optional. Displays VM configuration or statistics for the virtual machine identified by the <VM-NAME> keyword. Specify the VM name. team-urc Optional. Displays TEAM-URC (IP-PBX) VM configuration/statistics team-rls Optional. Displays TEAM-RLS (Radio Link Server) VM configuration/

statistics team-vowlan Optional. Displays TEAM-VoWLAN (Voice over WLAN) VM configuration/statistics on <DEVICE-NAME>

Optional. Specifies the name of the device on which the command is executed

<DEVICE-NAME> Specify the name of the service platform. show virtual-machine [configuration|statistics] {<VM-NAME>|adsp|team-cmt}

{(on <DEVICE-NAME>)}

virtual-machine configuration statistics Displays the following VM-related information: configuration or statistics Displays detailed VM configuration Displays VM statistics Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 186 SHOW COMMANDS

[<VM-NAME>|adsp|

team-cmt]

on <DEVICE-NAME>

The following keywords are common to the configuration and statistics parameters:

<VM-NAME> Optional. Displays VM configuration or statistics for the virtual machine identified by the <VM-NAME> keyword. Specify the VM name. adsp Optional. Displays Air-Defense Services Platform (ADSP) VM configuration/

statistics team-cmt Optional. Displays TEAM-CMT VM configuration/statistics These keywords are specific to the NX9500 and NX9510 service platforms. Optional. Specifies the name of the device on which the command is executed

<DEVICE-NAME> Specify the name of the service platform. show virtual-machine debugging {level[debug|error|info|warning]} {on <DEVICE-

NAME>}

virtual-machine debugging level [debug|

error|info|warning]

on <DEVICE-NAME>

Displays the following VM-related information: configuration or statistics Displays VM logs Optional. Displays VM logs based on the level selected. The available options are:

debug Displays VM logs of level debug and above error Displays VM logs of level error info Displays VM logs of level Info and above warning Displays logs of level warning and above The NX9500 and NX9510 series service platforms will display ADSP and TEAM-CMT VM debugging logs. Optional. Specifies the name of the device on which the command is executed

<DEVICE-NAME> Specify the name of the service platform. show virtual-machine export <VM-NAME> {on <DEVICE-NAME>}

virtual-machine export

<VM-NAME>

on <DEVICE-NAME>

Displays the following VM-related information: configuration or statistics Displays VM configuration export related information Displays VM configuration export related information for the virtual machine identified by the <VM-NAME> keyword. Specify the VM name. The NX9500 and NX9510 series service platforms will display ADSP and TEAM-CMT VM configuration export information Optional. Specifies the name of the device on which the command is executed

<DEVICE-NAME> Specify the name of the service platform. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 187 SHOW COMMANDS Example nx9500-6C874D#show virtual-machine statistics

--------------------------------------------------------------------------------

NAME STATE VCPUS MEM (MB) BRIDGE-IF IP

--------------------------------------------------------------------------------

WiNG - - 18432 - -

adsp Halted - - unknown -

team-cmt Halted - - unknown -

--------------------------------------------------------------------------------

nx9500-6C874D#

nx9500-6C874D#show virtual-machine configuration

--------------------------------------------------------------------------------

NAME AUTOSTART MEMORY(MB) VCPUS

--------------------------------------------------------------------------------

WiNG - 18432 -

adsp ignore 12000 12 team-cmt ignore 1024 1

--------------------------------------------------------------------------------

nx9500-6C874D#

nx9500-6C874D>show virtual-machine statistics adsp VM name: adsp Base Version : unknown Install Status : not_installed nx9500-6C874D>

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 188 SHOW COMMANDS 6.1.79 raid show commands Displays Redundant Array of Independent Disks (RAID) related information, such as array status, consistency check status, and RAID log. Use this command to assess the RAID arrays drive utilization and whether the drives are currently online. Since there is only one RAID array controller reporting status to the service platform, it is important to know if other drive s house hot spare drives as additional resources should one of the dedicated drives fail. This command also displays whether a physical within the RAID array has a drive installed, and whether the drive is currently online. Supported in the following platforms:

Service Platforms NX9500 Syntax show raid {on <DEVICE-NAME>}

Parameters show raid {on <DEVICE-NAME>}

raid on <DEVICE-NAME> Optional. Displays RAID status and statistics on a specified device Displays the RAID array status and statistics

<DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. Example nx9500-6C874D(config)#show raid Logical drive info:

Size 930 GB, State optimal Alarm enabled Last check: Sat Aug 10 02:56:54 2013 Last check result: ending Physical drive info:

Drive 0: online Drive 1: online Drive 2: not-installed Drive 3: not-installed Drive 4: not-installed nx9500-6C874D(config)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 189 7 PROFILES Profiles enable administrators to assign a common set of configuration parameters, policies, and WLANs to service platforms, controllers, and access points across a large, multi segment, site. The configuration parameters within a profile are based on the hardware model the profile was created to support. The service platforms, wireless controllers, and access points support both default and user-defined profiles. Each default and user-defined profile contains policies and configurations that are applied to devices assigned to the profile. Changes made to these configurations are automatically inherited by the devices. The central benefit of a profile is its ability to update devices collectively without having to modify individual device configurations. Default profiles are system maintained and are automatically applied to service platforms and wireless controllers. The default AP profile is automatically applied to a AP (discovered by a wireless controller or service platform), unless an AP auto-provisioning policy is defined specifically to assign APs to a user-

defined profile. After adoption, changes made to a profiles parameters are reflected across all devices using the profile. Default profiles are ideal for single site deployments where service platforms, wireless controllers, and access points share a common configuration. User-defined profiles, on the other hand, are manually created for each supported service platform, wireless controller, and access point model. User-defined profiles are recommended for larger deployments using centralized controllers and service platforms when groups of devices on different floors, buildings or sites share a common configuration. These user-defined profiles can be manually, or automatically assigned to through an auto provisioning policy. An auto provisioning policy provides the means to assign profiles to access points based on model, serial number, VLAN ID, DHCP options, IP address (subnet) and MAC address. For more information, see AUTO-PROVISIONING-POLICY. Each default and user-defined profile contains policies and configuration parameters. A user defined profile can be created for each of the following device type:

AP6521 Adds an AP6521 access point profile AP6522 Adds an AP6522 access point profile AP6532 Adds an AP6532 access point profile AP6562 Adds an AP6562 access point profile AP7161 Adds an AP7161 access point profile AP7502 Adds an AP7502 access point profile AP7522 Adds an AP7522 access point profile AP7532 Adds an AP7532 access point profile AP7562 Adds an AP7562 access point profile AP7602 Adds an AP7602 access point profile AP7612 Adds an AP7612 access point profile AP7622 Adds an AP7622 access point profile AP7632 Adds an AP7632 access point profile AP7662 Adds an AP7662 access point profile AP81XX Adds an AP81XX access point profile supporting the AP8132 and AP8163 models AP8232 Adds an AP8232 access point profile AP8432 Adds an AP8432 access point profile Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 1 PROFILES AP8533 Adds an AP8533 access point profile EX3524 Adds an EX3524 wireless controller profile EX3548 Adds an EX3548 wireless controller profile RFS4000 Adds an RFS4000 wireless controller profile RFS6000 Adds an RFS6000 wireless controller profile NX5500 Adds an NX5500 wireless controller profile NX7500 Adds an NX75XX series service platform profile supporting the NX7510, NX7520, and NX7530 models NX9000 Adds an NX95XX series service platform profile supporting the NX9500 and NX9510 models NX9600 Adds an NX96XX series service platform profile supporting the NX9600 and NX9610 models. Supported only on an NX96XX model device. VX9000 Adds a VX9000 wireless controller profile T5 Adds a T5 controller profile NOTE: A T5 profile can be created only on the following platforms:

RFS4000, RFS6000, NX9500, NX9510, and NX9600. Although profiles assign a common set of configuration parameters across devices, individual devices can still be assigned unique configuration parameters that follow the flat configuration model. As individual device updates are made, these devices no longer share the profile based configuration they originally supported. Therefore, changes made to a profile are not automatically inherited by devices who have had their configuration customized. These devices require careful administration, as they cannot be tracked as profile members. Their customized configurations overwrite their profile configurations until the profile is re-applied. NOTE: The commands present under Profiles are also available under the Device mode. The additional commands specific to the Device mode are listed separately. This chapter is organized into the following topics:

Profile Config Commands Device Config Commands T5 Profile Config Commands EX3524 & EX3548 Profile/Device Config Commands To view the list of device profiles supported, use the following command:

<DEVICE>(config)#profile ?

anyap Any access point profile ap650 AP650 access point profile ap6511 AP6511 access point profile ap6521 AP6521 access point profile ap6522 AP6522 access point profile ap6532 AP6532 access point profile ap6562 AP6562 access point profile ap71xx AP7161 access point profile ap7502 AP7502 access point profile ap7522 AP7522 access point profile ap7532 AP7532 access point profile ap7562 AP7562 access point profile Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 2 PROFILES ap81xx AP81XX access point profile ap82xx AP8232 access point profile ap8432 AP8432 access point profile ap8533 AP8533 access point profile containing Specify profiles that contain a sub-string in the profile name ex3524 EX3524 wireless controller profile ex3548 EX3548 wireless controller profile filter Specify addition selection filter nx5500 NX5500 wireless controller profile nx75xx NX75XX wireless controller profile nx9000 NX9000 wireless controller profile nx9600 NX9600 wireless controller profile rfs4000 RFS4000 wireless controller profile rfs6000 RFS6000 wireless controller profile rfs7000 RFS7000 wireless controller profile t5 T5 wireless controller profile vx9000 VX9000 wireless controller profile

<DEVICE>(config)#

rfs6000-37FABE(config)#profile rfs6000 default-rfs6000 rfs6000-37FABE(config-profile-default-rfs6000)#

rfs6000-37FABE(config)#profile ap71xx default-ap71xx rfs6000-37FABE(config-profile-default-ap71xx)#

<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>

<DEVICE>(config-profile-<PROFILE-NAME>)#

<DEVICE>(config-profile-<PROFILE-NAME>)#?

Profile Mode commands:

adopter-auto-provisioning-policy-lookup Use centralized auto-provisioning policy when adopted by another controller adoption Adoption configuration adoption-mode Configure the adoption mode for the access-points in this RF-Domain alias Alias application-policy Application Poicy configuration area Set name of area where the system is located arp Address Resolution Protocol (ARP) auto-learn Auto learning autogen-uniqueid Autogenerate a unique id autoinstall Autoinstall settings bridge Ethernet bridge captive-portal Captive portal cdp Cisco Discovery Protocol cluster Cluster configuration configuration-persistence Enable persistence of configuration across reloads (startup config file) controller WLAN controller configuration critical-resource Critical Resource crypto Encryption related commands database Database command device-onboard Device-onboarding configuration device-upgrade Device firmware upgrade diag Diagnosis of packets dot1x 802.1X dpi Enable Deep-Packet-Inspection

(Application Assurance) dscp-mapping Configure IP DSCP to 802.1p priority mapping for untagged frames eguest-server Enable ExtremeGuest Server functionality email-notification Email notification configuration Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 3 PROFILES enforce-version Check the firmware versions of devices before interoperating environmental-sensor Environmental Sensors Configuration events System event messages export Export a file file-sync File sync between controller and adoptees floor Set the floor within a area where the system is located gre GRE protocol http-analyze Specify HTTP-Analysis configuration interface Select an interface to configure ip Internet Protocol (IP) ipv6 Internet Protocol version 6 (IPv6) l2tpv3 L2tpv3 protocol l3e-lite-table L3e lite Table led Turn LEDs on/off on the device led-timeout Configure the time for the led to turn off after the last radio state change legacy-auto-downgrade Enable device firmware to auto downgrade when other legacy devices are detected legacy-auto-update Auto upgrade of legacy devices lldp Link Layer Discovery Protocol load-balancing Configure load balancing parameter logging Modify message logging facilities mac-address-table MAC Address Table mac-auth 802.1X management-server Configure management server address memory-profile Memory profile to be used on the device meshpoint-device Configure meshpoint device parameters meshpoint-monitor-interval Configure meshpoint monitoring interval min-misconfiguration-recovery-time Time interval to check controller connectivity after configuration is received mint MiNT protocol misconfiguration-recovery-time Check controller connectivity after configuration is received neighbor-inactivity-timeout Configure neighbor inactivity timeout neighbor-info-interval Configure neighbor information exchange interval no Negate a command or set its defaults noc Configure the noc related setting nsight NSight ntp Ntp server WORD offline-duration Set duration for which a device remains unadopted before it generates offline event otls Omnitrail Location Server power-config Configure power mode preferred-controller-group Controller group this system will prefer for adoption preferred-tunnel-controller Tunnel Controller Name this system will prefer for tunneling extended vlan traffic radius Configure device-level radius authentication parameters raid RAID remote-debug Configure remote debug parameters remove-override Remove configuration item override from the device (so profile value takes effect) Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 4 PROFILES rf-domain-manager RF Domain Manager router Dynamic routing slot PCI expansion Slot spanning-tree Spanning tree traffic-class-mapping Configure IPv6 traffic class to 802.1p priority mapping for untagged frames traffic-shape Traffic shaping trustpoint Assign a trustpoint to a service tunnel-controller Tunnel Controller group this controller belongs to use Set setting to use vrrp VRRP configuration vrrp-state-check Publish interface via OSPF/BGP only if the interface VRRP state is not BACKUP wep-shared-key-auth Enable support for 802.11 WEP shared key authentication zone Configure Zone name clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal

<DEVICE>(config-profile-<PROFILE-NAME>)#

<DEVICE>(config-profile-<T5-PROFILE-NAME>)#?

T5 Profile Mode commands:

cpe T5 CPE configuration interface Select an interface to configure ip Internet Protocol (IP) no Negate a command or set its defaults ntp Configure NTP override-wlan Configure RF Domain level overrides for wlan t5 T5 configuration t5-logging Modify message logging facilities use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal

<DEVICE>(config-profile-<T5-PROFILE-NAME>)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 5 PROFILES

<DEVICE>(config-profile-<EX3524/EX3548-PROFILE-NAME>)#?

EX3500 Profile Mode commands:

interface Select an interface to configure ip Internet Protocol (IP) no Negate a command or set its defaults power Ex3500 Power over Ethernet Command upgrade Configures upgrade option for ex3500 system use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal

<DEVICE>(config-profile-<EX3524/EX3548-PROFILE-NAME>)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 6 PROFILES 7.1 Profile Config Commands PROFILES The following table summarizes profile configuration mode commands:

Description Enables the use of a centralized auto provisioning policy on this profile Reference page 7-11 Command adopter-auto-

provisioning-

policy-lookup adoption alias application-

policy area arp auto-learn autogen-

uniqueid autoinstall bridge captive-portal Configures a minimum and maximum delay time in the initiation of the device adoption process Creates various types of aliases, such as network, VLAN, network-group, network-service, encrypted-string, hashed -string, etc. at the profile level Associates a RADIUS server provided application policy with this profile. When associated, the application policy allows wireless clients (MUs) to always find the RADIUS-supplied application policy in the dataplane. Sets the systems area of location (the area name) Configures static address resolution protocol Enables controllers or service platforms to maintain a local configuration record of devices requesting adoption and provisioning. The command also enables learning of a devices host name via DHCP options. Auto-generates a unique local ID for devices using this profile. When executed in the device configuration mode, this command generates a unique ID for the logged device. Configures the automatic install feature Configures bridge specific parameters Configures captive portal advanced Web page upload on a device profile Enables Cisco Discovery Protocol (CDP) on a device Configures a cluster name Enables persistence of configuration across reloads cdp cluster configuration-

persistence controller critical-resource Monitors resources that are critical to the health of the service platform, Configures a wireless controller or service platform crypto database wireless controller, or access point managed network. These critical resources are identified by their configured IP addresses. Configures data encryption related protocols and settings Backs up captive-portal and/or NSight database to a specified location and file and configures a low-disk-space threshold value device-onboard Configures the logo image file name and title displayed on the EGuest device-onboarding portal. This is the portal a vendor-admin user uses to onboard devices. device-upgrade Configures device firmware upgrade settings on this profile diag Enables looped packet logging page 7-13 page 7-15 page 7-22 page 7-24 page 7-25 page 7-27 page 7-28 page 7-30 page 7-31 page 7-62 page 7-63 page 7-64 page 7-67 page 7-68 page 7-72 page 7-80 page 7-143 page 7-144 page 7-145 page 7-147 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 7 PROFILES Command dot1x dpi dscp-mapping eguest-server

(VX9000 only) eguest-server

(NOC Only) email-

notification enforce-version environmental-

sensor events export file-sync floor gre http-analyze interface ip ipv6 l2tpv3 l3e-lite-table led led-timeout legacy-auto-

downgrade legacy-auto-

update lldp load-balancing logging mac-address-

table mac-auth Description Configures 802.1x standard authentication controls Enables Deep Packet Inspection (DPI) on this profile Configures an IP DSCP to 802.1p priority mapping for untagged frames Enables the EGuest daemon when executed without the host option Reference page 7-148 page 7-150 page 7-153 page 7-154 Points to the EGuest server, when executed along with the host option page 7-155 Configures e-mail notification settings Enables checking of a devices firmware version before attempting adoption or clustering Configures the environmental sensor settings on this profile (applicable to AP8132 model access point only) Enables system event logging and message generation. This command also configures event message forwarding settings. Enables export of startup.log file after every boot Configures parameters enabling synching of trustpoint and/or wireless-

bridge certificate between the staging-controller and adopted access point Sets the floor name where the system is located Enables Generic Routing Encapsulation (GRE) tunneling on this profile Configures HTTP analysis settings Configures an interface (VLAN, radio, GE, etc.) Configures IPv4 components Configures IPv6 components Defines the Layer 2 Tunnel Protocol (L2TP) protocol for tunneling layer 2 payloads using Virtual Private Networks (VPNs) Configures L3e Lite Table with this profile Turns device LEDs on or off Configures LED-timeout timer. This command is specific to the NX95XX series service platforms. Auto downgrades a legacy device firmware Auto upgrades a legacy device firmware Configures Link Layer Discovery Protocol (LLDP) Configures load balancing parameters Modifies message logging settings Configures the MAC address table Enables 802.1x user authentication protocol on this profile page 7-156 page 7-158 page 7-159 page 7-161 page 7-162 page 7-163 page 7-164 page 7-165 page 7-177 page 7-180 page 7-348 page 7-358 page 7-362 page 7-364 page 7-365 page 7-366 page 7-368 page 7-369 page 7-370 page 7-372 page 7-377 page 7-379 page 7-381 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 8 Configures the minimum device connectivity verification time Configures meshpoint monitoring interval Configures a meshpoint device parameters Description Configures a management server with this profile Command management-

server memory-profile Configures the memory profile used on the device meshpoint-

device meshpoint-

monitor-interval min-

misconfiguration

-recovery-time mint misconfiguration

-recovery-time neighbor-

inactivity-

timeout neighbor-info-

interval no Configures neighbor information exchange interval Configures neighbor inactivity timeout Configures MiNT protocol settings Verifies device connectivity after a configuration is received Removes or reverts settings to their default. The no command, when used in the profile configuration mode, removes the selected profiles settings or reverts them to their default. Configures NOC settings Configures NSight database related parameters Configures NTP server settings Configures support for detection and forwarding of OmniTrail beacon tags Sets the duration, in minutes, for which a device remains un-adopted before it generates offline event Configures the power mode Specifies the wireless controller or service platform group preferred for adoption Configures the tunnel wireless controller or service platform preferred by the system to tunnel extended VLAN traffic Configures device-level RADIUS authentication parameters Enables alarm on the array. This command is supported only on the NX9500 and NX9510 series service platform profile/device config modes. Enables devices using this profile to be elected as RF Domain manager. Also sets the priority value for devices using this profile in the RF Domain manager election process. Configures dynamic router protocol settings Configures spanning tree related settings Maps the IPv6 traffic class value of incoming IPv6 untagged packets to 802.1p priority noc nsight ntp otls offline-duration power-config preferred-

controller-group preferred-

tunnel-controller radius raid rf-domain-

manager router spanning-tree traffic-class-

mapping PROFILES Reference page 7-384 page 7-385 page 7-386 page 7-388 page 7-389 page 7-390 page 7-397 page 7-398 page 7-399 page 7-400 page 7-402 page 7-403 page 7-408 page 7-411 page 7-414 page 7-415 page 7-417 page 7-418 page 7-419 page 7-493 page 7-420 page 7-421 page 7-423 page 7-426 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 9 Description Enables traffic shaping and configures traffic shaping parameters Configures the trustpoint assigned for validating a CMP auth Operator Command traffic-shape trustpoint

(profile-config-

mode) tunnel-controller Configures the name of tunneled WLAN (extended VLAN) wireless controller or service platform Uses pre configured policies with this profile Configures Virtual Router Redundancy Protocol (VRRP) group settings use vrrp vrrp-state-check Publishes interface via OSPF or BGP based on VRRP status virtual-controller Enables an access point as a virtual-controller (VC) or dynamic virtual controller (DVC). Note, DVC is supported only on the AP7522, AP7532, and AP7562 model access points. Enables support for 802.11 WEP shared key authentication wep-shared-

key-auth service zone Service commands are used to view and manage configurations. The service commands and their corresponding parameters vary from mode to mode. Configures the zone for devices using this profile. The zone can also be configured on the devices self context. PROFILES Reference page 7-428 page 7-434 page 7-436 page 7-437 page 7-443 page 7-447 page 7-448 page 7-450 page 7-451 page 7-456 NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 10 PROFILES 7.1.1 adopter-auto-provisioning-policy-lookup Profile Config Commands Enables the use of a centralized auto provisioning policy on this profile. When enabled, the auto-

provisioning policy applied on the NOC gets precedence over the one applied at the site controller level. Optionally, use the evaluate-always option to set flag to run centralized auto-provisioning policy every time a device (access point/controller) is adopted. The devices previous adoption status is not taken into consideration. This command is also applicable in the device configuration context. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax adopter-auto-provisioning-policy-lookup {evaluate-always}

Parameters adopter-auto-provisioning-policy-lookup {evaluate-always}

adopter-auto-

provisioning-policy-

lookup

{evaluate-always}

Enables the use of a centralized auto provisioning policy on this profile or device evaluate-always Optional. Sets flag to run centralized auto-provisioning policy every time a device (access point/controller) is adopted. Example rfs6000-81742D(config-profile-default-rfs6000)#adopter-auto-provisioning-policy-

lookup evaluate-always rfs6000-81742D(config-profile-default-rfs6000)#show context profile rfs6000 default-rfs6000 autoinstall configuration autoinstall firmware crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac crypto ikev1 remote-vpn crypto ikev2 remote-vpn crypto auto-ipsec-secure crypto remote-vpn-client interface me1 interface up1 interface ge1 interface ge2 interface ge3 interface ge4 interface ge5 interface ge6 interface ge7 interface ge8 interface wwan1 interface pppoe1 use firewall-policy default Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 11 PROFILES logging on service pm sys-restart adopter-auto-provisioning-policy-lookup router ospf router bgp rfs6000-81742D(config-profile-default-rfs6000)#

Related Commands no Disables the application of centralized auto provisioning policy on this profile or device Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 12 PROFILES 7.1.2 adoption Profile Config Commands Configures a minimum and maximum delay time in the initiation of the device adoption process. When configured, devices do not attempt adoption immediately on coming up. The process is initiated after the lapse of a specified period of time (configured using this command as the start-delay minimum time). Once configured and applied, this setting is applicable on all devices using this profile. This option is also available in the device-configuration mode. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax adoption start-delay min <0-30> max <0-30>

Parameters adoption start-delay min <0-30> max <0-30>

Delays start of device adoption process min <0-30> Configures the minimum time to lapse before a device attempts adoption start-delay min <0-30>

max <0-30>

adoption. Specify a value from 0 - 30 seconds. A device, on coming up, attempts adoption only after the lapse of the time specified here. The default is 5 seconds. max <0-30> Configures the maximum time to lapse before a device attempts adoption. Specify a value from 0 - 30 seconds. The default is 20 seconds. Example rfs6000-81742D(config-profile-default-rfs6000)#adoption start-delay min 10 max 30 rfs6000-81742D(config-profile-default-rfs6000)#show context profile rfs6000 default-rfs6000 autoinstall configuration autoinstall firmware crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac crypto ikev1 remote-vpn crypto ikev2 remote-vpn crypto auto-ipsec-secure crypto remote-vpn-client interface me1 interface up1 interface ge1 interface ge2 interface ge3 interface ge4 interface ge5 interface ge6 interface ge7 interface ge8 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 13 PROFILES interface wwan1 interface pppoe1 use firewall-policy default logging on service pm sys-restart adopter-auto-provisioning-policy-lookup router ospf router bgp adoption start-delay min 10 max 30 rfs6000-81742D(config-profile-default-rfs6000)#

Related Commands no Removes the configured minimum start-delay value. When removed, devices attempt adoption immediately on coming up. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 14 PROFILES 7.1.3 alias Profile Config Commands Configures network, VLAN, and service aliases. The aliases defined on this profile applies to all devices using this profile. Aliases can be also defined at the device level. NOTE: You can apply overrides to aliases at the device level. Overrides applied at the device level take precedence. For more information on aliases, see alias. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax alias [address-range|encrypted-string|hashed-string|host|network|network-group|

network-service|number|string|vlan]

alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>

alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>

alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>

alias host <HOST-ALIAS-NAME> <HOST-IP>

alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>

alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]

alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to

<ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network

<NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]

alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|

gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|

ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport|ssh|telnet|tftp|www)}

alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|

gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|

ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|

www)}

alias number <NUMBER-ALIAS-NAME> <0-4294967295>

alias string <STRING-ALIAS-NAME> <LINE>

alias vlan <VLAN-ALIAS-NAME> <1-4094>

Parameters alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>

address-range

<ADDRESS-RANGE-

ALIAS-NAME>

Creates a new address-range alias for this profile. Or associates an existing address-

range alias with this profile. An address-range alias maps a name to a range of IP addresses. Use this option to create unique address-range aliases for different deployment scenarios. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 15 PROFILES For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote locations network range is 172.16.13.20 through 172.16.13.110, the remote locations ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range. A new ACL need not be created specifically for the remote deployment location.

<ADDRESS-RANGE-ALIAS-NAME> Specify the address range alias name. Note: Alias name should begin with $. Associates a range of IP addresses with this address range alias

<STARTING-IP> Specify the first IP address in the range. to <ENDING-IP> Specify the last IP address in the range. Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

<STARTING-IP>

to <ENDING-IP>

alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>

encrypted-string

<ENCRYPTED-

STRING-ALIAS-

NAME>

[0|2] <LINE>

Creates an alias for an encrypted string. Use this alias for string configuration values that are encrypted when "password-encryption" is enabled. For example, in the management-policy, use it to define the SNMP community string. For more information, see snmp-server.

<ENCRYPTED-STRING-ALIAS-NAME> Specify the encrypted-string alias name. Alias name should begin with $. Configures the value associated with the alias name specified in the previous step

[0|2] <LINE> Configures the alias value Note, if password-encryption is enabled, in the show > running-config output, this clear text is displayed as an encrypted string, as shown below:

nx9500-6C8809(config)#show running-config

!............................... alias encrypted-string $enString 2 fABMK2is7UToNiZE3MQXbgAAAAxB0ZIysdqsEJwr6AH/Da//

!

--More--

nx9500-6C8809 In the above output, the 2 displayed before the encrypted-

string alias value indicates that the displayed text is encrypted and not a clear text. However, if password-encryption is disabled the clear text is displayed as is:

nx9500-6C8809(config)#show running-config

!...............................

!

alias encrypted-string $enString 0 test11223344

!

--More--

nx9500-6C8809 For more information on enabling password-encryption, see password-encryption. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 16 PROFILES alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>

hashed-string

<HASHED-STRING-

ALIAS-NAME>

<LINE>

Creates an alias for a hashed string. Use this alias for configuration values that are hashed string, such as passwords. For example, in the management-policy, use it to define the privilege mode password. For more information, see privilege-mode-

password.

<HASHED-STRING-ALIAS-NAME> Specify the hashed-string alias name. Alias name should begin with $. Configures the hashed-string value associated with this alias. nx9500-6C8809(config)#show running-config

!

alias encrypted-string $WRITE 2 sBqVCDAoxs3oByF5PCSuFAAAAAd7HT2+EiT/l/BXm9c4SBDv

!

alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ec fc75

--More--

nx9500-6C8809 In the above show > running-config output, the 1 displayed before the hashed-string alias value indicates that the displayed text is hashed and not a clear text. alias host <HOST-ALIAS-NAME> <HOST-IP>

host

<HOST-ALIAS-NAME>

<HOST-IP>

Creates a new host alias for this profile. Or associates an existing host alias with this profile. A host alias configuration is for a particular host devices IP address. Use this option to create unique host aliases for different deployment scenarios. For example, if a central network DNS server is set a static IP address, and a remote locations local DNS server is defined, this host can be overridden at the remote location. At the remote location, the network is functional with a local DNS server, but uses the name set at the central network. A new host need not be created at the remote location. This simplifies creating and managing hosts and allows an administrator to better manage specific local requirements.

<HOST-ALIAS-NAME> Specify the host alias name. Alias name should begin with $. Associates the network hosts IP address with this host alias

<HOST-IP> Specify the network hosts IP address. Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence. alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>

network

<NETWORK-ALIAS-

NAME>

Creates a new network alias for this profile. Or associates an existing network alias with this profile. A network alias configuration is utilized for an IP address on a particular network. Use this option to create unique Network aliases for different deployment scenarios. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote locations network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit their local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment. This simplifies ACL definition and allows an administrator to better manage specific local requirements.

<NETWORK-ALIAS-NAME> Specify the network alias name. Alias name should begin with $. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 17 PROFILES

<NETWORK-

ADDRESS/MASK>

Associates a single network with this network alias

<NETWORK-ADDRESS/MASK> Specify the networks address and mask. Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence. alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to

<ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|

network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]

network

<NETWORK-GROUP-

ALIAS-NAME>

address-range

<STARTING-IP>

to <ENDING-IP>

{<STARTING-IP>

to <ENDING-IP>}

host <HOST-IP>

{<HOST-IP>}

Creates a new network-group alias for this profile. Or associates an existing network-

group alias with this profile.

<NETWORK-GROUP-ALIAS-NAME> Specify the network-group alias name. Alias name should begin with $. The network-group aliases are used in ACLs, to define the network-specific components. ACLs using aliases can be used across sites by re-defining the network-

group alias elements at the device or profile level. After specifying the name, specify the following: a range of IP addresses, host addresses, or a range of network addresses. Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence. Associates a range of IP addresses with this network-group alias

<STARTING-IP> Specify the first IP address in the range. to <ENDING-IP> Specify the last IP address in the range.

<STARTING-IP> to <ENDING-IP> Optional. Specifies more than one range of IP addresses. A maximum of eight (8) IP address ranges can be configured. Associates a single or multiple hosts with this network-group alias

<HOST-IP> Specify the hosts IP address.

<HOST-IP> Optional. Specifies more than one host. A maximum of eight (8) hosts can be configured. network <NETWORK-

ADDRESS/MASK>

{<NETWORK-

ADDRESS/MASK>}

Associates a single or multiple networks with this network-group alias

<NETWORK-ADDRESS/MASK> Specify the networks address and mask.

<NETWORK-ADDRESS/MASK> Optional. Specifies more than one network. A maximum of eight (8) networks can be configured. alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|

eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|

https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|

telnet|tftp|www)}

alias network-service

<NETWORK-

SERVICE-ALIAS-

NAME>

Creates a new network-service alias for this profile. Or associates an existing network-

service alias with this profile. A network service alias is a set of configurations that consist of protocol and port mappings. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network service alias.

<NETWORK-SERVICE-ALIAS-NAME> Specify a network-service alias name. Alias name should begin with $. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 18 proto [<0-254>|

<WORD>|eigrp|gre|

igmp|igp|ospf|vrrp]

{(<1-65535>|

<WORD>|bgp|dns|

ftp|ftp-data|gopher|

https|ldap|nntp|ntp|

pop3|proto|sip|smtp|

sourceport

[<1-65535>|

<WORD>]|ssh|telnet|

tftp|www)}

PROFILES The network-service aliases are used in ACLs, to define the service-specific components. ACLs using aliases can be used across sites by re-defining the network-

service alias elements at the device or profile level. Note: Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence. Use one of the following options to associate an Internet protocol with this network-

service alias:

<0-254> Identifies the protocol by its number. Specify the protocol number from 0

- 254. This is the number by which the protocol is identified in the Protocol field of the IPv4 header and the Next Header field of IPv6 header. For example, the User Datagram Protocols (UDP) designated number is 17.

<WORD> Identifies the protocol by its name. Specify the protocol name. eigrp Selects Enhanced Interior Gateway Routing Protocol (EIGRP). The protocol number 88. gre Selects Generic Routing Encapsulation (GRE). The protocol number is 47. igmp Selects Internet Group Management Protocol (IGMP). The protocol number is 2. igp Selects Interior Gateway Protocol (IGP). The protocol number is 9. ospf Selects Open Shortest Path First (OSPF). The protocol number is 89. vrrp Selects Virtual Router Redundancy Protocol (VRRP). The protocol number is 112. After specifying the protocol, you may configure a destination port for this service. These keywords are recursive and you can configure multiple protocols and associate multiple destination and source ports.

<1-65535> Optional. Configures a destination port number from 1 - 65535

<WORD> Optional. Identifies the destination port by the service name provided. For example, the secure shell (SSH) service uses TCP port 22. bgp Optional. Configures the default Border Gateway Protocol (BGP) services port

(179) dns Optional. Configures the default Domain Name System (DNS) services port (53) ftp Optional. Configures the default File Transfer Protocol (FTP) control services port

(21) ldap Optional. Configures the default Lightweight Directory Access Protocol (LDAP) services port (389) ftp-data Optional. Configures the default FTP data services port (20) gopher Optional. Configures the default gopher services port (70) https Optional. Configures the default HTTPS services port (443) nntp Optional. Configures the default Newsgroup (NNTP) services port (119) ntp Optional. Configures the default Network Time Protocol (NTP) services port

(123) proto Optional. Use this option to select another Internet protocol in addition to the one selected in the previous step. sip Optional. Configures the default Session Initiation Protocol (SIP) services port

(5060). Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 19 PROFILES sourceport [<1-65535>|<WORD>] Optional. After specifying the destination port, you may specify a single or range of source ports.

<1-65535> Specify the source port from 1 - 65535.

<WORD> Specify the source port range, for example 1-10. ssh Optional. Configures the default SSH services port (22) telnet Optional. Configures the default Telnet services port (23) tftp Optional. Configures the default Trivial File Transfer Protocol (TFTP) services port (69) www Optional. Configures the default HTTP services port (80) alias number <NUMBER-ALIAS-NAME> <0-4294967295>

alias number

<NUMBER-ALIAS-

NAME>

<0-4294967295>

Creates a number alias identified by the <NUMBER-ALIAS-NAME> keyword. Number aliases map a name to a numeric value. For example, alias number $NUMBER 100 The number alias name is: $NUMBER The value assigned is: 100 The value referenced by alias $NUMBER, wherever used, is 100.

<NUMBER-ALIAS-NAME> Specify the number alias name.

<0-4294967295> Specify the number, from 0 - 4294967295, assigned to the number alias created. Alias name should begin with $. alias string <STRING-ALIAS-NAME> <LINE>

alias string

<STRING-ALIAS-

NAME>

Creates a new string alias for this profile. Or associates an existing string alias with this profile. String aliases map a name to an arbitrary string value. Use this option to create unique string aliases for different deployment scenarios. For example, if the main domain at a remote location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.

<VLAN-ALIAS-NAME> Specify the string alias name.

<LINE> Specify the string value. Alias name should begin with $. Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence. alias vlan <VLAN-ALIAS-NAME> <1-4094>

alias vlan

<VLAN-ALIAS-NAME>

Creates a new VLAN alias for this profile. Or associates an existing VLAN alias with this profile. A VLAN alias maps a name to a VLAN ID. A VLAN alias is a configuration for optimal VLAN re-use and management for local and remote deployments. Use this option to create unique VLANs aliases for different deployment scenarios. For example, if a VLAN ID is set as 10 for the central network, and the VLAN is set as 26 at a remote location, the VLAN can be overridden at the remote location using an alias. Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 20 PROFILES At the remote location, the network is functional with an ID of 26, but utilizes the name defined at the central local network. A new VLAN need not be created specifically at the remote location.

<VLAN-ALIAS-NAME> Specify the VLAN alias name. Alias name should begin with $. Maps the VLAN alias to a VLAN ID

<1-4094> Specify the VLAN ID from 1 - 4094. Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

<1-4094>

Example The following example shows the global aliases configured. Note the network-service alias $kerberos settings. nx9500-6C8809(config)#show running-config | include alias alias network-group $NetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25 alias network-group $NetGrpAlias network 192.168.13.0/24 192.168.16.0/24 alias network $NetworkAlias 192.168.13.0/24 alias host $HostAlias 192.168.13.10 alias address-range $AddRanAlias 192.168.13.10 to 192.168.13.13 alias network-service $kerberos proto tcp 23 22 proto udp 25 alias vlan $VlanAlias 1 alias string $AREA Ecospace alias string $IN-Blr-EcoSpace-Floor-4 IBEF4 alias encrypted-string $READ 2 CdO6glQ9w29hybKxfbd6JwAAAAa7lKMBMk9EiDQfFRf9kegO alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75 nx9500-6C8809(config)#

The following examples show the overrides applied to the network-service alias $kerberos at the profile level:

nx9500-6C8809(config-profile-testRFS4k)#alias network-service $kerberos proto tcp 88 proto udp 389 nx9500-6C8809(config-profile-testRFS4k)#

The following example shows the overrides applied to the network-service alias $kerberos at the profile level:

nx9500-6C8809(config-profile-testRFS4k)#show running-config | include alias alias network-group $NetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25 alias network-group $NetGrpAlias network 192.168.13.0/24 192.168.16.0/24 alias network $NetworkAlias 192.168.13.0/24 alias host $HostAlias 192.168.13.10 alias address-range $AddRanAlias 192.168.13.10 to 192.168.13.13 alias network-service $kerberos proto tcp 23 22 proto udp 25 alias vlan $VlanAlias 1 alias string $AREA Ecospace alias string $IN-Blr-EcoSpace-Floor-4 IBEF4 alias encrypted-string $READ 2 /Mfbt1Et8XRhybKxfbd6JwAAAAZ9yrIYq7mNl4+gNNiiMIZI alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75 alias network-service $kerberos proto tcp 88 proto udp 389 nx9500-6C8809(config-profile-testRFS4k)#

Related Commands no Removes the use of centralized auto provisioning policy on this profile or device Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 21 PROFILES 7.1.4 application-policy Profile Config Commands Associates a RADIUS server provided application policy with this profile. This command is also applicable to the device configuration mode. When associated, the application policy allows wireless clients (MUs) to always find the RADIUS-supplied application policy in the dataplane. An application policy defines the actions executed on recognized HTTP (Facebook), enterprise (Webex) and peer-to-peer (gaming) applications or application-categories. The following are the actions that can be applied in an application policy:

Allow - Allows packets for a specific application and its defined category type (for e.g., social networking) Deny - Denies (restricts) packets to a specific application and its defined category type Mark - Marks recognized packets with DSCP/8021p value Rate-limit - Rate limits packets from specific application type For more information on configuring an application policy, see application-policy. Supported in the following platforms:

Access Points AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax application-policy radius <APP-POLICY-NAME>

Parameters application-policy radius <APP-POLICY-NAME>

application-policy radius

<APP-POLICY-NAME>

Associates a RADIUS server provided application policy with this profile

<APP-POLICY-NAME> Specify the application policy name (should be existing and configured). Example nx9500-6C8809(config)#show context include-factory | include application-policy application-policy Bing no use application-policy no use application-policy no use application-policy no use application-policy no use application-policy no use application-policy no use application-policy no use application-policy no use application-policy nx9500-6C8809(config)#

nx9500-6C8809(config-profile-testNX9500)#application-policy radius Bing nx9500-6C8809(config-profile-testNX9500)#show context include-factory | include application-policy application-policy radius Bing nx9500-6C8809(config-profile-testNX9500)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 22 PROFILES nx9500-6C8809(config-application-Bing)#Show context application Bing app-category streaming use url-list Bing nx9500-6C8809(config-application-Bing)#

Related Commands no Removes the RADIUS-server provided application policy associated with this profile Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 23 PROFILES 7.1.5 area Profile Config Commands Sets the systems area of location (the physical area of deployment) Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax area <WORD>

Parameters area <WORD>

area <WORD>

Sets the systems area of location

<WORD> Specify the area name (should not exceed 64 characters). Example rfs6000-37FABE(config-profile-default-rfs6000)#area Ecospace rfs6000-37FABE(config-profile-default-rfs6000)#show context profile rfs6000 default-rfs6000 bridge vlan 1 ip igmp snooping ip igmp snooping querier area Ecospace autoinstall configuration autoinstall firmware crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac crypto ikev1 remote-vpn crypto ikev2 remote-vpn crypto auto-ipsec-secure interface me1 interface ge1

--More--

rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands no Resets the configured area name Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 24 PROFILES 7.1.6 arp Profile Config Commands Adds a static Address Resolution Protocol (ARP) IP address in the ARP cache The ARP protocol maps an IP address to a hardware MAC address recognized on the network. ARP provides protocol rules for making this correlation and providing address conversion in both directions. When an incoming packet destined for a host arrives, ARP finds a physical host or MAC address that matches the IP address. ARP looks in its ARP cache and, if it finds the address, provides it so the packet can be converted to the right packet length, formatted, and sent to its destination. If no entry is found for the IP address, ARP broadcasts a request packet in a special format on the LAN to locate a device that recognizes the IP address. A device that recognizes the IP address as its own returns a reply indicating it. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax arp [<IP>|timeout]

arp <IP> <MAC> arpa [<L3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1|serial <1-4>

<1-1> <1-1>] {dhcp-server|router}

arp timeout <15-86400>

Parameters arp <IP> <MAC> arpa [<L3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1|serial <1-

4> <1-1> <1-1>] {dhcp-server|router}

arp <IP>

<MAC>

arpa

<L3-INTERFACE-

NAME>

pppoe1 vlan <1-4094>

wwan1

{dhcp-server|router}

Adds a static ARP IPv4 address in the ARP cache

<IP> Specify the static IP address. Specify the MAC address associated with the IP and the Switch Virtual Interface

(SVI). Sets ARP encapsulation type to ARPA Configures static ARP entry for a specified router interface

<L3-INTERFACE-NAME> Specify the router interface name. Configures static ARP entry for PPP over Ethernet interface Configures static ARP entry for a VLAN interface

<1-4094> Specify a SVI VLAN ID from 1 - 4094. Configures static ARP entry for Wireless WAN interface The following keywords are common to all off the above interface types:

dhcp-server Optional. Sets ARP entries for a DHCP server router Optional. Sets ARP entries for a router Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 25 PROFILES arp timeout <15-86400>

arp timeout

<15-86400>

Sets ARP entry timeout

<TIME> Sets the ARP entry timeout in seconds. Specify a value from 15 - 86400 seconds. The default is 3600 seconds. Example rfs6000-37FABE(config-profile-default-rfs6000)#arp timeout 2000 rfs6000-37FABE(config-profile-default-rfs6000)#show context profile rfs6000 default-rfs6000 bridge vlan 1 bridging-mode isolated-tunnel ip igmp snooping ip igmp snooping querier arp timeout 2000 crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac crypto ikev1 remote-vpn crypto ikev2 remote-vpn crypto auto-ipsec-secure interface me1 interface ge1 ip dhcp trust qos trust dscp qos trust 802.1p interface ge2 ip dhcp trust

--More--

rfs6000-37FABE(config-profile-default-rfs7000)#

Related Commands no Removes an entry from the ARP cache Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 26 PROFILES 7.1.7 auto-learn Profile Config Commands Enables controllers or service platforms to maintain a local configuration record of devices requesting adoption and provisioning. The command also enables learning of a devices host name via DHCP options. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax auto-learn [host-name-via-dhcp <WORD>|staging-config]

Parameters auto-learn [host-name-via-dhcp <WORD>|staging-config]

auto-learn

[host-name-via-dhcp

<WORD>|

staging-config]

Enables auto-learning of:

host-name-via-dhcp A devices host name via DHCP option.

<WORD> Provide the optional template with substitution token. For example,

'outdoor-$DHCP[1:3]-ap', where the $DHCP token references DHCP Option value re-

ceived by the adopting device. The $DHCP token should be present. This option is dis-

abled by default. staging-config The network configuration of devices requesting adoption. This option is enabled by default. For dependent access points that are pre-staged prior to deployment, it is recommended that the auto-learn-staging-config parameter re-

mains enabled so that hostnames, VLAN and IP addressing configuration can be maintained upon initial adoption. However, if dependent access points are to be cen-

trally managed and configured, it is recommended that the auto-learn-staging-config parameter be disabled. Example nx9500-6C8809(config-profile-test)#auto-learn staging-config nx9500-6C8809(config-profile-test)#show context include-factory | include auto-

learn auto-learn staging-config no auto-learn host-name-via-dhcp nx9500-6C8809(config-profile-test)#

Related Commands no Disables automatic recognition of devices hostname and devices pending adoption Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 27 PROFILES 7.1.8 autogen-uniqueid Profile Config Commands Auto-generates a unique ID for devices using this profile. When executed in the device configuration mode, this command generates a unique ID for the logged device. A devices unique ID is a combination of a user-defined string (prefix, suffix, or both) and a substitution token. The WiNG implementation provides two built-in substitution tokens: $SN and $MiNT-ID that represent the devices serial number and MiNT-ID respectively. The value referenced by these substitution tokens are internally retrieved and combined with the user-defined string to auto generate a unique identity for the device. The general format of this command is: <PREFIX><SUBSTITUTION-TOKEN><SUFFIX>. You can provide both (prefix and suffix) or just a prefix or suffix. For example, given the following set of inputs:

user-defined prefix TestAP6522 substitution token $SN The unique ID is generated using TestAP6522$SN, where $SN is replaced with the devices serial number. When executed on an AP6522 (having serial number B4C7996C8809), the autogen-uniqueid TestAP6522$SN command generates the unique ID: TestAP6522B4C7996C8809. When configured on an AP6522 profile, all AP6522s using the profile auto-generate a unique ID in which the devices serial number is preceded by the string TestAP6522. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax autogen-uniqueid <WORD>

Parameters autogen-uniqueid <WORD>

autogen-uniqueid

<WORD>

Auto-generates a devices unique ID (not exceeding 64 characters in length) The ID generated is a combination of the text provided and the value referenced through the substitution token $SN or $MiNT-ID. Where ever the autogen-uniqueid is used the devices serial number OR MiNT-ID is referenced depending on the substitution token used.

<WORD> Specify a auto generate unique ID format using one of the following substitution tokens:

Available tokens:

$SN - references SERIAL NUMBER of the device

$MINT-ID - references MINT-ID of the device For example, Test-$SN-TechPubs. In this example Test and TechPubs represent the user-defined prefix and suffix respectively. And $SN is the substitution token. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 28 PROFILES Example nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#autogen-uniqueid Test-$MiNT-ID-

TechPubs nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context nx9000 B4-C7-99-6C-88-09 use profile default-nx9000 use rf-domain TechPubs hostname nx9500-6C8809 license AAP 66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1 license HTANLT 66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497 timezone Asia/Calcutta use database-policy default use nsight-policy noc autogen-uniqueid Test-$MiNT-ID-TechPubs ip default-gateway 192.168.13.2 device-upgrade auto rfs6000 ap81xx ap71xx ap7562 ap7532 interface ge1 switchport mode access switchport access vlan 1 interface ge2

--More--

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

Related Commands no When executed in the device configuration mode, removes the devices autogen-

uniqueid. When executed in the profile configuration mode, removes the autogen-

uniqueid on all devices using the profile. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 29 PROFILES 7.1.9 autoinstall Profile Config Commands Automatically installs firmware image and startup configuration parameters on to the selected device. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax autoinstall [configuration|firmware|start-interval <WORD>]

Parameters autoinstall [configuration|firmware|start-interval <WORD>]

configuration firmware start-interval

<WORD>

Autoinstalls startup configuration. Setup parameters are automatically configured on devices using this profile. This option is disabled by default. Autoinstalls firmware image. Firmware images are automatically installed on devices using this profile. This option is disabled by default. Configures the interval between system boot and start of autoinstall process (this is the time, from system boot, after which autoinstall should start)

<WORD> Specify the interval in minutes. The default is 10 minutes. Note: Zero (0) implies firmware or startup configuration installation can start any time. Example rfs6000-37FABE(config-profile-default-rfs6000)#autoinstall configuration rfs6000-37FABE(config-profile-default-rfs6000)#autoinstall firmware rfs7000-37FABE(config-profile-default-rfs6000)#show context profile rfs6000 default-rfs6000 bridge vlan 1 bridging-mode isolated-tunnel ip igmp snooping ip igmp snooping querier arp timeout 2000 autoinstall configuration autoinstall firmware crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac crypto ikev1 remote-vpn crypto ikev2 remote-vpn crypto auto-ipsec-secure interface me1 interface ge1 ip dhcp trust

--More--

rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands no Disables the auto install settings Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 30 PROFILES 7.1.10 bridge Profile Config Commands The following table summarizes Ethernet bridge configuration commands:

Command bridge bridge-vlan-

mode commands Description Enables Ethernet bridge configuration context Summarizes bridge VLAN configuration mode commands Reference page 7-32 page 7-35 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 31 PROFILES 7.1.10.1 bridge bridge Configures VLAN Ethernet bridging parameters. Use this command to configure a Bridge NAT or Bridge VLAN settings Configuring bridge Network Address Translation (NAT) parameters, allows management of Internet traffic originating at a remote site. In addition to traditional NAT functionality, bridge NAT provides a means of configuring NAT for bridged traffic through an access point. NAT rules are applied to bridged traffic through the access point, and matching packets are NATed to the WAN link instead of being bridged on their way to the router. Using bridge NAT, a tunneled VLAN (extended VLAN) is created between the NOC and a remote location. When a remote client needs to access the Internet, Internet traffic is routed to the NOC, and from there routed to the Internet. This increases the access time for the end user on the client. To resolve latency issues, bridge NAT identifies and segregates traffic heading towards the NOC and outwards towards the Internet. Traffic towards the NOC is allowed over the secure tunnel. Traffic towards the Internet is switched to a local WLAN link with access to the Internet. A Virtual LAN (VLAN) is a separately administrated virtual network within the same physical managed network. VLANs are broadcast domains defined within wireless controllers or service platforms to allow control of broadcast, multicast, unicast, and unknown unicast within a layer 2 device. For example, say several computers are used in conference room X and some in conference Y. The systems in conference room X can communicate with one another, but not with the systems in conference room Y. The VLAN enables the systems in conference rooms X and Y to communicate with one another even though they are on separate physical subnets. The systems in conference rooms X and Y are managed by the same single wireless controller or service platform, but ignore the systems that are not using the same VLAN ID. Administrators often need to route traffic between different VLANs. Bridging VLANs are only for non-

routable traffic, like tagged VLAN frames destined to some other device, which will untag it. When a data frame is received on a port, the VLAN bridge determines the associated VLAN based on the port of reception. Using forwarding database information, the bridge VLAN forwards the data frame on the appropriate port(s). VLANs are useful to set separate networks to isolate some computers from others, without actually having to have separate cabling and Ethernet switches. Controllers can do this on their own, without need for the computer or other gear to know itself what VLAN it is on (this is called port-

based VLAN, since it is assigned by port of the switch). Another common use is to put specialized devices like VoIP Phones on a separate network for easier configuration, administration, security, or quality of service. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Switch Note: For more information on the interface types and the devices support-

ing them, see interface. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 32 PROFILES Syntax bridge [nat|vlan]

bridge nat source list <IP-ACCESS-LIST-NAME> precedence <1-500> interface

[<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address|interface|

overload|pool <NAT-POOL-NAME>)]

bridge vlan [<1-4094>|<VLAN-ALIAS-NAME>]

Parameters bridge nat source list <IP-ACCESS-LIST-NAME> precedence <1-500> interface

[<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1]

[(address|interface|overload|pool <NAT-POOL-NAME>)]

nat source list

<IP-ACCESS-LIST-

NAME>

precedence <1-500>

interface

[<LAYER3-INTERFACE-

NAME>|

pppoe1|vlan <1-4094>|

wwan1]

[(address|interface|

overload|pool

<NAT-POOL-NAME>)]

Configures bridge NAT parameters Configures NAT source addresses Associates an access control list (ACL) with this bridge NAT policy. The ACL specifies the IP address permit/deny rules applicable to this bridge NAT policy.

<IP-ACCESS-LIST-NAME> Specify access list name. precedence <1-500> Specifies a precedence value for this bridge NAT policy. Selects one of the following as the primary interface (between the source and destination points):

<LAYER3-INTERFACE-NAME> A router interface. Specify interface name. pppoe1 A PPP over Ethernet interface. vlan <1-4094> A VLAN interface. Specify the VLAN interface index from 1 - 4094. wwan1 A Wireless WAN interface. The following keywords are recursive and common to all interface types:

address Configures the interface IP address used for NAT interface Configures the failover interface (default setting) overload Enables use of one global address for multiple local addresses

(terminates command) pool <NAT-POOLNAME> Configures the NAT pool used with this bridge NAT policy. Specify the NAT pool name. For more information on configuring a NAT pool, see nat-pool-config-instance. bridge vlan [<1-4094>|<VLAN-ALIAS-NAME>]

vlan <1-4094>

vlan <VLAN-ALIAS-

NAME>

Usage Guidelines Configures the numerical identifier for the Bridge VLAN when it was initially created.

<1-4094> Specify a VLAN index from 1 - 4094. Configures the VLAN alias (should be existing and configured) identifying the bridge VLAN

<VLAN-ALIAS-NAME> Specify a VLAN alias name. Creating customized filter schemes for bridged networks limits the amount of unnecessary traffic processed and distributed by the bridging equipment. If a bridge does not hear Bridge Protocol Data Units (BPDUs) from the root bridge within the specified interval, defined in the max-age (seconds) parameter, assume the network has changed and recomputed the spanning-tree topology. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 33 PROFILES Example rfs6000-37FABE(config-profile-default-rfs6000)#bridge vlan 1 rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#?

Bridge VLAN Mode commands:

Bridge VLAN Mode commands:

bridging-mode Configure how packets on this VLAN are bridged captive-portal Captive Portal captive-portal-enforcement Enable captive-portal enforcement on this extended VLAN description Vlan description edge-vlan Enable edge-VLAN mode firewall Enable vlan firewall(IPv4) http-analyze Forward URL and Data to controller ip Internet Protocol (IP) ipv6 Internet Protocol version 6

(IPv6) l2-tunnel-broadcast-optimization Enable broadcast optimization l2-tunnel-forward-additional-packet-types Forward additional packet types not normally forwarded by l2 broadcast optimization mac-auth Enable mac-auth for this bridge vlan no Negate a command or set its defaults stateful-packet-inspection-l2 Enable stateful packet inspection in layer2 firewall tunnel Vlan tunneling settings tunnel-over-level2 Tunnel extended VLAN traffic over level 2 MiNT links use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 34 PROFILES 7.1.10.2 bridge-vlan-mode commands bridge The following table summarizes bridge VLAN configuration mode commands:

Command bridging-mode captive-portal captive-portal-

enforcement description edge-vlan firewall http-analyze ip ipv6 l2-tunnel-

broadcast-

optimization l2-tunnel-forward-

additional-packet-

types mac-auth no stateful-packet-

inspection-l2 tunnel tunnel-over-level2 use Description Configures how packets on this VLAN are bridged Enables IP packet snooping on wired captive portals, and also configures the subnet to snoop Enables auto-enforcement of captive portal rules on this extended VLAN interface Configures VLAN bridge description Enables edge VLAN mode Enables firewall on this bridge VLAN interface Enables the analysis of URLs and data traffic on this Bridge VLAN Configures IP components Configures IPv6 components Enables broadcast optimization Reference page 7-36 page 7-38 page 7-39 page 7-40 page 7-41 page 7-42 page 7-43 page 7-44 page 7-47 page 7-50 Enables forwarding of Wireless Network Management Protocol

(WNMP) packets across L2 tunnels. These WNMP packets are normally not forwarded if L2 tunnel broadcast optimization is enabled. Enables MAC authentication for Extended VLAN and Tunneled traffic page 7-51 page 7-54 Negates a command or reverts settings to their default page 7-56 Enables stateful packet inspection in the layer 2 fire wall page 7-53 Enables tunneling of unicast messages to unknown MAC destinations, on the selected VLAN bridge Enables extended VLAN traffic over level 2 MiNT links Associates a captive-portal, access control list (IP, IPv6, or MAC), and a URL filter with this bridge VLAN page 7-57 page 7-59 page 7-60 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 35 PROFILES 7.1.10.2.1 bridging-mode bridge-vlan-mode commands Configures how packets are bridged on the selected VLAN Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax bridging-mode [auto|isolated-tunnel|local|tunnel]

Parameters bridging-mode [auto|isolated-tunnel|local|tunnel]

bridging-mode auto isolated-tunnel local tunnel Configures the VLAN bridging mode Automatically selects the bridging mode to match the WLAN, VLAN and bridging mode configurations. When selected, the controller or access point determines the best bridging mode for the VLAN. (default setting) Bridges packets between local Ethernet ports and local radios, and passes tunneled packets through without de-tunneling Select this option for a dedicated tunnel for bridging VLAN traffic. Bridges packets normally between local Ethernet ports and local radios (if any) Local mode is typically configured in remote branch offices where traffic on remote private LAN segments need to be bridged locally. Local mode implies that traffic, wired and wireless, is to be bridged locally. Bridges packets between local Ethernet ports, local radios, and tunnels to other APs, wireless controllers, or service platforms Select this option to use a shared tunnel for bridging VLAN traffic. In tunnel mode, the traffic at the AP is always forwarded through the best path. The APs decide the best path to reach the destination and forward packets accordingly. Setting the VLAN to tunnel mode ensures packets are bridged between local Ethernet ports, any local radios, and tunnels to other APs, wireless controllers, and service platforms. Usage Guidelines ACLs can only be used with tunnel or isolated-tunnel modes. They do not work with the local and automatic modes. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 36 PROFILES Example rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#bridging-mode isolated-tunnel rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context bridge vlan 1 bridging-mode isolated-tunnel ip igmp snooping ip igmp snooping querier rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands no Resets bridging mode to auto Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 37 PROFILES 7.1.10.2.2 captive-portal bridge-vlan-mode commands Enables IP (IPv4 and IPv6) packet snooping on wired captive portals, and also configures the subnet to snoop. When enabled, IP packets received from wired captive portal clients, on the specified subnet, are snooped to learn IP to MAC mapping. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax captive-portal [ipv4-snooping|ipv6-snooping] subnet <IPv4/M|IPv6/M> {excluded-

address <IPv4|IPv6>}

Parameters captive-portal [ipv4-snooping|ipv6-snooping] subnet <IPv4/M|IPv6/M> {excluded-

address <IPv4|IPv6>}

captive-portal

[ipv4-snooping|

ipv6-snooping]

subnet <IPv4/M|

IPv6/M>

excluded-address

<IPv4|IPv6>

Enables snooping of IPv4 or IPv6 packets (based on the option selected) for wired captive portal clients Enables IPv4 or IPv6 packet snooping on a specified subnet

<IPv4/M|IPv6/M> Specify the subnet address in the A.B.C.D/M or X:X::X:X/M format to identify an IPv4 or IPv6 subnet respectively. When specified, this is the IPv4/IPv6 subnet on which IP packets are to be snooped. Optional. Configures the IPv4 or IPv6 address excluded from snooping within the specified IPv4|IPv6 subnet.

<IPv4|IPv6> Specify the IPv4 or IPv6 address. Use this parameter to configure the gateways address. Example nx9500-6C8809(config-profile NX9500Test-bridge-vlan-4)#captive-portal ip-snooping subnet 192.168.13.0/24 excluded-address 192.168.13.7 nx9500-6C8809(config-profile NX9500Test-bridge-vlan-4)#show context bridge vlan 4 captive-portal ip-snooping subnet 192.168.13.0/24 excluded-address 192.168.13.7 ip igmp snooping ip igmp snooping querier ipv6 mld snooping ipv6 mld snooping querier nx9500-6C8809(config-profile NX9500Test-bridge-vlan-4)#

Related Commands no Disables IP packet snooping on wired captive portals Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 38 PROFILES 7.1.10.2.3 captive-portal-enforcement bridge-vlan-mode commands Enables auto-enforcement of captive portal rules on this extended VLAN interface. This option is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax captive-portal-enforcement {fall-back}

Parameters captive-portal-enforcement {fallback}

captive-portal-

enforcement fall-back Enables auto-enforcement of captive portal access permission rules to data transmitted over this extended VLAN interface. When enforced, wired network users can pass traffic through the captive portal without being redirected to an authentication page. Authentication instead takes place when the RADIUS server is queried against the wired user's MAC address. If the MAC address is in the RADIUS server's user database, the user is allowed access. A captive portal is an access policy for providing temporary and restrictive access using a standard Web browser. Captive portals capture and re-direct a wired/wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the network. Optional. If enabling source MAC authentication for Extended VLAN and tunneled traffic on this bridge VLAN, use this option to enforce captive-portal authentication as the fall-back mode of authentication in case MAC authentication fails. Example nx9500-6C8809(config-profile testAP7602-bridge-vlan-20)#show context bridge vlan 20 captive-portal-enforcement ip igmp snooping ip igmp snooping querier ipv6 mld snooping ipv6 mld snooping querier nx9500-6C8809(config-profile testAP7602-bridge-vlan-20)#

Related Commands no Disables auto-enforcement of captive portal rules on this extended VLAN interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 39 PROFILES 7.1.10.2.4 description bridge-vlan-mode commands Configures this extended VLANs description Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7632, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax description <WORD>

Parameters description <WORD>

description <WORD>

Configures a description for this VLAN bridge

<WORD> Enter a description. The description should be unique to the VLANs specific configuration to help differentiate it from other VLANs with similar configurations. Example rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#description This is a description for the bridged VLAN rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context bridge vlan 1 description "This is a description for the bridged VLAN"

bridging-mode isolated-tunnel ip igmp snooping ip igmp snooping querier rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands no Removes VLANs description Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 40 PROFILES 7.1.10.2.5 edge-vlan bridge-vlan-mode commands Enables the edge VLAN mode. In the edge VLAN mode, a protected port does not forward traffic to another protected port on the same wireless controller or service platform. This feature is enabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax edge-vlan Parameters None Example rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#edge-vlan rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands no Disables the edge VLAN mode Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 41 PROFILES 7.1.10.2.6 firewall bridge-vlan-mode commands Enables IPv4 firewall on this bridge VLAN interface. This feature is enabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax firewall Parameters None Example rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#firewall rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands no Disables firewall on this bridge VLAN interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 42 PROFILES 7.1.10.2.7 http-analyze bridge-vlan-mode commands Enables the analysis of URLs and data traffic on this Bridge VLAN. When enabled, URLs and data are forwarded to the controller running the HTTP analytics engine. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax http-analyze {filter [images|post|query-string]}

Parameters http-analyze {filter [images|post|query-string]}

http-analyze filter [images|post|

query-string]

Enables URL and HTTP data analysis. Optionally use the filter keyword to filter out specific URLs filter Optional. Filters out specific URLs images Filters out URLs referring to images post Filters out URLs referring to POSTs query-string Filters out query strings received from URLs Example rfs4000-229D58(config-device 00-23-68-22-9D-58-bridge-vlan-4)#http-analyze filter images rfs4000-229D58(config-device 00-23-68-22-9D-58-bridge-vlan-4)#show context bridge vlan 4 http-analyze filter images rfs4000-229D58(config-device 00-23-68-22-9D-58-bridge-vlan-4)#

Related Commands no Disables forwarding of URLs and data to the controller running the HTTP analytics engine Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 43 PROFILES 7.1.10.2.8 ip bridge-vlan-mode commands Configures VLAN bridge IP components Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ip [arp|dhcp|igmp]

ip [arp|dhcp] trust ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count|

mrouter|querier}

ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count

<1-7>}

ip igmp snooping {mrouter [interface|learn]}

ip igmp snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}

ip igmp snooping {querier} {address|max-response-time|timer|version}

ip igmp snooping {querier} {address <IP>|max-response-time <1-25>|timer expiry

<60-300>|version <1-3>}

Parameters ip [arp|dhcp] trust ip arp trust dhcp trust Configures the VLAN bridge IP parameters Configures the ARP trust parameter. Trusted ARP packets are used to update the DHCP snoop table to prevent IP spoof and arp-cache poisoning attacks. This option is disabled by default. trust Trusts ARP responses on the VLAN bridge Configures the DHCP trust parameter. Uses DHCP packets, from a DHCP server, as trusted and permissible within the access point, wireless controller, or service platform managed network. DHCP packets are used to update the DHCP snoop table to prevent IP spoof attacks. This feature is enabled by default. trust Trusts DHCP responses on the VLAN bridge ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count

<1-7>}

ip igmp snooping Configures the VLAN bridge IP parameters Configures Internet Group Management Protocol (IGMP) snooping parameters. IGMP snooping is enabled by default. IGMP establishes and maintains multicast group memberships for interested members. Multicasting allows a networked device to listen to IGMP network traffic and forward IGMP multicast packets to radios on which the interested hosts are connected. The device also maintains a map of the links that require multicast streams, there by reducing unnecessary flooding of the network with multicast traffic. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 44 PROFILES fast-leave forward-unknown-

multicast last-member-query-

count <1-7>

Optional. Enables fast leave processing. When enabled, layer 2 LAN interfaces are removed from the IGMP snooping forwarding table entry without initially sending IGMP group-specific queries to the interface. When receiving a group specific IGMPv2 leave message, IGMP snooping removes the interface from the Layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port. Fast-leave processing enhances bandwidth management for all hosts on the network. This option is disabled by default. This feature is supported only on the AP7502, AP8232, AP8533 model access points. Optional. Enables forwarding of multicast packets from unregistered multicast groups. If disabled, the unknown multicast forward feature is also disabled for individual VLANs. This option is enabled by default. Optional. Configures the last member query count used in determining the number of group-specific queries sent before removing the snoop entry

<1-7> Specify the count from 1 - 7. The default value is 2. ip igmp snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}

ip igmp snooping mrouter interface

<INTERFACE-LIST>

learn pim-dvmrp Configures the VLAN bridge IP parameters Configures the IGMP snooping parameters Optional. Configures the multicast router parameters Configures the multicast router interfaces. This option is disabled by default.

<INTERFACE-LIST> Specify a comma-separated list of interface names. Configures the multicast router learning protocols. This option is disabled by default. pim-dvmrp Enables Protocol-Independent Multicast (PIM) and Distance-Vector Multicast Routing Protocol (DVMRP) snooping of packets ip igmp snooping {querier} {address <IP>|max-response-time <1-25>|

timer expiry <60-300>|version <1-3>}

ip igmp snooping querier address <IP>

Configures the VLAN bridge IP parameters Configures the IGMP snooping parameters Optional. Configures the IGMP querier parameters. This option is disabled by default. Enables IGMP querier. IGMP snoop querier keeps host memberships alive. It is primarily used in a network where there is a multicast streaming server and hosts subscribed to the server and no IGMP querier present. The access point, wireless controller, or service platform performs the IGMP querier role. An IGMP querier sends out periodic IGMP query packets. Interested hosts reply with an IGMP report packet. IGMP snooping is only conducted on wireless radios. IGMP multicast packets are flooded on wired ports. IGMP multicast packet are not flooded on the wired port. IGMP membership is also learnt on it and only if present, then it is forwarded on that port. Optional. Configures the IGMP querier source IP address. This address is used as the default VLAN querier IP address.

<IP> Specify the IGMP querier source IP address. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 45 PROFILES max-response-time

<1-25>

Optional. Configures the IGMP querier maximum response time. This option is disabled by default.

<1-25> Specify the maximum response time from 1 - 25 seconds. The access point, wireless controller, or service platform forwards multicast packets only to radios present in the snooping table. IGMP reports from wired ports are forwarded to the multicast router ports. If no reports are received from a radio, it is removed from the snooping table. The radio then stops receiving multicast packets. timer expiry <60-300> Optional. Configures the IGMP querier expiry time. The value specified is used as the timeout interval for other querier resources. This option is disabled by default. expiry Configures the IGMP querier timeout version <1-3>

<60-300> Specify the IGMP querier timeout from 60 - 300 seconds. Optional. Configures the IGMP version. This option is disabled by default.

<1-3> Specify the IGMP version. The versions are 1- 3. Example rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip arp trust rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip dhcp trust rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping mrouter interface ge1 ge2 rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping mrouter learn pim-dvmrp rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping querier max-response-time 24 rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping querier timer expiry 100 rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping querier version 2 rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context bridge vlan 1 description This is a description for the bridged VLAN ip arp trust ip dhcp trust ip igmp snooping ip igmp snooping querier ip igmp snooping querier version 2 ip igmp snooping querier max-response-time 24 ip igmp snooping querier timer expiry 100 ip igmp snooping mrouter interface ge2 ge1 rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands no Disables or reverts the VLAN Ethernet bridge parameters Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 46 PROFILES 7.1.10.2.9 ipv6 bridge-vlan-mode commands Configures this VLAN bridges IPv6 components Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ipv6 [dhcpv6|firewall|mld|nd]

ipv6 dhcpv6 trust ipv6 firewall ipv6 mld snooping {forward-unknown-multicast|mrouter|querier}

ipv6 mld snooping {forward-unknown-multicast}

ipv6 mld snooping {mrouter [interface|learn]}

ipv6 mld snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}

ipv6 mld snooping {querier} {max-response-time|timer|version}

ipv6 mld snooping {querier} {max-response-time <1-25000>|timer expiry <60-300>|

version <1-2>}

ipv6 nd raguard Parameters ipv6 dhcpv6 trust ipv6 dhcpv6 trust Configures the VLAN bridge IPv6 parameters Enables the DHCPv6 trust option. When enabled all DHCPv6 responses are trusted on this bridge VLAN. This option is enabled by default. trust Trusts DHCPv6 responses on this bridge VLAN ipv6 firewall ipv6 firewall Configures the VLAN bridge IPv6 parameters Enables IPv6 firewall on this bridge VLAN. This option is enabled by default. Devices utilizing IPv6 addressing require firewall protection unique to IPv6 traffic. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters. Routers respond to such a request with a router advertisement (RA) packet that contains Internet layer configuration parameters. ipv6 mld snooping {forward-unknown-multicast}

ipv6 Configures the VLAN bridge IPv6 parameters Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 47 PROFILES mld snooping forward-unknown-

multicast Configures Multicast Listener Discovery Protocol (MLD) snooping parameters MLD snooping enables a access point, wireless controller, or service platform to examine MLD packets and make forwarding decisions based on the content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses. MLD uses multicast listener queries and multicast listener reports to identify which multicast addresses have listeners and join multicast groups. MLD snooping caps the flooding of IPv6 multicast traffic on controller, service platform or access point VLANs. When enabled, MLD messages between hosts and multicast routers are examined to identify the hosts receiving multicast group traffic. The access point, wireless controller, or service platform forward multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces. This option is enabled by default. Optional. Enables forwarding of multicast packets from unregistered multicast groups. If disabled, the unknown multicast forward feature is also disabled for individual VLANs. This option is enabled by default. ipv6 mld snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}

ipv6 mld snooping mrouter interface

<INTERFACE-LIST>

learn pim-dvmrp Configures the VLAN bridge IPv6 parameters Configures MLD snooping parameters. This option is enabled by default. Optional. Configures the multicast router parameters, such as interfaces and learning protocol used. Configures the multicast router interfaces. This option is disabled by default.

<INTERFACE-LIST> Specify a comma-separated list of interface names. Configures the multicast router learning protocols. This option is disabled by default. pim-dvmrp Enables PIM and DVMRP snooping of packets ipv6 mld snooping {querier} {max-response-time <1-25000>|timer expiry <60-300>|

version <1-2>}

ipv6 mld snooping querier max-response-time

<1-25000>

Configures the VLAN bridge IPv6 parameters Configures IPv6 MLD snooping parameters. This option is disabled by default. Optional. Enables and configures the MLD querier parameters. When enabled, the device (access point, wireless controller, and service platform) sends query messages to discover which network devices are members of a given multicast group. This option is disabled by default. Optional. Configures the IPv6 MLD queriers maximum response time. This option is disabled by default.

<1-25000> Specify the maximum response time from 1 - 25000 milliseconds. timer expiry <60-300> Optional. Configures the IPv6 MLD other queriers timeout. This option is disabled version <1-2>

by default.

<60-300> Specify the MLD other queriers timeout from 60 - 300 seconds. Optional. Configures the IPv6 MLD querier version. This option is disabled by default.

<1-2> Specify the MLD version. The versions are 1- 2. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 48 PROFILES ipv6 nd raguard ipv6 nd raguard Configures the VLAN bridge IPv6 parameters Allows router advertisement (RA) or ICMPv6 redirects on this VLAN bridge. This option is enabled by default. Example rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 dhcpv6 trust rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 firewall rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping forward-

unknown-multicast rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping mrouter interface ge1 ge2 rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping mrouter learn pim-dvmrp rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping querier max-

response-time 20000 rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping querier timer expiry 200 rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping querier version 2 rfs7000-37FABE(config-profile test-bridge-vlan-2)#show context bridge vlan 2 ip igmp snooping ip igmp snooping querier ipv6 mld snooping ipv6 mld snooping querier ipv6 mld snooping mrouter interface ge2 ge1 ipv6 mld snooping querier version 2 ipv6 mld snooping querier max-response-time 20000 ipv6 mld snooping querier timer expiry 200 rfs7000-37FABE(config-profile test-bridge-vlan-2)#

Related Commands no Disables or reverts the VLAN Ethernet bridge IPV6 parameters Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 49 PROFILES 7.1.10.2.10 l2-tunnel-broadcast-optimization bridge-vlan-mode commands Enables broadcast optimization on this bridge VLAN. L2 Tunnel Broadcast Optimization prevents flooding of ARP packets over the virtual interface. Based on the learned information, ARP packets are filtered at the wireless controller level. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax l2-tunnel-broadcast-optimization Parameters None Example rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#l2-tunnel-broadcast

-optimization rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context bridge vlan 1 description This is a description for the bridged VLAN l2-tunnel-broadcast-optimization bridging-mode isolated-tunnel ip arp trust ip dhcp trust ip igmp snooping ip igmp snooping querier ip igmp snooping mrouter interface ge2 ge1 ip igmp snooping querier version 2 ip igmp snooping querier max-response-time 24 ip igmp snooping querier timer expiry 100 rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands no Disables L2 tunnel broadcast optimization Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 50 PROFILES 7.1.10.2.11 mac-auth bridge-vlan-mode commands Enables source MAC authentication for Extended VLAN and tunneled traffic (MiNT and L2TPv3) on this bridge VLAN NOTE: If enabling MAC authentication, ensure that an AAA policy is configured and for enforcing MAC Authentication. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mac-auth {attempts <1-5>|throttle <0-255>}

Parameters mac-auth {attempts <1-5>|throttle <0-255>}]

mac-auth attempts <1-5>

Enables MAC Authentication Optional. Configures the maximum number of retries allowed for MAC authentication requests.

<1-5> Specify the maximum allowed authentication retries from 1 - 5. The default is 3. throttle <0-255>

Optional. Configures the throttle value for MAC authentication requests

<0-255> Specify the MAC authentication request throttle value from 0 -255. The default is 64. Usage Guidelines Applying AAA Policy for MAC Authentication To enable MAC authentication, Create an AAA policy. nx9500-6C8809(config)#aaa-policy MAC-Auth Use the AAA policy on the device for MAC Authentication. nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#mac-auth use aaa-policy MAC-Auth In the bridge VLAN context, enable MAC Authentication, nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#mac-auth Optionally, configure the following MAC Authentication parameters. If not specified, default values are applied. nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#mac-auth attempts 2 nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#mac-auth throttle 100 Usage Guidelines Enabling Fall-back Captive Portal Authentication To enable fall-back captive-portal authentication on the bridge VLAN, apply a captive-portal policy to the bridge VLAN. nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#use captive-portal test Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 51 PROFILES enable captive-portal authentication as the fall-back authentication mode. nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#captive-portal-enforcement fall-

back Example nx9500-6C8809(config-profile testNX9000-bridge-vlan-20)#mac-auth attempts 2 nx9500-6C8809(config-profile testNX9000-bridge-vlan-20)#mac-auth throttle 80 nx9500-6C8809(config-profile testNX9000-bridge-vlan-20)#show context bridge vlan 20 mac-auth attempts 2 mac-auth throttle 80 ip igmp snooping ip igmp snooping querier ipv6 mld snooping ipv6 mld snooping querier nx9500-6C8809(config-profile testNX9000-bridge-vlan-20)#

Related Commands no Disables MAC authentication for Extended VLAN and Tunneled traffic on this bridge VLAN Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 52 PROFILES 7.1.10.2.12 l2-tunnel-forward-additional-packet-types bridge-vlan-mode commands Enables forwarding of Wireless Network Management Protocol (WNMP) packets across L2 tunnels. Under normal circumstances, if L2 tunnel broadcast optimization is enabled. WNMP packets are not forwarded across the L2 tunnels. Use this option to enable the forwarding of only WNMP packets. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax l2-tunnel-forward-additional-packet-types wnmp Parameters None Example nx9500-6C8809(config-profile testNX9000-bridge-vlan-1)#l2-tunnel-forward-

additional-packet-types wnmp nx9500-6C8809(config-profile testNX9000-bridge-vlan-1)#show context bridge vlan 1 l2-tunnel-broadcast-optimization l2-tunnel-forward-additional-packet-types wnmp ip igmp snooping ip igmp snooping querier ipv6 mld snooping ipv6 mld snooping querier nx9500-6C8809(config-profile testNX9000-bridge-vlan-1)#

Related Commands no Disables WNMP packet forwarding across L2 tunnel Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 53 PROFILES 7.1.10.2.13 no bridge-vlan-mode commands Negates a command or reverts settings to their default. The no command, when used in the bridge VLAN mode, negates the VLAN bridge settings or reverts them to their default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [bridging-mode|captive-portal|captive-portal-enforcement|description|edge-

vlan|firewall|http-analyze|ip|ipv6|l2-tunnel-broadcast-optimization|l2-tunnel-

forward-additional-packet-types|mac-auth|stateful-packet-inspection-l2|tunnel|

tunnel-over-level2|use]

no [bridging-mode|captive-portal-enforcement|description|edge-vlan|firewall|

l2-tunnel-broadcast-optimization|l2-tunnel-forward-additional-packet-types|

mac-auth|stateful-packet-inspection-l2|tunnel-over-level2]

no captive-portal [ip-snooping|ipv6-snooping] subnet <IPv4/M|IPv6/M> {excluded-

address <IPv4|IPv6>}

no http-analyze {filter [images|post|query-string]}

no ip [arp|dhcp|igmp]

no ip [arp|dhcp] trust no ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-

count|mrouter|querier}

no ip igmp snooping {forward-unknown-multicast}

no ip igmp snooping {mrouter [interface <INTERFACE-LIST>|learn pin-dvmrp]}

no ip igmp snooping {querier} {address|max-response-time|timer expiry|version}

no ipv6 [dhcpv6|firewall|mld|nd]

no ipv6 dhcpv6 trust no ipv6 firewall no ipv6 mld snooping {forward-unknown-multicast}

no ipv6 mld snooping {mrouter [interface <INTERFACE-LIST>|learn pin-dvmrp]}

no ipv6 mld snooping {querier} {max-response-time|timer expiry|version}

no ipv6 nd raguard no tunnel [rate-limit level2|unknown-unicast]

no use [application-policy|captive-portal|ip-access-list|ipv6-access-list|

mac-access-list|url-list] tunnel out Parameters no <PARAMETERS>

no <PARAMETERS>

Resets or reverts this bridge VLANs settings based on the parameters passed Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 54 Example PROFILES The following example displays bridge VLAN 20 settings before the no commands are executed:

nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#show context bridge vlan 20 ip igmp snooping ip igmp snooping querier ipv6 mld snooping ipv6 mld snooping querier nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#

nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#no ip igmp snooping nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#no ipv6 mld snooping The following example displays bridge VLAN 20 settings after the no commands are executed:

nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#show context bridge vlan 20 no ip igmp snooping ip igmp snooping querier no ipv6 mld snooping ipv6 mld snooping querier nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#

nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#show context bridge vlan 20 mac-auth attempts 2 mac-auth throttle 80 ip igmp snooping ip igmp snooping querier ipv6 mld snooping ipv6 mld snooping querier nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#

nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#no mac-auth nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#show context bridge vlan 20 ip igmp snooping ip igmp snooping querier ipv6 mld snooping ipv6 mld snooping querier nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 55 PROFILES 7.1.10.2.14 stateful-packet-inspection-l2 bridge-vlan-mode commands Enables a stateful packet inspection (SPI) at the layer 2 firewall. SPI, also referred to as dynamic packet filtering, is a security feature that tracks the operating state and characteristics of network connections traversing it. It distinguishes legitimate packets for different types of connections, and only allows packets matching a known active connection to pass. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax stateful-packet-inspection-l2 Parameters None Example rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#stateful-packet-ins inspection-l2 rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands no Disables stateful packet inspection at the layer 2 firewall Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 56 PROFILES 7.1.10.2.15 tunnel bridge-vlan-mode commands Enables tunneling of unicast messages, to unknown MAC destinations, on the selected VLAN bridge Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax tunnel [rate-limit|unknown-unicast]

tunnel rate-limit level2 rate <50-1000000> max-burst-size <2-1024> {red-threshold

[background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}

tunnel unknown-unicast Parameters tunnel rate-limit level2 rate <50-1000000> max-burst-size <2-1024> {red-

threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}

tunnel rate-limit level2 rate

<50-1000000>

max-burst-size

<2-1024>

Configures a rate-limit parameters (max-burst-size and rate) for tunneled VLAN traffic over level 2 MiNT links rate Optional. Configures the data rate, in kilobits per second, for the incoming and outgoing extended VLAN traffic tunneled over MiNT level 2 links

<50-1000000> Specify a value from 50 - 1000000 Kbps. The default is 5000 Kbps. max-burst-size Optional. Configures the maximum burst size

<2-1024> Specify the maximum burst size from 2 - 1024 kbytes. The de-

fault is 320 kbytes. After specifying the max-burst-size, optionally specify the red-threshold value for the different traffic types. The red-threshold is configured as a % of the specified max-

burst-size. red-threshold Optional. Configures the random early detection (red) threshold for the different traffic types background Configures the red-threshold for low priority traffic from 0 - 100. The default is 50% of the specified max-burst-size. best-effort Configures the red-threshold for normal priority traffic from 0 - 100. The default is 50% of the specified max-burst-size. video Configures the red-threshold for video traffic from 0 - 100. The default is 25% of the specified max-burst-size. voice Configures the red-threshold for voice traffic from 0 - 100. The default is 0%

of the specified max-burst-size. tunnel unknown-unicast tunnel unknown-unicast Enables tunneling of unicast packets destined for unknown MAC addresses Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 57 PROFILES Example rfs6000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#tunnel unknown-unicast rfs6000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#no tunnel unknown-unicast rfs6000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#show context bridge vlan 1 ip igmp snooping ip igmp snooping querier no tunnel unknown-unicast rfs6000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#

Related Commands no Disables tunneling of unicast messages, to unknown MAC destinations, on the selected VLAN bridge Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 58 PROFILES 7.1.10.2.16 tunnel-over-level2 bridge-vlan-mode commands Enables extended VLAN (tunneled VLAN) traffic over level 2 MiNT links. This option is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax tunnel-over-level2 Parameters None Example rfs4000-229D58(config-profile testRFS4000-bridge-vlan-1)#tunnel-over-level2 rfs4000-229D58(config-profile testRFS4000-bridge-vlan-1)#show context bridge vlan 1 description This is a description for the bridged VLAN l2-tunnel-broadcast-optimization bridging-mode isolated-tunnel tunnel-over-level2 ip arp trust ip dhcp trust ip igmp snooping ip igmp snooping querier rfs4000-229D58(config-profile testRFS4000-bridge-vlan-1)#

Related Commands no Disables extended VLAN traffic over level 2 MiNT links Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 59 PROFILES 7.1.10.2.17 use bridge-vlan-mode commands Associates a captive-portal, access control list (IPv4, IPv6, or MAC), and/or a URL filter with this bridge VLAN Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax use [application-policy|captive-portal|ip-access-list|ipv6-access-list|mac-

access-list|url-filter]

use application-policy <APP-POLICY-NAME>

use captive-portal <CAPTIVE-PORTAL-NAME>

use [ip-access-list|ipv6-access-list|mac-access-list] tunnel out <IP/ipv6/MAC-

ACCESS-LIST-NAME>

use url-filter <URL-FILTER-NAME>

Parameters use application-policy <APP-POLICY-NAME>

use application-policy

<APP-POLICY-NAME>

Enforces application detection on this VLAN bridge

<APP-POLICY-NAME> Specify the application policy name (should be existing and configured). For more information on application definitions and application policies, see application and application-policy. use captive-portal <CAPTIVE-PORTAL-NAME>

use captive-portal Applies an existing captive portal configuration to restrict access to the bridge VLAN configuration A captive portal is an access policy for providing temporary and restrictive access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access to the network. Once logged into the captive portal, additional terms and agreement, welcome, fail, and no-service pages provide the administrator with a number of options on captive portal screen flow and user appearance.

<CAPTIVE-PORTAL-NAME> Specify the captive portal name. use [ip-access-list|ipv6-access-list|mac-access-list] tunnel out <IP/IPv6/MAC-

ACCESS-LIST-NAME>

use ip-access-list ipv6-access-list mac-access-list Sets this VLAN bridge policy to use an IPv4/IPv6 access list or a MAC access list Associates a pre-configured IPv4 access list with this VLAN-bridge interface Associates a pre-configured IPv6 access list with this VLAN-bridge interface Associates a pre-configured MAC access list with this VLAN- bridge interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 60 PROFILES tunnel out

<IP/IPv6/MAC-ACCESS-

LIST-NAME>

The following keywords are common to the IPv4/IPv6 access list and MAC access list parameters:

tunnel Applies IPv4/IPv6 access list or MAC access list to all packets going into the tunnel out Applies IPv4/IPv6 access list or MAC access list to all outgoing packets

<IP/IPv6/MAC-ACCESS-LIST-NAME> Specify the IP/IPv6 access list or MAC access list name. use url-filter <URL-FILTER-NAME>

use url-filter

<URL-FILTER-NAME>

Sets this VLAN bridge to use a URL filter Specify the URL filter name. It should be existing and configured. This option enforces URL filtering on the VLAN bridge. Example rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#use mac-access-list tunnel out PERMIT-ARP-AND-IPv4 rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context bridge vlan 1 ip igmp snooping ip igmp snooping querier use mac-access-list tunnel out PERMIT-ARP-AND-IPv4 rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands no Disables or reverts VLAN Ethernet bridge settings Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 61 PROFILES 7.1.11 captive-portal Profile Config Commands Configures captive portal advanced Web page uploads on this profile A captive portal is a means of providing guests temporary and restrictive access to the controller managed wireless network. A captive portal provides secure authenticated controller access by capturing and re-

directing a wireless users Web browser session to a captive portal login page, where the user must enter valid credentials. Once the user is authenticated and logged into the controller managed network, additional agreement, welcome, and fail pages provide the administrator with options to control the captive portals screen flow and user appearance. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax captive-portal page-upload count <1-20>

Parameters captive-portal page-upload count <1-20>

page-upload count <1-20>

Enables captive portal advanced Web page upload Sets the maximum number of APs that can be uploaded concurrently

<1-20> Set a value from 1 - 20. The default is 10. Example nx9500-6C8809(config-profile-testNX9500)#captive-portal page-upload count 15 nx9500-6C8809(config-profile-testNX9500)#show context include-factory | include captive-portal captive-portal page-upload count 15 no captive-portal-enforcement no captive-portal-enforcement no captive-portal-enforcement no captive-portal-enforcement no captive-portal-enforcement no captive-portal-enforcement service captive-portal-server connections-per-ip 3 nx9500-6C8809(config-profile-testNX9500)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 62 PROFILES 7.1.12 cdp Profile Config Commands Enables Cisco Discovery Protocol (CDP), a proprietary data link layer network protocol implemented in Cisco networking equipment and used to share network information amongst different vendor wireless devices Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax cdp [holdtime|run|timer]

cdp [holdtime <10-1800>|run|timer <5-900>]

Parameters cdp [holdtime <10-1800>|run|timer <5-900>]

holdtime <10-1800>

run timer <5-900>

Specifies the holdtime after which transmitted packets are discarded

<10-1800> Specify a value from 10 - 1800 seconds. The default is 180 seconds. Enables CDP sniffing and transmit globally. This feature is enabled by default. Specifies the interval, in seconds, between successive CDP packet transmission

<5-900> Specify a value from 5 - 900 seconds. The default is 60 seconds. Example rfs6000-37FABE(config profile-default-rfs6000)#cdp run rfs6000-37FABE(config profile-default-rfs6000)#cdp holdtime 1000 rfs7000-37FABE(config profile-default-rfs6000)#cdp timer 900 rfs6000-37FABE(config-profile-default-rfs6000)#show context profile rfs6000 default-rfs6000 bridge vlan 1 no edge-vlan l2-tunnel-broadcast-optimization

............................................................. qos trust 802.1p interface pppoe1 use firewall-policy default cdp holdtime 1000 cdp timer 900 service pm sys-restart router ospf rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands no Disables CDP on this profile Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 63 PROFILES 7.1.13 cluster Profile Config Commands Sets the cluster configuration Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax cluster [force-configured-state|force-configured-state-delay|handle-stp|master-

priority|member|mode|name|radius-counter-db-sync-time]

cluster [force-configured-state|force-configured-state-delay <3-1800>|handle-stp|

master-priority <1-255>]

cluster member [ip|vlan]

cluster member [ip <IP> {level [1|2]}|vlan <1-4094>]

cluster mode [active|standby]

cluster name <CLUSTER-NAME>

cluster radius-counter-db-sync-time <1-1440>

Parameters cluster [force-configured-state|force-configured-state-delay <3-1800>|handle-

stp|master-priority <1-255>]

force-configured-state Forces adopted APs to auto revert when a failed wireless controller or service platform (in a cluster) restarts When an active controller (wireless controller, or service platform) fails, a standby controller in the cluster takes over APs adopted by the failed active controller. If the failed active controller were to restart, it starts a timer based on the force-

configured-state-delay interval specified. At the expiration of this interval, the standby controller releases all adopted APs and goes back to a monitoring mode. If the active controller fails during this interval, the force-configured-state-delay timer is stopped. The timer restarts as soon as the active controller comes back up. This feature is disabled by default. Forces cluster transition to the configured state after a specified interval

<3-1800> Specify a delay from 3 - 1800 minutes. The default is 5 minutes. This is the interval a standby controller waits before releasing adopted APs when a failed primary controller becomes active again. Enables Spanning Tree Protocol (STP) convergence handling. This feature is disabled by default. In layer 2 networks, this protocol is enabled to prevent network looping. If enabled, the network forwards data only after STP convergence. Enabling STP convergence delays the redundancy state machine execution until the STP convergence is completed (the standard protocol value for STP convergence is 50 seconds). Delaying the state machine is important to load balance APs at startup. force-configured-

state-delay <3-1800>

handle-stp Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 64 PROFILES master-priority

<1-255>

Configures cluster master priority

<1-255> Specifies cluster master election priority. Assign a value from 1 - 255. Higher the value higher is the precedence. The default is 128. In a cluster environment one device from the cluster is elected as the cluster master. A devices master priority value decides the devices priority to become cluster master. cluster member [ip <IP> {level [1|2]}|vlan <1-4094>]

member ip <IP> level [1|2]

Adds a member to the cluster. It also configures the cluster VLAN where members can be reached. Adds IP address of the new cluster member

<IP> Specify the IP address. level Optional. Configures routing level for the new member. Select one of the fol-

lowing routing levels:

1 Level 1, local routing 2 Level 2, In-site routing vlan <1-4094>

Configures the cluster VLAN where members can be reached

<1-4094> Specify the VLAN ID from 1- 4094. cluster mode [active|standby]

mode [active|standby] Configures cluster members mode as active or standby active Configures cluster mode as active. This is the default setting. standby Configures cluster mode as standby A member can be in either an Active or Standby mode. All active member controllers can adopt access points. Standby members only adopt access points when an active member has failed or sees an access point not adopted by a controller. cluster name <CLUSTER-NAME>

name

<CLUSTER-NAME>

Configures the cluster name

<CLUSTER-NAME> Specify the cluster name. cluster radius-counter-db-sync-time <1-1440>

radius-counter-db-

sync-time <1-1440>

Configures the interval, in minutes, at which the RADIUS counter database is synchronized with the dedicated NTP server resource.

<1-1440> Specify a value from 1 - 1440 minutes. The default is 5 minutes. Use the show > cluster > configuration command to view RADIUS counter DB sync time. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 65 PROFILES Example rfs6000-37FABE(config-profile-default-rfs6000)#cluster name cluster1 rfs6000-37FABE(config-profile-default-rfs6000)#cluster member ip 172.16.10.3 rfs6000-37FABE(config-profile-default-rfs6000)#cluster mode active rfs6000-37FABE(config-profile-default-rfs6000)#show context profile rfs6000 default-rfs6000 bridge vlan 1 description Vlan1

....................................................................... cluster name cluster1 cluster member ip 172.16.10.3 cluster member vlan 1 rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands no Removes cluster member Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 66 PROFILES 7.1.14 configuration-persistence Profile Config Commands Enables configuration persistence across reloads. This option is enabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax configuration-persistence {auto|secure}

Parameters configuration-persistence {auto|secure}

auto secure Example Optional. Assigns default value based on the device type Optional. Ensures parts of a file that contain security information are not written during a reload rfs6000-37FABE(config-profile-default-rfs6000)#configuration-persistence secure rfs6000-37FABE(config-profile-default-rfs6000)#show context profile rfs6000 default-rfs6000 bridge vlan 1 no edge-vlan ip igmp snooping no ip igmp snooping unknown-multicast-fwd no ip igmp snooping mrouter learn pim-dvmrp autoinstall configuration autoinstall firmware

.......................................................................... cluster name cluster1 cluster member ip 1.2.3.4 level 2 cluster member ip 172.16.10.3 cluster member vlan 4094 cluster handle-stp cluster force-configured-state holdtime 1000 timer 900 configuration-persistence secure rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands no Disables automatic write up of startup configuration file Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 67 PROFILES 7.1.15 controller Profile Config Commands Configures the WiNG controller (wireless controller or service platform) adoption settings Adoption is the process a controller or service platform uses to discover available access points and/or peer controllers/service platforms, establish an association and provision the adopted device. Adoption settings are configurable and supported within a profile and applied to all devices supported by the profile. Use this command to add a controller to a pool and group. This command also enables and disables adoption on controllers, and specifies the device types that can be adopted by a controller. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax controller [adopted-devices|adoption|group|hello-interval|vlan|host]

controller adopted-devices [aps {controllers}|controllers {aps}|external-devices|

external-devices-monitoring-only]hel controller adoption controller [group <CONTROLLER-GROUP-NAME>|vlan <1-4094>]

controller hello-interval <1-120> adjacency-hold-time <2-600>

controller host [<IPv4>|<IPv6>|<HOSTNAME>] {ipsec-secure|level|pool|remote-vpn-

client}

controller host [<IPv4>|<IPv6>|<HOSTNAME>] {ipsec-secure} {gw [<IP>|<HOSTNAME>]}

controller host [<IPv4>|<IPv6>|<HOSTNAME>] {level [1|2]|pool <1-2> level [1|2]}

{ipsec-secure {gw [<IP>|<HOSTNAME>]}|remote-vpn-client}

controller host [<IPv4>|<IPv6>|<HOSTNAME>] {remote-vpn-client}

Parameters controller adopted-devices [aps {controllers}|controllers {aps}|external-

devices|external-devices-monitoring-only]

controller adopted-devices aps {controllers}

Configures the WLANs controller adoption settings Configures the types of device (AP/controller) this controller can adopt Enables the adoption of network access points by this controller. This option is enabled by default. controllers Optional. Enables the adoption of peer controllers by this controller All adopted devices (referred to as adoptee) receive complete configuration from the adopting controller (referred to as adopter). Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 68 PROFILES controllers {aps}

external-devices external-devices-

monitoring-only Enables the adoption of peer controllers by this controllers aps Optional. Enables the adoption of network access points by this controller A controller cannot be configured as an adoptee and an adopter simultaneously. In other words, an adopted controller (adoptee) cannot be configured to adopt another controller. Use the no > controller > adopted-devices command to remove this setting. Enables adoption of external devices by this controller. This option is disabled by default. When enabled, a WiNG controller can adopt and manage T5 controllers and EX3500 switches (using the IPX operating system) within a WiNG managed device subnet. This setting is disabled by default. To disable T5 or EX3500 adoption, use the no > controller > external-devices command. This feature is supported only on RFS4000, NX9500, NX9510, NX9600, and VX9000 platforms. Enables only monitoring of external devices by this controller or service platform. This option is disabled by default. controller adoption controller adoption Enables the adoption of the logged device (wireless controller or service platform) by other controllers. This option is disabled by default. Use the no > controller > adoption command to disable adoption. controller [group <CONTROLLER-GROUP-NAME>|vlan <1-4094>]

controller group

<CONTROLLER-

GROUP-NAME>

vlan <1-4094>

Configures the WLANs controller adoption settings Configures the wireless controller or service platform group

<CONTROLLER-GROUP-NAME> Specify the wireless controller or service platform group name. Configures the wireless controller or service platform VLAN

<1-4094> Specify the VLAN ID from 1 - 4094. controller hello-interval <1-120> adjacency-hold-time <2-600>

controller hello-interval <1-120>

adjacency-hold-time

<2-600>

Configures the WLANs controller settings Configures the hello-interval in seconds. This is the interval between consecutive hello packets exchanged between AP and wireless controller or service platform.

<1-120> Specify a value from 1 - 120 seconds. Configures the adjacency hold time in seconds. This is the time since the last received hello packet, after which the adjacency between wireless controller or service platform and AP is lost, and the link is re-established.

<2-600> Specify a value from 2 - 600 seconds. controller host [<IPv4>|<IPv6>|<HOSTNAME>] {ipsec-secure} {gw [<IP>|<HOSTNAME>]}

controller Configures the WLANs controller adoption settings Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 69 PROFILES host [<IPv4>|<IPv6>|

<HOSTNAME>]

ipsec-secure

{gw [<IP>|

<HOSTNAME>]}

Configures wireless controller or service platforms IPv4/IPv6 address or hostname

<IPv4> Configures wireless controller or service platforms IPv4 address

<IPv6> Configures wireless controller or service platforms IPv6 address

<HOSTNAME> Configures wireless controller or service platforms hostname Optional. Enables Internet Protocol Security (IPSec) peer authentication on the connection (link) between the adopting devices. This option is disabled by default. gw Optional. Specifies a IPSec gateway other than the wireless controller or service platform

<IP> Use this option to specify the IPSec gateways IP address.

<HOSTNAME> Use this option to specify the IPSec gateways hostname. If the gateways IP address or hostname is not specified, the system assumes the logged controller as the IPSec gateway. controller host [<IPv4>|<IPv6>|<HOSTNAME>] {level [1|2]|pool <1-2> level [1|2]}

{ipsec-secure {gw [<IP>|<HOSTNAME>]}|remote-vpn-client}

controller host [<IPv4>|<IPv6>|

<HOSTNAME>]

level [1|2]

pool <1-2> level [1|2]

{ipsec-secure

{gw [<IP>|

<HOSTNAME>]}|

remote-vpn-client}

Configures the WLANs controller adoption settings Configures wireless controller or service platforms IPv4/IPv6 address or name

<IPv4> Configures wireless controller or service platforms IPv4 address

<IPv6> Configures wireless controller or service platforms IPv6 address

<HOSTNAME> Configures wireless controller or service platforms name The following keywords are common to the IP, IPv6, and hostname parameters:

Optional. After providing the wireless controller or service platforms address, optionally select one of the following routing levels:

1 Optional. Level 1, local routing 2 Optional. Level 2, inter-site routing Note: After specifying the routing level, you can, optionally enable IPSec Secure authentication and remote VPN client. The following keywords are common to the IP, IPv6, and hostname parameters:

Optional. Sets the wireless controller or service platforms pool

<1-2> Select either 1 or 2 as the pool. The default is 1. After selecting the pool, optionally select one of the following two routing levels:

1 Optional. Level 1, local routing 2 Optional. Level 2, inter-site routing After specifying the routing level and or devices pool, you can optionally specify the following:

ipsec-secure Optional. Enables IPSec peer authentication on the connection (link) between the adopting devices. This option is disabled by default. gw Optional. Specifies a IPSec gateway other than the wireless controller or service platform

<IP> Use this option to specify the IPSec gateways IP address.

<HOSTNAME> Use this option to specify the IPSec gateways hostname. Note: If the gateways IP address or hostname is not specified, the system assumes the logged controller as the IPSec gateway. Contd.... Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 70 PROFILES remote-vpn-client Forces MiNT link creation protocol (MLCP) to use remote VPN connection on the controller The controller uses remote VPN tunnel for this traffic. If multiple controller hosts are configured, either all the hosts should use remote-vpn-client or none. When enabled, an MLCP connection is not initiated until remote VPN connection is UP and virtual IP, DNS server, source route, etc. are installed on the AP. controller host [<IPv4>|<IPv6>|<HOSTNAME>] {remote-vpn-client}

controller host [<IPv4>|<IPv6>|

<HOSTNAME>]

remote-vpn-client Configures the WLANs controller settings Configures wireless controller or service platforms IPv4/IPv6 address or hostname

<IP> Configures wireless controller or service platforms IPv4 address

<IPv6> Configures wireless controller or service platforms IPv6 address

<HOSTNAME> Configures wireless controller or service platforms name Forces MLCP to use remote VPN connection on the controller The controller uses remote VPN tunnel for this traffic. If multiple controller hosts are configured, either all the hosts should use remote-vpn-client or none. When enabled, an MLCP connection is not initiated until remote VPN connection is UP and virtual IP, DNS server, source route, etc. are installed on the AP. Example rfs6000-37FABE(config-profile-default-rfs6000)controller group test rfs6000-37FABE(config-profile-default-rfs6000)#controller host 1.2.3.4 pool 2 rfs7000-37FABE(config-profile-default-rfs7000)#show context profile rfs6000 default-rfs6000 no autoinstall configuration no autoinstall firmware crypto isakmp policy default crypto ipsec transform-set default esp-aes-256 esp-sha-hmac

.......................................................... interface ge4 ip dhcp trust qos trust dscp qos trust 802.1p use firewall-policy default controller host 1.2.3.4 pool 2 controller group test service pm sys-restart

--More--

rfs6000-37FABE(config-profile-default-rfs6000)#

rfs4000-229D58(config-profile-testRFS4000)#controller adopted-devices aps controllers rfs4000-229D58(config-profile-testRFS4000)#show context profile rfs4000 testRFS4000 autoinstall configuration

.................................................................... logging on service pm sys-restart router ospf controller adopted-devices aps controllers rfs4000-229D58(config-profile-testRFS4000)#

Related Commands no Disables or reverts settings to their default Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 71 PROFILES 7.1.16 critical-resource Profile Config Commands Enables monitoring of resources critical to the health of the service platform, wireless controller, or access point managed network. These critical resources are identified by their configured IP addresses. When enabled, the system monitors these devices regularly and logs their status. Use this command to create a critical resource monitoring (CRM) policy. A critical resource can be a gateway, AAA server, WAN interface, any hardware, or a service on which the stability of the network depends. Monitoring these resources is therefore essential. When enabled, this feature pings critical resources regularly to ascertain their status. If there is a connectivity issue, an event is generated stating a critical resource is unavailable. By default, there is no enabled critical resource policy and one needs to be created and implemented. Critical resources can be monitored directly through the interfaces on which they are discovered. For example, a critical resource on the same subnet as an AP8132 access point can be monitored by its IP address. However, a critical resource located on a VLAN must continue to be monitored on that VLAN. Critical resource monitoring can be enabled on service platforms, wireless controllers, and access points through their respective device profiles. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax critical-resource [<CR-NAME>|monitor|retry-count]

critical-resource <CR-NAME> [monitor|monitor-using-flows]

critical-resource <CR-NAME> monitor [direct|via]

critical-resource <CR-NAME> monitor direct [all|any] [<IP/HOST-ALIAS-NAME>|sync-

adoptees] {<IP/HOST-ALIAS-NAME>|arp-only vlan [<1-4094>|<VLAN-ALIAS-NAME>]{<IP/

HOST-ALIAS-NAME>|port [<LAYER2-IF-NAME>|ge <1-4>|port-channel <1-2>]}}

critical-resource <CR-NAME> monitor via [<IP/HOST-ALIAS-NAME>|<LAYER3-INTERFACE-

NAME>|pppoe1|vlan|wwan1]

critical-resource <CR-NAME> monitor via [<IP/HOST-ALIAS-NAME>|<LAYER3-INTERFACE-

NAME>|pppoe1|vlan <1-4094>|wwan1] [all|any] [<IP/HOST-ALIAS-NAME>|

sync-adoptees] {<IP/HOST-ALIAS-NAME>|arp-only [vlan <1-4094>|<VLAN-ALIAS-NAME>]

{<IP/HOST-ALIAS-NAME>|port [<LAYER2-IF-NAME>|ge <1-4>|port-channel <1-2>]}}

critical-resource <CR-NAME> monitor-using-flows [all|any]

[criteria|dhcp|dns|sync-adoptees]

critical-resource <CR-NAME> monitor-using-flows [all|any] criteria [all|cluster-

master|rf-domain-manager] (dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|

dns <IP/HOST-ALIAS-NAME>) {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-

ALIAS-NAME>}

critical-resource <CR-NAME> monitor-using-flows [all|any] dhcp vlan <1-4094> {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 72 PROFILES critical-resource <CR-NAME> monitor-using-flows [all|any] dns <IP/HOST-ALIAS-NAME>

{dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}

critical-resource <CR-NAME> monitor-using-flows [all|any] sync-adoptees criteria

[all|cluster-master|rf-domain-manager] (dhcp [vlan <1-4094>|<VLAN-ALIAS-

NAME>]|dns <IP/HOST-ALIAS-NAME>) {dhcp [vlan <1-4094>|

<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}

critical-resource monitor interval <5-86400>

critical-resource retry-count <0-10>

Parameters critical-resource <CR-NAME> monitor direct [all|any] [<IP/HOST-ALIAS-NAME>|sync-

adoptees] {<IP/HOST-ALIAS-NAME>|arp-only [vlan <1-4094>|<VLAN-ALIAS-NAME>] {<IP/

HOST-ALIAS-NAME>|port [<LAYER2-IF-NAME>|ge <1-4>|port-channel <1-2>]}}

<CR-NAME>

monitor direct [all|any]

[<IP/HOST-ALIAS-

NAME>|

sync-adoptees]

arp-only vlan [<1-4094>|<VLAN-

ALIAS-NAME>]

{<IP/HOST-ALIAS-

NAME>|

port [<LAYER2-

IFNAME>|ge|

port-channel]}

Identifies the critical resource to be monitored. Provide the name of the critical resource. Enables critical resource(s) monitoring Monitors critical resources using the default routing engine all Monitors all resources that are going down (generates an event when all specified critical resources are unreachable) any Monitors any resource that is going down (generates an event when any one of the specified critical resource is unreachable)

<IP/HOST-ALIAS-NAME> Configures the IP address of the critical resource being monitored (for example, the DHCP or DNS server). Specify the IP address in the A.B.C.D format. You can use a host-alias to identify the critical resource. If us-

ing a host-alias, ensure that the host-alias is existing and configured. sync-adoptees Syncs adopted access points with the controller. In the stand-

alone AP scenario, where the CRM policy is running on the AP, the AP is directly intimated in case a critical resource goes down. On the other hand, when an AP is adopted to a controller (running the CRM policy), it is essential to enable the sync-

adoptees option in order to sync the AP with the controller regarding the latest CRM status. The following keywords are common to the all and any parameters:

arp-only vlan <1-4094> Optional. Uses ARP to determine if the IP address is reachable (use this option to monitor resources that do not have IP addresses). ARP is used to resolve hardware addresses when only the network layer address is known. vlan [<1-4094>|<VLAN-ALIAS-NAME>] Specifies the VLAN ID on which to send the probing ARP requests. Specify the VLAN ID from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured.

<IP/HOST-ALIAS-NAME> Optional. Limits ARP to a device specified by the

<IP> parameter. You can use a host-alias to specify the IP address. If using a host-alias, ensure that the host-alias is existing and configured. port [<LAYER2-IF-NAME>|ge|port-channel] Optional. Limits ARP to a specified port Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 73 PROFILES critical-resource <CRM-POLICY-NAME> monitor via [<IP/HOST-ALIAS-NAME>|<LAYER3-

INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [all|any] [<IP/HOST-ALIAS-NAME>|

sync-adoptees] {<IP/HOST-ALIAS-NAME>|arp-only vlan [<1-4094>|<VLAN-ALIAS-NAME>]

{<IP>|port [<LAYER2-IFNAME>|ge|port-channel]}}

<CR-NAME>

monitor via Identifies the critical resource to be monitored. Provide the name of the critical resource. Enables critical resource(s) monitoring Specifies the interface or next-hop via which the ICMP pings should be sent. Configures the interface or next-hop via which ICMP pings are sent. This does not apply to IP addresses configured for arp-only. For interfaces which learn the default-gateway dynamically (like DHCP clients and PPP interfaces), use an interface name for VIA, or use an IP address.

<IP/HOST-ALIAS-NAME> Specify the IP address of the next-hop via which the critical resource(s) are monitored. Configures up to four IP addresses for monitoring. All the four IP addresses constitute critical resources. You can use a host-alias to specify the IP address. If using a host-alias, ensure that the host-alias is existing and configured. Specify the layer 3 Interface name (router interface)

<LAYER3-INTERFACE-

NAME>

pppoe1 vlan [<1-4094>|<VLAN-

ALIAS-NAME>]

wwan1

[all|any]

[<IP/HOST-ALIAS-

NAME>|

sync-adoptees]

arp-only vlan [<1-4094>|<VLAN-

ALIAS-NAME>]

{<IP/HOST-ALIAS-

NAME>|

port [<LAYER2-

IFNAME>|ge|

port-channel]}

Specifies PPP over Ethernet interface Specifies the wireless controller or service platforms VLAN interface. Specify VLAN ID from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured. Specifies Wireless WAN interface Monitors critical resources using the default routing engine all Monitors all resources that are going down (generates an event when all specified critical resource IP addresses are unreachable) any Monitors any resource that is going down (generates an event when any one of the specified critical resource IP address is unreachable)

<IP/HOST-ALIAS-NAME> Configures the IP address of the critical resource being monitored (for example, the DHCP or DNS server). Specify the IP address in the A.B.C.D format. You can use a host-alias to specify the IP address. If using a host-alias, ensure that the host-alias is existing and configured. sync-adoptees Syncs adopted access points with the controller. In the stand-

alone AP scenario, where the CRM policy is running on the AP, the AP is directly intimated in case a critical resource goes down. On the other hand, when an AP is adopted to a controller (running the CRM policy), it is essential to enable the sync-

adoptees option in order to sync the AP with the controller regarding the latest CRM status. The following keywords are common to the all and any parameters:

arp-only vlan <1-4094> Optional. Uses ARP to determine if the IP address is reachable (use this option to monitor resources that do not have IP addresses). ARP is used to resolve hardware addresses when only the network layer address is known. Contd.... Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 74 PROFILES vlan [<1-4094>|<VLAN-ALIAS-NAME>] Specifies the VLAN ID to send the probing ARP requests. Specify the VLAN ID from 1 - 4094. Alternately, use a vlan-

alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured.

<IPHOST-ALIAS-NAME> Optional. Limits ARP to a device specified by the

<IP> parameter. You can use a host-alias to specify the IP address. If using a host-alias, ensure that the host-alias is existing and configured. port [<LAYER2-IF-NAME>|ge|port-channel] Optional. Limits ARP to a specified port critical-resource <CRM-POLICY-NAME> monitor-using-flows [all|any] criteria

[all|cluster-master|rf-domain-manager] (dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|

dns <IP/HOST-ALIAS-NAME>) {dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-

ALIAS-NAME>}

<CR-NAME>

monitor-using-flows

[all|any]

Identifies the critical resource to be monitored. Provide the name of the critical resource. Enables critical resource(s) monitoring using message flows for DHCP or DNS

(DHCP discover, DHCP offer, etc.) instead of ICMP or ARP packets in order to reduce the amount of traffic on the network. Configures how critical resource event messages are generated. Options include all and any. all Monitors all resources that are going down (generates an event when all specified critical resources are unreachable) any Monitors any resource that is going down (generates an event when any one of the specified critical resource is unreachable) criteria

[all|cluster-master|

rf-domain-manager]

Configures the resource that will monitor critical resources and update the rest of the devices in a group. Options include all, rf-domain-manager, or cluster-master. all Configures all devices within a group (cluster or RF Domain) as the monitoring dhcp vlan [<1-4094>|

<VLAN-ALIAS-NAME>]

dns <IP/HOST-ALIAS-

NAME>

resource cluster-master Configures the cluster master as the monitoring resource rf-domain-manager Configures the RF Domain manager as the monitoring resource The following parameters are recursive and common to the all, cluster-master, and rf-domain-manager keywords:

dhcp Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability. vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured. The following parameters are recursive and common to the all, cluster-master, and rf-domain-manager keywords:

dns Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.

<IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the crit-

ical resource. Specify the IPv4 address or host alias name (should be existing and configured). Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 75 PROFILES

{dhcp [vlan <1-4094>|

<VLAN-ALIAS-NAME>]|

dns <IP/HOST-ALIAS-

NAME>}

The dhcp and dns parameters are recursive and you can optionally configure multiple VLANs and critical resource IPv4 addresses (or host alias names). dhcp Optional. Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability. vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured. dns Optional. Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.

<IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the crit-

ical resource. Specify the IPv4 address or host alias name (should be existing and configured). critical-resource <CRM-POLICY-NAME> monitor-using-flows [all|any] dhcp vlan [<1-

4094>|<VLAN-ALIAS-NAME>] {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-

ALIAS-NAME>}

<CR-NAME>

monitor-using-flows

[all|any]

dhcp vlan [<1-4094>|

<VLAN-ALIAS-NAME>]

{dhcp vlan [<1-4094>|

<VLAN-ALIAS-NAME>]|

dns <IP/HOST-ALIAS-

NAME>}

Identifies the critical resource to be monitored. Provide the name of the critical resource. Enables critical resource(s) monitoring using message flows for DHCP or DNS

(DHCP Discover, DHCP Offer, etc.) instead of ICMP or ARP packets in order to reduce the amount of traffic on the network. Configures how critical resource event messages are generated. Options include all and any. all Monitors all resources that are going down (generates an event when all specified critical resources are unreachable) any Monitors any resource that is going down (generates an event when any one of the specified critical resource is unreachable) Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability. vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured. The following parameters are recursive and optional. Use them to configure multiple VLANs and critical resource IPv4 addresses (or host alias names):

dhcp Optional. Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability. vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured. Contd... Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 76 PROFILES dns Optional. Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.

<IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the crit-

ical resource. Specify the IPv4 address or host alias name (should be existing and configured). critical-resource <CRM-POLICY-NAME> monitor-using-flows [all|any] dns <IP/HOST-

ALIAS-NAME> {dhcp vlan [<1-4094><VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}

<CR-NAME>

monitor-using-flows

[all|any]

dns <IP/HOST-ALIAS-

NAME>

{dhcp vlan [<1-4094>|

<VLAN-ALIAS-NAME>|

dns <IP/HOST-ALIAS-

NAME>}

Identifies the critical resource to be monitored. Provide the name of the critical resource. Enables critical resource(s) monitoring using message flows for DHCP or DNS

(DHCP Discover, DHCP Offer, etc.) instead of ICMP or ARP packets in order to reduce the amount of traffic on the network. Configures how critical resource event messages are generated. Options include all and any. all Monitors all resources that are going down (generates an event when all specified critical resources are unreachable) any Monitors any resource that is going down (generates an event when any one of the specified critical resource is unreachable) Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.

<IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (should be existing and configured). The following parameters are recursive and optional. Use them to configure multiple VLANs and critical resource IPv4 addresses (or host alias names):

dhcp Optional. Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability. vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured. dns Optional. Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.

<IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (should be existing and configured). critical-resource <CRM-POLICY-NAME> monitor-using-flows [all|any] sync-adoptees criteria [all|cluster-master|rf-domain-manager] (dhcp vlan [<1-4094>|<VLAN-ALIAS-

NAME>]|dns <IP/HOST-ALIAS-NAME>) {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/

HOST-ALIAS-NAME>}

<CR-NAME>

Identifies the critical resource to be monitored. Provide the name of the critical resource. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 77 PROFILES monitor-using-flows

[all|any]

syn-adoptees criteria

[all|cluster-master|

rf-domain-manager]

dhcp vlan [<1-4094>|

<VLAN-ALIAS-NAME>]

dns <IP/HOST-ALIAS-

NAME>

{dhcp vlan {<1-4094>|

<VLAN-ALIAS-NAME>]|

dns <IP/HOST-ALIAS-

NAME>}

Enables critical resource(s) monitoring using message flows for DHCP or DNS

(DHCP Discover, DHCP Offer, etc.) instead of ICMP or ARP packets in order to reduce the amount of traffic on the network. Configures how critical resource event messages are generated. Options include all and any. all Monitors all resources that are going down (generates an event when all specified critical resources are unreachable) any Monitors any resource that is going down (generates an event when any one of the specified critical resource is unreachable) Syncs adopted access points with the controller. In the stand-alone AP scenario, where the CRM policy is running on the AP, the AP is directly intimated in case a critical resource goes down. On the other hand, when an AP is adopted to a controller (running the CRM policy), it is essential to enable the sync-adoptees option in order to sync the AP with the controller regarding the latest CRM status. Configures the resource that will monitor critical resources and update the rest of the devices in a group. Options include all, rf-domain-manager, or cluster-master. all Configures all devices within a group (cluster or RF Domain) as the monitoring resource cluster-master Configures the cluster master as the monitoring resource rf-domain-manager Configures the RF Domain manager as the monitoring resource The following parameters are recursive and common to the all, cluster-master, and rf-domain-manager keywords:

dhcp Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability. vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured. The following parameters are recursive and common to the all, cluster-master, and rf-domain-manager keywords:

dns Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.

<IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (should be existing and configured). The dhcp and dns parameters are recursive and you can optionally configure multiple VLANs and critical resource IPv4 addresses (or host alias names). dhcp Optional. Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability. vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured. Contd... Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 78 PROFILES dns Optional. Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.

<IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (should be existing and configured). critical-resource monitor interval <5-86400>

monitor interval

<5-86400>

Configures the critical resource monitoring frequency. This is the interval between two successive pings to the critical resource being monitored.

<5-86400> Specifies the frequency in seconds. Specify the time from 5 - 86400 seconds. The default is 30 seconds. critical-resource retry-count <0-10>

retry-count <0-10>

Configures the maximum number of failed attempts allowed to connect to a critical resource, using DHCP/DNS message flows, before marking it as down

<0-10> Specifies the maximum number of retries from 0 - 10. The default value is 3 attempts. Example nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#critical-resource test monitor direct all 192.168.13.10 arp-only vlan 1 nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#critical-resource monitor interval 40 nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context rfs6000 B4-C7-99-6D-B5-D4 use profile default-rfs6000 use rf-domain default hostname rfs6000-6DB5D4 license AP 6c781f42a3638757d8849c38268b4ea48e483e2f986ae392ebbcdd6a8f6f309443e93ad3123c3d76 mint mlcp ip ip default-gateway 192.168.13.2 interface vlan1 ip address 192.168.13.16/24 ip dhcp client request options all cluster mode standby cluster member ip 192.168.13.16 level 1 controller host 192.168.13.13 critical-resource monitor interval 40 critical-resource test monitor direct all 192.168.13.10 arp-only vlan 1 nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 79 PROFILES 7.1.17 crypto Profile Config Commands Use the crypto command to define a system-level local ID for Internet Security Association and Key Management Protocol (ISAKMP) negotiation and to enter the ISAKMP policy, ISAKMP client, or ISAKMP peer command set. The following table summarizes crypto configuration mode commands:

Command crypto crypto-auto-

ipsec-tunnel commands crypto-ikev1/

ikev2-policy commands crypto-ikev1/

ikev2-peer commands crypto-map-

config-

commands crypto-remote-

vpn-client commands Description Invokes commands used to configure ISAKMP policy, ISAKMP client, and ISAKMP peer Creates an auto IPSec VPN tunnel and enters its configuration mode Reference page 7-81 page 7-87 Creates a crypto IKEv1/IKEv2 policy and enters its configuration mode page 7-94 Creates a IKEv1/IKEv2 peer and enters its configuration mode page 7-103 Creates a crypto map and enters its configuration mode page 7-111 Creates a remote VPN client and enters its configuration mode page 7-136 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 80 PROFILES 7.1.17.1 crypto crypto Use the crypto command to define a system-level local ID for ISAKMP negotiation and enter the ISAKMP policy, ISAKMP client, or ISAKMP peer configuration mode. A crypto map entry is a single policy that describes how certain traffic is secured. There are two types of crypto map entries: ipsec-manual and ipsec-ike entries. Each entry is given an index (used to sort the ordered list). When a non-secured packet arrives on an interface, the crypto map associated with that interface is processed (in order). If a crypto map entry matches the non-secured traffic, the traffic is discarded. When a packet is transmitted on an interface, the crypto map associated with that interface is processed. The first crypto map entry that matches the packet is used to secure the packet. If a suitable Security Association (SA) exists, it is used for transmission. Otherwise, IKE is used to establish a SA with the peer. If no SA exists (and the crypto map entry is respond only), the packet is discarded. When a secured packet arrives on an interface, its Security Parameter Index (SPI) is used to look up a SA. If a SA does not exist (or if the packet fails any of the security checks), it is discarded. If all checks pass, the packet is forwarded normally. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax crypto [auto-ipsec-secure|enable-ike-uniqueids|ike-version|ikev1|ikev2|ipsec|

load-management|map|pki|plain-text-deny-acl-scope|remote-vpn-client]

crypto [auto-ipsec-secure|enable-ike-uniqueids|load-management]

crypto ike-version [ikev1-only|ikev2-only]

crypto ikev1 [dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-

3600>|peer <IKEV1-PEER>|policy <IKEV1-POLICY-NAME>|remote-vpn]

crypto ikev2 [cookie-challenge-threshold <1-100>|dpd-keepalive <10-3600>|

dpd-retries <1-100>|nat-keepalive <10-3600>|peer <IKEV2-PEER>|policy <IKEV2-

POLICY-NAME>|remote-vpn]

crypto ipsec [df-bit|security-association|transform-set]

crypto ipsec df-bit [clear|copy|set]

crypto ipsec security-association lifetime [kilobytes <500-2147483646>|seconds

<120-86400>]

crypto ipsec transform-set <TRANSFORM-SET-TAG> [esp-3des|esp-aes|esp-aes-192|

esp-aes-256|esp-des|esp-null] [esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|esp-

sha256-hmac]

crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]

crypto pki import crl <TRUSTPOINT-NAME> URL <1-168>

crypto plain-text-deny-acl-scope [global|interface]

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 81 PROFILES crypto remote-vpn-client Parameters crypto [auto-ipsec-secure|enable-ike-uniqueids|load-management]

auto-ipsec-secure enable-ike-uniqueids load-management Configures the Auto IPSec Secure parameter settings. For Auto IPSec tunnel configuration commands, see crypto-auto-ipsec-tunnel commands. Enables Internet Key Exchange (IKE) unique ID check For more information on IKE unique IDs, see remotegw. Configures load management for platforms using software cryptography crypto ike-version [ikev1-only|ikev2-only]

ike-version

[ikev1-only|ikev2-only]

Selects and starts the IKE daemon ikev1-only Enables support for IKEv1 tunnels only ikev2-only Enables support for IKEv2 tunnels only crypto ikev1 [dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-

3600>|peer <IKEV1-PEER>|policy <IKEV1-POLICY-NAME>|remote-vpn]

ikev1 dpd-keepalive

<10-3600>

dpd-retries <1-1000>

nat-keepalive

<10-3600>

peer <IKEV1-PEER>

policy

<IKEV1-POLICY-NAME>

remote-vpn Configures the IKE version 1 parameters Sets the global Dead Peer Detection (DPD) keep alive interval from 10 - 3600 seconds. This is the interval between successive IKE keep alive messages sent to detect if a peer is dead or alive. The default is 30 seconds. Sets the global DPD retries count from 1 - 1000. This is the number of keep alive messages sent to a peer before the tunnel connection is declared as dead. The default is 5. Sets the global NAT keep alive interval from 10 - 3600 seconds. This is the interval between successive NAT keep alive messages sent to detect if a peer is dead or alive. The default is 20 seconds. Specify the name/Identifier for the IKEv1 peer. For IKEV1 peer configuration commands, see crypto-ikev1/ikev2-peer commands. Configures an ISKAMP policy. Specify the name of the policy. The local IKE policy and the peer IKE policy must have matching group settings for successful negotiations. For IKEV1 policy configuration commands, see crypto-ikev1/ikev2-policy commands. Specifies the IKEV1 remote-VPN server configuration (responder only) crypto ikev2 [cookie-challenge-threshold <1-100>|dpd-keepalive <10-3600>|dpd-

retries <1-100>|nat-keepalive <10-3600>|peer <IKEV2-PEER>|policy <IKEV2-POLICY-

NAME>|remote-vpn]

ikev2 cookie-challenge-

threshold <1-100>

dpd-keepalive

<10-3600>

dpd-retries <1-100>

nat-keepalive

<10-3600>

Configures the IKE version 2 parameters Starts the cookie challenge mechanism after the number of half open IKE SAs exceeds the specified limit. Specify the limit from 1 - 100. The default is 5. Sets the global DPD keepalive interval from 10 - 3600 seconds. The default is 30 seconds. Sets the global DPD retries count from 1 - 100. The default is 5. Sets the global NAT keepalive interval from 10 - 3600 seconds. The default is 20 seconds. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 82 PROFILES peer <IKEV2-PEER>

policy

<IKEV2-POLICY-NAME>

remote-vpn Specify the name/Identifier for the IKEv2 peer Configures an ISKAMP policy. Specify the policy name. The local IKE policy and the peer IKE policy must have matching group settings for successful negotiations. Specifies an IKEv2 remote-VPN server configuration (responder only) crypto ipsec df-bit [clear|copy|set]

ipsec df-bit [clear|copy|set]

Configures the IPSec policy parameters Configures Dont-Fragment (DF) bit handling for encapsulating header. The options are:

clear Clears the DF bit in the outer header and ignores in the inner header copy Copies the DF bit from the inner header to the outer header. This is the default setting. set Sets the DF bit in the outer header crypto ipsec security-association lifetime [kilobytes <500-2147483646>|seconds

<120-86400>]

ipsec security-association lifetime

[kilobyte |seconds]

Configures the IPSec policy parameters Configures the IPSec SAs parameters Defines the IPSec SAs lifetime (in kilobytes and/or seconds). Values can be entered in both kilobytes and seconds, which ever limit is reached first, ends the SA. When the SA lifetime ends it is renegotiated as a security measure. kilobytes Specifies a volume-based key duration (minimum is 500 KB and maximum is 2147483646 KB)

<500-2147483646> Specify a value from 500 - 2147483646 KB. The default is 4608000 KB. seconds Specifies a time-based key duration (minimum is 120 seconds and maximum is 86400 seconds)

<120-86400> Specify a value from 120 - 86400 seconds. The default is 3600 seconds. The security association lifetime can be overridden under crypto maps. crypto ipsec transform-set <TRANSFORM-SET-TAG> [esp-3des|esp-aes|esp-aes-192|

esp-aes-256|esp-des|esp-null] [esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|esp-

sha256-hmac]

ipsec transform-set

<TRANSFORM-SET-

TAG>

esp-3des Configures the IPSec policy parameters Defines the transform set configuration (authentication and encryption) for securing data. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic.

<TRANSFORM-SET-TAG> Specify the transform set name. After specifying the transform set used by the IPSec transport connection, set the encryption method and the authentication scheme used with the transform set. The encryption methods are: DES, 3DES, AES, AES-192 and AES-256. Note: The authentication schemes available are: esp-md5-hmac and esp-sha-hmac. Configures the ESP transform using 3DES cipher (168 bits). The transform set is assigned to a crypto map using the maps set > transform-set command. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 83 PROFILES esp-aes esp-aes-192 esp-aes-256 esp-des esp-null

[esp-aes-xcbc-mac|

esp-md5-hmac|

esp-sha-hmac|

esp-sha256-hmac]

Configures the ESP transform using Advanced Encryption Standard (AES) cipher. The transform set is assigned to a crypto map using the maps set > transform-set command. Configures the ESP transform using AES cipher (192 bits). The transform set is assigned to a crypto map using the maps set > transform-set command. Configures the ESP transform using AES cipher (256 bits). The transform set is assigned to a crypto map using the maps set > transform-set command. This is the default setting. Configures the ESP transform using Data Encryption Standard (DES) cipher (56 bits). The transform set is assigned to a crypto map using the maps set >

transform-set command. Configures the ESP transform with no encryption The following keywords are common to all of the above listed transform sets. After specifying the transform set type, configure the authentication scheme used to validate identity credentials. The options are:

esp-aes-xcbc-mac Configures ESP transform using AES-XCBC authorization esp-md5-hmac Configures ESP transform using HMAC-MD5 authorization esp-sha-hmac Configures ESP transform using HMAC-SHA authorization. This is the default setting. esp-sha256-hmac Configures ESP transform using HMAC-SHA256 authorization crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]

map

<CRYPTO-MAP-TAG>

<1-1000>

ipsec-isakmp

{dynamic}

ipsec-manual Configures the crypto map, a software configuration entity that selects data flows that require security processing. The crypto map also defines the policy for these data flows.

<CRYPTO-MAP-TAG> Specify a name for the crypto map. The name should not exceed 32 characters. For crypto map configuration commands, see crypto-map-

ipsec-manual-instance. Defines the crypto map entry sequence. Each crypto map uses a list of entries, each entry having a specific sequence number. Specifying multiple sequence numbers within the same crypto map provides the flexibility to connect to multiple peers from the same interface. Specify a value from 1 - 1000. Configures IPSEC w/ISAKMP. dynamic Optional. Configures dynamic map entry (remote VPN configuration) for XAUTH with mode-config or ipsec-l2tp configuration Configures IPSEC w/manual keying. Remote configuration is not allowed for manual crypto map. crypto pki import crl <TRUSTPOINT-NAME> <URL> <1-168>

pki import Configures certificate parameters. The Public Key Infrastructure (PKI) protocol creates encrypted public keys using digital certificates from certificate authorities. Imports a trustpoint related configuration Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 84 PROFILES crl

<TRUSTPOINT-NAME>

<URL>

<1-168>

Imports a Certificate Revocation List (CRL). Imports a trustpoint including either a private key and server certificate or a certificate authority (CA) certificate or both. A CRL is a list of revoked certificates that are no longer valid. A certificate can be revoked if the CA had improperly issued a certificate, or if a private-key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key.

<TRUSTPOINT-NAME> Specify the trustpoint name. Specify the CRL source address in the following format. Both IPv4 and IPv6 address formats are supported. tftp://<hostname|IPv4 or IPv6>[:port]/path/file ftp://<user>:<passwd>@<hostname|IPv4 or IPv6>[:port]/path/file sftp://<user>:<passwd>@<hostname|IPv4 or IPv6>[:port]>/path/file http://<hostname|IPv4 or IPv6>[:port]/path/file cf:/path/file usb<n>:/path/file Sets command replay duration from 1 - 168 hours. This is the interval (in hours) after which devices using this profile copy a CRL file from an external server and associate it with a trustpoint. crypto plain-text-deny-acl-scope [global|interface]

Configures plain-text-deny-acl-scope parameters plain-text-deny-acl-

scope global interface Applies the plain text deny ACL globally. This is the default setting. Applies the plain text deny ACL to the interface only crypto remote-vpn-client remote-vpn-client Configures remote VPN client settings. For more information, see crypto-remote-

vpn-client commands. Example rfs6000-37FABE(config-profile-default-rfs6000)#crypto ipsec transform-set tpsec-

tag1 esp-aes-256 esp-md5-hmac rfs6000-37FABE(config-profile-default-rfs6000)#crypto map map1 10 ipsec-isakmp dynamic rfs6000-37FABE(config-profile-default-rfs6000)#crypto plain-text-deny-acl-scope interface rfs6000-37FABE(config-profile-default-rfs6000)#show context profile rfs6000 default-rfs6000 bridge vlan 1 tunnel-over-level2 ip igmp snooping ip igmp snooping querier no autoinstall configuration no autoinstall firmware device-upgrade persist-images crypto ikev1 dpd-retries 1 crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac crypto map map1 10 ipsec-isakmp dynamic crypto ikev1 remote-vpn Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 85 PROFILES crypto ikev2 remote-vpn crypto auto-ipsec-secure crypto plain-text-deny-acl-scope interface interface radio1 interface radio2 interface up rfs6000-37FABE(config-profile-default-rfs6000)#

rfs6000-37FABE(config-profile-default-rfs6000)#crypto ipsec transform-set tag1 esp-null esp-md5-hmac rfs6000-37FABE(config-profile-default-rfs6000-transform-set-tag1)#?

Crypto Ipsec Configuration commands:

mode Encapsulation mode (transport/tunnel) no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-37FABE(config-profile-default-rfs6000-transform-set-tag1)#

Related Commands no Disables or reverts settings to their default Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 86 PROFILES 7.1.17.2 crypto-auto-ipsec-tunnel commands crypto Creates an auto IPSec VPN tunnel and changes the mode to auto-ipsec-secure mode for further configuration Auto IPSec tunneling provides a secure tunnel between two networked peer controllers or service platforms and associated access points that are within a range of valid IP addresses. You can define which packets are sent within the tunnel, and how they are protected. When a tunneled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination or associated access point. Tunnels are sets of SA between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunneled peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are established per the rules and conditions of defined security protocols (AH or ESP). The IKE protocol is a key management protocol used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE enables secure communications without time consuming manual pre-configuration for auto IPSec tunneling. rfs7000-37FABE(config-profile-default-rfs7000)#crypto auto-ipsec-secure rfs7000-37FABE(config-profile-default-rfs7000-crypto-auto-ipsec-secure)#?

Crypto Auto IPSEC Tunnel commands:

groupid Local/Remote identity and Authentication credentials for Auto IPSec Secure IKE negotiation ike-lifetime Set lifetime for ISAKMP security association ikev2 IKEv2 configuration commands ip Internet Protocol config commands no Negate a command or set its defaults remotegw Auto IPSec Secure Remote Peer IKE clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs7000-37FABE(config-profile-default-rfs7000-crypto-auto-ipsec-secure)#

The following table summarizes the crypto IPSec auto tunnel configuration mode commands:

Command groupid ip ike-lifetime ikev2 remotegw no Description Specifies the identity string used for IKE authentication Enables the controller or service platform to uniquely identify APs and the hosts present in the APs subnet Configures the IKE SAs key lifetime in seconds Enables the forced re-authentication of IKEv2 peer Defines the IKE version used for an auto IPSec tunnel using secure gateways Removes or reverts the crypto auto IPSec tunnel settings Reference page 7-88 page 7-89 page 7-90 page 7-91 page 7-92 page 7-93 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 87 PROFILES 7.1.17.2.1 groupid crypto-auto-ipsec-tunnel commands Specifies the identity string used for IKE authentication Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax groupid <WORD> [psk|rsa]

groupid <WORD> [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]

Parameters groupid <WORD> [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]

<WORD>

psk [0 <WORD>|

2 <WORD>|

<WORD>]

rsa Specify a string not exceeding 64 characters. This is the group identity used for IKE exchange for auto IPSec secure peers. After providing a group ID, specify the authentication method used to authenticate peers on the auto IPSec secure tunnel. The options are: psk and rsa. Configures the pre-shared key (PSK) as the authentication type for secure peer authentication on the auto IPSec secure tunnel 0 <WORD> Configures a clear text key 2 <WORD> Configures an encrypted key

<WORD> Specify a string value from 8 - 21 characters. Configures the Rivest-Shamir-Adleman (RSA) key. RSA is an algorithm for public key cryptography. It is the first algorithm known to be suitable for signing, as well as encryption. This is the default setting. NOTE: Only one group ID is supported on the controller or service platform. All APs, controllers, and service platform must use the same group ID. Example rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#groupid testgroup@123 rsa rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#show context crypto auto-ipsec-secure groupid testgroup@123 rsa rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 88 PROFILES 7.1.17.2.2 ip crypto-auto-ipsec-tunnel commands Enables the controller to uniquely identify APs and the hosts present in the APs subnet. This allows the controller to correctly identify the destination host and create a dynamic site-to-site VPN tunnel between the host and the private network behind the controller. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ip nat crypto Parameters ip nat crypto ip nat crypto Enables unique identification of APs and the hosts present in each APs subnet Providing a unique ID enables the access point, wireless controller, or service platform to uniquely identify the destination device. This is essential in networks where there are multiple APs behind a router, or when two (or more) APs behind two

(or more) different routers have the same IP address. Further, the same subnet exists behind these APs. For example, let us consider a scenario where there are two APs (A and B) behind two routers (1 and 2). AP A is behind router 1. And AP B is behind router 2. Both these APs have the same IP address (192.168.13.8). The subnet behind APs A and B is also the same (100.1.1.0/24). In such a scenario the controller fails to uniquely identify the hosts present in either APs subnet. For more information, see remotegw and crypto. Example rfs4000-229D58config-profile-testRFS4000-crypto-auto-ipsec-secure)#ip nat crypto rfs4000-229D58config-profile-testRFS4000-crypto-auto-ipsec-secure)#show context crypto auto-ipsec-secure remotegw ike-version ikev2 uniqueid ip nat crypto rfs4000-229D58config-profile-testRFS4000-crypto-auto-ipsec-secure)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 89 PROFILES 7.1.17.2.3 ike-lifetime crypto-auto-ipsec-tunnel commands Configures the IKE SAs key lifetime in seconds The lifetime defines how long a connection (encryption/authentication keys) should last, from successful key negotiation to expiration. Two peers need not exactly agree on the lifetime, though if they do not, there is some clutter for a superseded connection on the peer defining the lifetime as longer. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ike-lifetime <600-86400>

Parameters ike-lifetime <600-86400>

ike-lifetime

<600-86400>

Sets the IKE SAs key lifetime in seconds

<600-86400> Specify a value fro m 600 - 86400 seconds. The default is 8600 seconds. Example rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#ike-lifetime 800 rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#show context crypto auto-ipsec-secure ike-lifetime 800 rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 90 PROFILES 7.1.17.2.4 ikev2 crypto-auto-ipsec-tunnel commands Enables the forced IKEv2 peer re-authentication. This option is disabled by default. In most IPSec tunnel configurations, the lifetime of IKE SAs between peers is limited. Once the IKE SA key expires it is renegotiated. In such a scenario, the IKEv2 tunnel peers may or may not re-authenticate themselves. When enabled, IKE tunnel peers have to re-authenticate each time the IKE SA is renegotiated. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ikev2 peer reauth Parameters ikev2 peer reauth ikev2 peer reauth Enables IKEv2 peer re-authentication. When enabled, IKE tunnel peers are forced to re-authenticate each time the IKE key is renegotiated. Example rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#ikev2 peer reauth Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 91 PROFILES 7.1.17.2.5 remotegw crypto-auto-ipsec-tunnel commands Defines the IKE version used for auto IPSEC tunnel negotiation with the IPSec remote gateway other than the controller Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax remotegw ike-version [ikev1-aggr|ikev1-main|ikev2] {uniqueid}

Parameters remotegw ike-version [ikev1-aggr|ikev1-main|ikev2] {uniqueid}

remotegw ike-version ikev1-aggr ikev1-main ikev2 uniqueid Configures the IKE version used for initiating auto IPSec tunnel with secure gateways other than the controller Aggregation mode is used by the auto IPSec tunnel initiator to set up the connection Main mode is used by the auto IPSec tunnel initiator to establish the connection IKEv2 is the preferred method when wireless controller/AP only is used This keyword is common to all of the above parameters. uniqueid Optional. Enables the assigning of a unique ID to APs (using this profile) behind a router by prefixing the MAC address to the group ID Providing a unique ID enables the access point, wireless controller, or service platform to uniquely identify the destination device. This is essential in networks where there are multiple APs behind a router, or when two (or more) APs behind two

(or more) different routers have the same IP address. For example, let us consider a scenario where there are two APs (A and B) behind two routers (1 and 2). AP A is behind router 1. And AP B is behind router 2. Both these APs have the same IP address (192.168.13.8). In such a scenario, the controller fails to establish an Auto IPSec VPN tunnel to either APs, because it is unable to uniquely identify them. After enabling unique ID assignment, enable IKE unique ID check. For more information, see crypto. Example rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#remotegw ike-version ikev2 uniqueid rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#show context crypto auto-ipsec-secure remotegw ike-version ikev2 uniqueid rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 92 PROFILES 7.1.17.2.6 no crypto-auto-ipsec-tunnel commands Removes or resets this auto IPSec tunnel settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [groupid|ike-lifetime|ikev2 peer reauth|ip nat crypto]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or resets this auto IPSec tunnels settings based on the parameters passed Example The following example shows the Auto IPSec VLAN bridge settings before the no command is executed:

rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#show context crypto auto-ipsec-secure groupid testpassword@123 rsa rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#

rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#no groupid The following example shows the Auto IPSec VLAN bridge settings after the no command is executed:

rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#show context crypto auto-ipsec-secure rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 93 PROFILES 7.1.17.3 crypto-ikev1/ikev2-policy commands crypto Defines crypto-IKEv1/IKEv2 commands in detail IKE protocol is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs and enables secure communications without time consuming manual pre-configuration. Use the (config) instance to configure IKEv1/IKEv2 policy configuration commands. To navigate to the IKEv1/IKEv2 policy config instance, use the following commands:

<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>

<DEVICE>(config-profile-<PROFILE-NAME>)#crypto ikev1/ikev2 policy <IKEV1/IKEV2-

POLICY-NAME>

rfs7000-37FABE(config-profile-default-rfs7000)#crypto ikev1 policy ikev1-

testpolicy rfs7000-37FABE(config-profile-default-rfs7000-ikev1-policy-ikev1-testpolicy)#?

Crypto IKEv1 Policy Configuration commands:

dpd-keepalive Set Dead Peer Detection interval in seconds dpd-retries Set Dead Peer Detection retries count isakmp-proposal Configure ISAKMP Proposals lifetime Set lifetime for ISAKMP security association mode IKEv1 mode (main/aggressive) no Negate a command or set its defaults clrscr Clears the display screen commit Commit all changes made in this session end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs7000-37FABE(config-profile-default-rfs7000-ikev1-policy-ikev1-testpolicy)#

rfs7000-37FABE(config-profile-test-ikev2-policy-ikev2-testpolicy)#?

Crypto IKEv2 Policy Configuration commands:

dpd-keepalive Set Dead Peer Detection interval in seconds isakmp-proposal Configure ISAKMP Proposals lifetime Set lifetime for ISAKMP security association no Negate a command or set its defaults sa-per-acl Setup single SA for all rules in the ACL (ONLY APPLICABLE FOR SITE-TO-SITE VPN) clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs7000-37FABE(config-profile-test-ikev2-policy-ikev2-testpolicy)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 94 PROFILES NOTE: IKEv2 being an improved version of the original IKEv1 design, is recommended in most deployments. IKEv2 provides enhanced cryptographic mechanisms, NAT and firewall traversal, attack resistance, etc. The following table summarizes crypto IKEv1/iKEv2 configuration mode commands:

Command dpd-keepalive dpd-retries isakmp-

proposal lifetime mode no Description Sets DPD keep alive packet interval Sets the maximum number of attempts for sending DPD keep alive packets (applicable only to the IKEv1 policy) Configures ISAKMP proposals Specifies how long an IKE SA is valid before it expires Sets the mode of the tunnels (applicable only to the IKEv1 policy) Removes or reverts IKEv1/IKEv2 policy settings Reference page 7-96 page 7-97 page 7-98 page 7-100 page 7-101 page 7-102 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 95 PROFILES 7.1.17.3.1 dpd-keepalive crypto-ikev1/ikev2-policy commands Sets the DPD keep-alive packet interval Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dpd-keepalive <10-3600>

Parameters dpd-keepalive <10-3600>

<10-3600>

Specifies the interval, in seconds, between successive DPD keep alive packets.The IKE keep alive message is used to detect a dead peer on the remote end of the IPSec VPN tunnel. Specify the time from 10 - 3600 seconds. The default is 30 seconds. Example rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

dpd-keepalive 11 rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-testpolicy)#show context crypto ikev1 policy testpolicy dpd-keepalive 11 isakmp-proposal default encryption aes-256 group 2 hash sha rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-testpolicy)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 96 PROFILES 7.1.17.3.2 dpd-retries crypto-ikev1/ikev2-policy commands Sets the maximum number of times DPD keep-alive packets are sent to a peer. Once this value is exceeded, without a response from the peer, the VPN tunnel connection is declared dead. This option is available only for the IKEv1 policy. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dpd-retries <1-100>

Parameters dpd-retries <1-100>

<1-100>

Declares a peer dead after the specified number of retries. Specify a value from 1 - 100. The default is 5. Example rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

dpd-retries 10 rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

show context crypto ikev1 policy testpolicy dpd-keepalive 11 dpd-retries 10 isakmp-proposal default encryption aes-256 group 2 hash sha rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 97 PROFILES 7.1.17.3.3 isakmp-proposal crypto-ikev1/ikev2-policy commands Configures ISAKMP proposals and their parameters Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax isakmp-proposal <WORD> encryption [3des|aes|aes-192|aes-256] group [14|2|5] hash

[aes-xcbc-mac|md5|sha|sha256]

Parameters isakmp-proposal <WORD> encryption [3des|aes|aes-192|aes-256] group [14|2|5] hash

[aes-xcbc-mac|md5|sha|sha256]

<WORD>

encryption

[3des|aes|aes-192|

aes-256]

group [14|2|5]

hash

[maes-xcbc-mac|

md5|sha|sha256]

Assigns the target peer (tunnel destination) a 32 character maximum name to distinguish it from others with a similar configuration. Configures the encryption method used by the tunneled peers to securely inter-

operate 3des Configures triple data encryption standard aes Configures AES (128 bit keys) aes-192 Configures AES (192 bit keys) aes-256 Configures AES (256 bit keys). This is the default setting. Specifies the Diffie-Hellman (DH) group identifier used by VPN peers to derive a shared secret password without having to transmit. DH groups determine the strength of the key used in key exchanges. The higher the group number, the stronger and more secure the key. Options include 2, 5 and 14. 14 Configures DH group 14 2 Configures DH group 2. This is the default setting. 5 Configures DH group 5 Specifies the hash algorithm used to authenticate data transmitted over the IKE SA. The hash algorithm specified here is used by VPN peers to exchange credential information. aes-xcbc-mac Uses AES XCBC Auth hash algorithm. This option is applicable only to the IKEv2 policy configuration context. md5 Uses Message Digest 5 (MD5) hash algorithm sha Uses Secure Hash Authentication (SHA) hash algorithm. This is the default setting. sha256 Uses Secure Hash Standard 2 algorithm Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 98 PROFILES Example rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

isakmp-proposal testproposal encryption aes group 2 hash sha rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

show context crypto ikev1 policy testpolicy dpd-keepalive 11 dpd-retries 10 isakmp-proposal default encryption aes-256 group 2 hash sha isakmp-proposal testpraposal encryption aes group 2 hash sha rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 99 PROFILES 7.1.17.3.4 lifetime crypto-ikev1/ikev2-policy commands Specifies how long an IKE SA (encryption/authentication keys) is valid. The value specified is the validity period of the IKE SA from successful key negotiation to expiration. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax lifetime <600-86400>

Parameters lifetime <600-86400>

lifetime <600-86400> Specifies how many seconds an IKE SA lasts before it expires. Set a time stamp from 600 - 86400 seconds.

<600-86400> Specify a value from 600 - 86400 seconds. The default is 86400 seconds. Example rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

lifetime 655 rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

show context crypto ikev1 policy testpolicy dpd-keepalive 11 dpd-retries 10 lifetime 655 isakmp-proposal default encryption aes-256 group 2 hash sha isakmp-proposal testpraposal encryption aes group 2 hash sha rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 100 PROFILES 7.1.17.3.5 mode crypto-ikev1/ikev2-policy commands Configures the IPSec mode of operation for the IKEv1 policy. This option is not available for IKEv2 policy. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mode [aggresive|main]

Parameters mode [aggresive|main]

mode [aggresive|main] Sets the mode of the tunnels aggressive Initiates the aggressive mode main Initiates the main mode If configuring the IKEv1 IPSec policy, define the IKE mode as either main or aggressive. In the aggressive mode, 3 messages are exchanged between the IPSec peers to setup the SA. On the other hand, in the main mode, 6 messages are exchanged. The default setting is main. Example rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

mode aggressive rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

show context crypto ikev1 policy testpolicy dpd-keepalive 11 dpd-retries 10 lifetime 655 isakmp-proposal default encryption aes-256 group 2 hash sha isakmp-proposal testpraposal encryption aes group 2 hash sha mode aggressive rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 101 PROFILES 7.1.17.3.6 no crypto-ikev1/ikev2-policy commands Removes or reverts IKEv1/IKEv2 policy settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [dpd-keepalive|dpd-retries|isakmp-proposal <WORD>|lifetime|mode]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or reverts this IKEv1/IKEv2 policy settings based on parameters passed Example The following example shows the IKEV1 Policy settings before the no commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

show context crypto ikev1 policy testpolicy dpd-keepalive 11 dpd-retries 10 lifetime 655 isakmp-proposal default encryption aes-256 group 2 hash sha isakmp-proposal testpraposal encryption aes group 2 hash sha mode aggressive rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#no mode rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#no dpd-keepalive rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#no dpd-retries The following example shows the IKEV1 Policy settings after the no commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

show context crypto ikev1 policy testpolicy lifetime 655 isakmp-proposal default encryption aes-256 group 2 hash sha isakmp-proposal testpraposal encryption aes group 2 hash sha rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 102 PROFILES 7.1.17.4 crypto-ikev1/ikev2-peer commands crypto Use the (config) instance to configure IKEv1/IKEv2 peer configuration commands. To navigate to the IKEv1/

IKEv2 peer config instance, use the following commands:

<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>

<DEVICE>(config-profile-<PROFILE-NAME>)#crypto ikev1/ikev2 peer <IKEV1/IKEV2-

PEER-NAME>

rfs7000-37FABE(config-profile-default-rfs7000)#crypto ikev1 peer peer1 rfs7000-37FABE(config-profile-default-rfs7000-ikev1-peer-peer1)#?

Crypto IKEV1 Peer Configuration commands:

authentication Configure Authentication credentials ip Configure peer address/fqdn localid Set local identity no Negate a command or set its defaults remoteid Configure remote peer identity use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs7000-37FABE(config-profile-default-rfs7000-ikev1-peer-peer1)#

rfs7000-37FABE(config-profile-default-rfs7000)#crypto ikev2 peer peer1 rfs7000-37FABE(config-profile-default-rfs7000-ikev2-peer-peer1)#?

Crypto IKEV2 Peer Configuration commands:

authentication Configure Authentication credentials ip Configure peer address/fqdn localid Set local identity no Negate a command or set its defaults remoteid Configure remote peer identity use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs7000-37FABE(config-profile-default-rfs7000-ikev2-peer-peer1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 103 PROFILES The following table summarizes crypto IPSec IKEv1/IKEv2 peer configuration mode commands:

Command authentication ip localid remoteid use no Description Configures a peers authentication mode and the pre-shared key Configures the peers IP address Configures a peers local identity details Configures a remote peers identity details Associates an IKEv1 policy and IKEv2 policy with the IKEv1 and IKEv2 peer respectively Negates a command or reverts settings to their default. The no command, when used in the ISAKMP policy mode, defaults the ISAKMP protection suite settings. Reference page 7-105 page 7-106 page 7-107 page 7-108 page 7-109 page 7-110 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 104 PROFILES 7.1.17.4.1 authentication crypto-ikev1/ikev2-peer commands Configures IKEv1/IKEv2 peers authentication mode and the pre-shared key Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax authentication [psk|rsa]

authentication psk [0 <WORD>|2 <WORD>|<WORD>] {local|remote}

authentication rsa Parameters authentication psk [0 <WORD>|2 <WORD>|<WORD>] {local|remote}

psk [0 <WORD>|

2 <WORD>|

<WORD>]

{local|remote}

Configures the authentication mode as pre-shared key (PSK). The PSK is a string, 8 -

12 characters long. It is shared by both ends of the VPN tunnel connection. If using IKEv2, both a local and remote string must be specified for handshake validation at both ends (local and remote) of the VPN connection. 0 <WORD> Configures a clear text key 2 <WORD> Configures an encrypted key

<WORD> Configures the pre-shared key The following keywords are available only in the IKEv2 peer configuration mode:

local Optional. Uses the specified key for local peer authentication only remote Optional. Uses the specified key for remote peer authentication only Note: In case the peer type is not specified, this string is used for authenticating both local and remote peers. rsa Example authentication rsa Configures the authentication mode as Rivest, Shamir, and Adleman (RSA) This is the default setting (for both IKEv1 and IKEv2). RSA is the first known public-key cryptography algorithm designed signing and encryption. If configuring the IKEv2 peer, the rsa option allows you to enable authentication at both ends of the VPN connection (local and remote). rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#authentication rsa rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#authentication psk 0 key@123456 rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context crypto ikev2 peer peer1 authentication psk 0 key@123456 local authentication psk 0 key@123456 remote rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 105 PROFILES 7.1.17.4.2 ip crypto-ikev1/ikev2-peer commands Sets the IP address or Fully Qualified Domain Name (FQDN) of the IPSec VPN peer used in the tunnel setup Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ip [address <IP>|fqdn <WORD>]

Parameters ip [address <IP>|fqdn <WORD>]

address <IP>

fqdn <WORD>

Specify the peer devices IP address. Specify the peer devices FQDN hostname. Example rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#ip address 172.16.10.12 rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context crypto ikev1 peer peer1 ip address 172.16.10.12 rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#ip address 192.168.10.6 rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context crypto ikev2 peer peer1 ip address 192.168.10.6 authentication psk 0 test@123456 local authentication psk 0 test@123456 remote rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 106 PROFILES 7.1.17.4.3 localid crypto-ikev1/ikev2-peer commands Sets a IKEv1/IKEv2 peers local identity. This local identifier is used with this peer configuration for an IKE exchange with the target VPN IPSec peer. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax localid [address|autogen-uniqueid|dn|email|fqdn|string]

localid [address <IP>|autogen-uniqueid <WORD>|dn <WORD>|email <WORD>|fqdn <WORD>|

string <WORD>]

Parameters localid [address <IP>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]

address <IP>

autogen-uniqueid

<WORD>

dn <WORD>

email <WORD>

fqdn <WORD>

string <WORD>

Configures the peers IP address. The IP address is used as local identity. Generates a localid using the device's unique identity. The system prefixes the device's unique identity to the string provided here. The devices unique identity should be existing and configured. For more information on configuring a devices unique identity, see autogen-uniqueid.

<WORD> Provide the string. Configures the peers distinguished name. (for example, "C=us ST=<state>

L=<location> O=<organization> OU=<org unit>". The maximum length is 128 characters. Configures the peers e-mail address. The maximum length is 128 characters. Configures the peers FQDN. The maximum length is 128 characters. Configures the peers identity string. The maximum length is 128 characters. This is the default setting. Example rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#localid email bob@examplecompany.com rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context crypto ikev1 peer peer1 ip address 172.16.10.12 localid email bob@examplecompany.com rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 107 PROFILES 7.1.17.4.4 remoteid crypto-ikev1/ikev2-peer commands Configures a IKEv1/IKEV2 peers remote identity. This remote identifier is used with this peer configuration for an IKE exchange with the target VPN IPSec peer. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax remoteid [address <IP>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]

Parameters remoteid [address <IP>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>

address <IP>

dn <WORD>

email <WORD>

fqdn <WORD>

string <WORD>

Configures the remote IKEv1/IKEV2 peers IP address. The IP address is used as the peers remote identity. Configures the remote peers distinguished name. For example, "C=us ST=<state>

L=<location> O=<organization> OU=<org unit>". The maximum length is 128 characters. Configures the remote peers e-mail address. The maximum length is 128 characters. Configures a peers FQDN. The maximum length is 128 characters. Configures a peers identity string. The maximum length is 128 characters. Example rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#remoteid dn SanJose rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context crypto ikev1 peer peer1 ip address 172.16.10.12 remoteid dn SanJose localid email bob@examplecompany.com rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#remoteid address 157.235.209.63 rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context crypto ikev2 peer peer1 remoteid address 157.235.209.63 rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 108 PROFILES 7.1.17.4.5 use crypto-ikev1/ikev2-peer commands Associates IKEv1/IKEv2 policy with the IKEv1/IKEv2 peer respectively Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax use ikev1-policy <IKEV1-POLICY-NAME>

use ikev2-policy <IKEV2-POLICY-NAME>

Parameters use ikev1-policy <IKEV1-POLICY-NAME>

Specify the IKEv1 policy name. The local IKEv1 policy and the peer IKEv1 policy must have matching group settings for successful negotiations. use ikev1-policy

<IKEV1-POLICY-

NAME>

use ikev2-policy <IKEV2-POLICY-NAME>

Specify the IKEv2 policy name. The local IKEv2 policy and the peer IKEv2 policy must have matching group settings for successful negotiations. use ikev2-policy

<IKEV2-POLICY-

NAME>

Example rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#use ikev1-policy test-ikev1policy rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context crypto ikev1 peer peer1 ip address 172.16.10.12 remoteid dn SanJose localid email bob@examplecompany.com use ikev1-policy test-ikev1policy rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#use ikev2-policy test-ikev2policy rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context crypto ikev2 peer peer1 remoteid address 157.235.209.63 use ikev2-policy test-ikev2policy rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 109 PROFILES 7.1.17.4.6 no crypto-ikev1/ikev2-peer commands Removes or reverts IKEv1/IKEv2 peer settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [authentication|ip|localid|remoteid|use <IKEv1/IKEv2-POLICY-NAME>]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or reverts IKEv1/IKEv2 peer settings based on the parameters passed Example The following example shows the Crypto IKEV1 peer1 settings before the no commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context crypto ikev1 peer peer1 ip address 172.16.10.12 remoteid dn SanJose localid email bob@examplecompany.com use ikev1-policy test-ikev1policy rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#no localid rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#no remoteid The following example shows the Crypto IKEV1 peer1 settings after the no commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context crypto ikev1 peer peer1 ip address 172.16.10.12 use ikev1-policy test-ikev1policy rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

The following example shows the Crypto IKEV2 peer1 settings before the no commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context crypto ikev2 peer peer1 remoteid address 157.235.209.63 use ikev2-policy test rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#

The following example shows the Crypto IKEV2 peer1 settings after the no commands are executed:

rfs6000-37FABE(config-profile-default-rfs7000-ikev2-peer-peer1)#no use ikev2-

policy rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context crypto ikev2 peer peer1 remoteid address 157.235.209.63 rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 110 PROFILES 7.1.17.5 crypto-map-config-commands crypto This section explains crypto map configuration mode commands in detail. A crypto map entry is a single policy that describes how certain traffic is secured. There are two types of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index (used to sort the ordered list). IPSec VPN provides a secure tunnel between two networked peers. Administrators can define which packets are sent within the tunnel, and how they're protected. When a tunneled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination. Tunnels are sets of SA between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunneled peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are established per the rules and conditions of defined security protocols (AH or ESP). IKE is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs, and enables secure communications without time consuming manual pre-configuration. Use crypto maps to configure IPSec VPN SAs. Crypto maps combine the elements comprising IPSec SAs. Crypto maps also include transform sets. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic. One crypto map is utilized for each IPSec peer, however for remote VPN deployments one crypto map is used for all the remote IPSec peers. Use the (config) instance to enter the crypto map configuration mode. To navigate to the crypto-map configuration instance, use the following commands:

In the device-config mode:

<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000>

[ipsec-isakmp {dynamic}|ipsec-manual]

In the profile-config mode:

<DEVICE>(config-profile-<PROFILE-NAME>)#crypto map <CRYPTO-MAP-TAG> <1-1000>

[ipsec-isakmp {dynamic}|ipsec-manual]

There are three different configurations defined for each listed crypto map: site-to-site manual (ipsec-

manual), site-to-site-auto tunnel (ipsec-isakmp), and remote VPN client (ipsec-isakmp dynamic). With site-

to-site deployments, an IPSec tunnel is deployed between two gateways, each at the edge of two different remote networks. With remote VPN, an access point located at remote branch defines a tunnel with a security gateway. This facilitates the end points in the branch office to communicate with the destination endpoints (behind the security gateway) in a secure manner. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 111 PROFILES Each crypto map entry is given an index (used to sort the ordered list). rfs6000-37FABE(config-profile-default-rfs6000)#crypto map map1 1 ipsec-manual rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#?

Manual Crypto Map Configuration commands:

local-endpoint-ip Use this IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration) mode Set the tunnel mode no Negate a command or set its defaults peer Set peer security-association Set security association parameters session-key Set security session key parameters use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#

The following table summarizes crypto map configuration mode commands:

Command crypto-map auto-vpn-

tunnel/remote-

vpn-client instance crypto-map-

ipsec-manual-

instance Description Configures an auto site-to-site VPN or remote VPN client Reference page 7-113 Configures a manual site-to-site VPN page 7-127 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 112 PROFILES 7.1.17.5.1 crypto-map auto-vpn-tunnel/remote-vpn-client instance crypto-map-config-commands To navigate to the auto site-to-site VPN tunnel configuration instance, use the following command:

In the device-config mode:

<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-

isakmp In the profile-config mode:

<DEVICE>(config-profile-<PROFILE-NAME>)#crypto map <CRYPTO-MAP-TAG> <1-1000>

ipsec-isakmp rfs4000-229D58(config-device-00-23-68-22-9D-58)#crypto map test 1 ipsec-isakmp rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#?

Site to Site Crypto Map Configuration commands:

ip Internet Protocol config commands local-endpoint-ip Use this IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration) no Negate a command or set its defaults peer Add a remote peer pfs Specify Perfect Forward Secrecy security-association Security association parameters transform-set Specify IPSec transform to use use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

To navigate to the remote VPN client configuration instance, use the following command:

In the device-config mode:

<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-

isakmp {dynamic}

In the profile-config mode:

<DEVICE>(config-profile-<PROFILE-NAME>)#crypto map <CRYPTO-MAP-TAG> <1-1000>

ipsec-isakmp {dynamic}

rfs4000-229D58(config-device-00-23-68-22-9D-58)#crypto map test 2 ipsec-isakmp dynamic rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#?

Dynamic Crypto Map Configuration commands:

local-endpoint-ip Use this IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration) modeconfig Set the mode config method no Negate a command or set its defaults peer Add a remote peer pfs Specify Perfect Forward Secrecy remote-type Set the remote VPN client type security-association Security association parameters transform-set Specify IPSec transform to use use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 113 PROFILES do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#

The following table lists the IPSec-Auto-VPN/Remote-VPN tunnel configuration commands:

Command ip local-endpoint-

ip modeconfig peer pfs remote-type security-

association transform-set use no Description Enables this setting to utilize IP/Port NAT on the VPN tunnel. This command is applicable only to the site-to-site VPN tunnel. Uses the configured IP as local tunnel endpoint address, instead of the interface IP. This command is applicable to the site-to-site VPN tunnel and remote VPN client. Configures the mode config method (pull or push) associated with the remote VPN client. This command is applicable only to the remote VPN client. Configures the IKEv1 or IKEv2 peer for the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client. Configures the Perfect Forward Secrecy (PFS) for the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client. Configures the remote VPN client type as either None or XAuth. This command is applicable only to the remote VPN client. Defines this automatic VPN tunnels IPSec SA settings. This command is applicable to the site-to-site VPN tunnel and remote VPN client. Applies a transform set (encryption and hash algorithms) to the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client. Applies an existing and configured IP access list to the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client. Removes or reverts site-to-site VPN tunnel or remote VPN client settings Reference page 7-115 page 7-116 page 7-117 page 7-118 page 7-119 page 7-120 page 7-121 page 7-123 page 7-124 page 7-125 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 114 PROFILES 7.1.17.5.2 ip crypto-map auto-vpn-tunnel/remote-vpn-client instance Enables this setting to utilize IP/Port NAT on this auto site-to-site VPN tunnel. This option is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ip nat crypto Parameters ip nat crypto ip nat crypto Enables this setting to utilize IP/Port NAT on the site-to-site VPN tunnel. This setting is disabled by default. Example rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#ip nat crypto rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context crypto map test 1 ipsec-isakmp ip nat crypto rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 115 PROFILES 7.1.17.5.3 local-endpoint-ip crypto-map auto-vpn-tunnel/remote-vpn-client instance Uses the configured IP as local tunnel endpoint address, instead of the interface IP Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax local-endpoint-ip <IP>

Parameters local-endpoint-ip <IP>

local-endpoint-ip

<IP>

Configures the local VPN tunnels (site-to-site VPN tunnel or remote VPN client) endpoint IP address

<IP> Specify the IP address. The specified IP address must be available on the interface. Example Site-to-site VPN tunnel:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#local-endpoint-

ip 192.168.13.10 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context crypto map test 1 ipsec-isakmp local-endpoint-ip 192.168.13.10 ip nat crypto rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#local-endpoint-

ip 157.235.204.62 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context crypto map test 2 ipsec-isakmp dynamic local-endpoint-ip 157.235.204.62 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 116 PROFILES 7.1.17.5.4 modeconfig crypto-map auto-vpn-tunnel/remote-vpn-client instance Configures the mode config method (pull or push) associated with the remote VPN client Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax modeconfig [pull|push]

Parameters modeconfig [pull|push]

modeconfig

[pull|push]

Configures the mode config method associated with a remote VPN client. The options are: pull and push. The mode (pull or push) defines the method used to assign a virtual IP. This setting is relevant for IKEv1 only, since IKEv2 always uses the configuration payload in pull mode. The default setting is push. Example Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#modeconfig pull rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context crypto map test 2 ipsec-isakmp dynamic modeconfig pull rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2) Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 117 PROFILES 7.1.17.5.5 peer crypto-map auto-vpn-tunnel/remote-vpn-client instance Configures the IKEv1 or IKEv2 peer for the auto site-to-site VPN tunnel or remote VPN client. The peer device can be specified either by its hostname or by its IP address. A maximum of three peers can be configured. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax peer <1-3> [ikev1|ikev2] <IKEv1/IKEv2-PEER-NAME>

Parameters peer <1-3> [ikev1|ikev2] <IKEv1/IKEv2-PEER-NAME>

peer <1-3>

ikev1 <IKEv1-PEER-

NAME>

ikev2<IKEv2-PEER-

NAME>

Creates a new peer and configures the peers priority level. Peer 1 is the primary peer, and peer 3 is redundant. Configures an IKEv1 peer

<IKEv1-PEER-NAME> Specify the IKEv1 peers name. Configures an IKEv2 peer

<IKEv2-PEER-NAME> Specify the IKEv2 peers name. Example Site-to-site tunnel:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#peer 1 ikev2 ikev2Peer1 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context crypto map test 1 ipsec-isakmp peer 1 ikev2 ikev2Peer1 local-endpoint-ip 192.168.13.10 ip nat crypto rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#peer 1 ikev1 Re moteIKEv1Peer1 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context crypto map test 2 ipsec-isakmp dynamic peer 1 ikev1 RemoteIKEv1Peer1 local-endpoint-ip 157.235.204.62 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 118 PROFILES 7.1.17.5.6 pfs crypto-map auto-vpn-tunnel/remote-vpn-client instance Configures Perfect Forward Secrecy (PFS) for the auto site-to-site VPN tunnel or remote VPN client PFS is the key-establishment protocol, used to secure VPN communications. If one encryption key is compromised, only data encrypted by that specific key is compromised. For PFS to exist, the key used to protect data transmissions must not be used to derive any additional keys. Options include 2, 5 and 14. This option is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax pfs [14|2|5]

Parameters pfs [14|2|5]

pfs [14|2|5]

Configures PFS 14 Configures D-H Group14 (2048-bit modp) 2 Configures D-H Group2 (1024-bit modp) 5 Configures D-H Group5 (1536-bit modp) Example Site-to-site VPN tunnel:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#pfs 5 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context crypto map test 1 ipsec-isakmp peer 1 ikev2 ikev2Peer1 local-endpoint-ip 192.168.13.10 pfs 5 ip nat crypto rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#pfs 14 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context crypto map test 2 ipsec-isakmp dynamic peer 1 ikev1 RemoteIKEv1Peer1 local-endpoint-ip 157.235.204.62 pfs 14 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 119 PROFILES 7.1.17.5.7 remote-type crypto-map auto-vpn-tunnel/remote-vpn-client instance Configures the remote VPN client type as either None or XAuth Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax remote-type [none|xauth]

Parameters remote-type [none|xauth]

remote-type

[none|xauth]

Specify the remote VPNs client type none Configures remote VPN client with No XAUTH xauth Configures remote VPN client as using XAUTH (applicable only for IKEv1). This is the default setting. XAuth (extended authentication) provides additional authentication validation by permitting an edge device to request extended authentication information from an IPSec host. This forces the host to respond with additional authentication credentials. The edge device respond with a failed or passed message. Example Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#remote-type none rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context crypto map test 2 ipsec-isakmp dynamic peer 1 ikev1 RemoteIKEv1Peer1 local-endpoint-ip 157.235.204.62 pfs 14 remote-type none rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 120 PROFILES 7.1.17.5.8 security-association crypto-map auto-vpn-tunnel/remote-vpn-client instance Defines the IPSec SAs (created by this auto site-to-site VPN tunnel or remote VPN client) settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax security-association [inactivity-timeout|level|lifetime]

security-association [inactivity-timeout <120-86400>|level perhost]

security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

Parameters security-association [inactivity-timeout <120-86400>|level perhost]

inactivity-timeout

<120-86400>

Specifies an inactivity period, in seconds, for this IPSec VPN SA. Once the set value is exceeded, the association is timed out.

<120-86400> Specify a value from 120 - 86400 seconds. The default is 900 seconds. level perhost Specifies the granularity level for this IPSec VPN SA perhost Sets the IPSec VPN SAs granularity to the host level lifetime

[kilobytes

<500-2147483646>|

seconds

<120-86400>]

security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

Defines the IPSec SAs lifetime (in kilobytes and/or seconds). Values can be entered in both kilobytes and seconds. Which ever limit is reached first, ends the security association. kilobytes <500-2147483646> Defines volume based key duration. Specify a value from 500 - 2147483646 kilobytes. Select this option to define a connection volume lifetime (in kilobytes) for the duration of the IPSec VPN SA. Once the set volume is exceeded, the association is timed out. This option is disabled by default. seconds <120-86400> Defines time based key duration. Specify the time frame from 120 - 86400 seconds. Select this option to define a lifetime (in seconds) for the duration of the IPSec VPN SA. Once the set value is exceeded, the association is timed out. This option is disabled by default. Example Site-to-site tunnel:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-

association inactivity-timeout 200 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-

association level perhost rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-

association lifetime kilobytes 250000 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 121 PROFILES rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context crypto map test 1 ipsec-isakmp security-association level perhost peer 1 ikev2 ikev2Peer1 local-endpoint-ip 192.168.13.10 pfs 5 security-association lifetime kilobytes 250000 security-association inactivity-timeout 200 ip nat crypto rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#security-

association lifetime seconds 10000 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context crypto map test 2 ipsec-isakmp dynamic peer 1 ikev1 RemoteIKEv1Peer1 local-endpoint-ip 157.235.204.62 pfs 14 security-association lifetime seconds 10000 remote-type none rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 122 PROFILES 7.1.17.5.9 transform-set crypto-map auto-vpn-tunnel/remote-vpn-client instance Applies a transform set (encryption and hash algorithms) to site-to-site VPN tunnel or remote VPN client. This command allows you to provide customized data protection for each crypto map can be customized with its own data protection and peer authentication schemes. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax transform-set <TRANSFORM-SET-TAG> {<TRANSFORM-SET-TAG>}

Parameters transform-set <TRANSFORM-SET-TAG> {<TRANSFORM-SET-TAG>}

transform-set

<TRANSFORM-SET-

TAG>

<TRANSFORM-SET-

TAG>

Applies a transform set. The transform set should be existing and configured.

<TRANSFORM-SET-TAG> Specify the transform sets name.

<TRANSFORM-SET-TAG> Optional. Specify a second transform set. You can pro-

vide multiple, space-separated, transform set tags. Example Site-to-site VPN tunnel:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#transform-set AutoVPN rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context crypto map test 1 ipsec-isakmp security-association level perhost peer 1 ikev2 ikev2Peer1 local-endpoint-ip 192.168.13.10 pfs 5 security-association lifetime kilobytes 250000 security-association inactivity-timeout 200 transform-set AutoVPN ip nat crypto rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#transform-set RemoteVPN rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context crypto map test 2 ipsec-isakmp dynamic peer 1 ikev1 RemoteIKEv1Peer1 local-endpoint-ip 157.235.204.62 pfs 14 security-association lifetime seconds 10000 transform-set RemoteVPN remote-type none rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 123 PROFILES 7.1.17.5.10 use crypto-map auto-vpn-tunnel/remote-vpn-client instance Applies an existing and configured IP access list to the auto site-to-site VPN tunnel or remote VPN client. Based on the IP access lists settings traffic is permitted or denied across the VPN tunnel. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax use ip-access-list <IP-ACCESS-LIST-NAME>

Parameters use ip-access-list <IP-ACCESS-LIST-NAME>

ip-access-list

<IP-ACCESS-LIST-

NAME>

Specify the IP access list name. Example Site-to-site VPN tunnel:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#use ip-access-

list test rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context crypto map test 1 ipsec-isakmp use ip-access-list test security-association level perhost peer 1 ikev2 ikev2Peer1 local-endpoint-ip 192.168.13.10 pfs 5 security-association lifetime kilobytes 250000 security-association inactivity-timeout 200 transform-set AutoVPN ip nat crypto rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:

rrfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#use ip-access-

list test1 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context

' crypto map test 2 ipsec-isakmp dynamic use ip-access-list test1 peer 1 ikev1 RemoteIKEv1Peer1 local-endpoint-ip 157.235.204.62 pfs 14 security-association lifetime seconds 10000 transform-set RemoteVPN remote-type none rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 124 PROFILES 7.1.17.5.11 no crypto-map auto-vpn-tunnel/remote-vpn-client instance Removes or reverts the auto site-to-site VPN tunnel or remote VPN client settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [ip|local-endpoint-ip|modeconfig|peer|pfs|remote-type|security-association|

transform-set|use]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or resets this auto site-to-site/remote VPN settings based on the parameters passed Example The following example shows the IPSec site-to-site VPN tunnel test settings before the no commands are executed:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context crypto map test 1 ipsec-isakmp use ip-access-list test security-association level perhost peer 1 ikev2 ikev2Peer1 local-endpoint-ip 192.168.13.10 pfs 5 security-association lifetime kilobytes 250000 security-association inactivity-timeout 200 transform-set AutVPN ip nat crypto rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no use ip-

access-list rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no security-

association level perhost rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no ip nat crypto rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no pfs rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no local-

endpoint-ip The following example shows the IPSec site-to-site VPN tunnel test settings after the no commands are executed:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context crypto map test 1 ipsec-isakmp peer 1 ikev2 ikev2Peer1 security-association lifetime kilobytes 250000 security-association inactivity-timeout 200 transform-set AutoVPN rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 125 PROFILES The following example shows the IPSec remote VPN client test settings before the no commands are executed:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context crypto map test 2 ipsec-isakmp dynamic use ip-access-list test2 peer 1 ikev1 RemoteIKEv1Peer1 local-endpoint-ip 157.235.204.62 pfs 14 security-association lifetime seconds 10000 transform-set RemoteVPN remote-type none rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#no use ip-

access-list rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#no peer 1 rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#no transform-set The following example shows the IPSec remote VPN client test settings after the no commands are executed:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context crypto map test 2 ipsec-isakmp dynamic local-endpoint-ip 157.235.204.62 pfs 14 security-association lifetime seconds 10000 remote-type none rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 126 PROFILES 7.1.17.5.12 crypto-map-ipsec-manual-instance crypto-map-config-commands To navigate to the automatic IPSec manual VPN tunnel configuration instance, use the following command:

In the device-config mode:

<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-

manual In the profile-config mode:

<DEVICE>(config-profile-<PROFILE-NAME>)#crypto map <CRYPTO-MAP-TAG> <1-1000>

ipsec-manual rfs4000-229D58(config-device-00-23-68-22-9D-58)#crypto map test 3 ipsec-manual rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#3)#?

Manual Crypto Map Configuration commands:

local-endpoint-ip Use this IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration) mode Set the tunnel mode no Negate a command or set its defaults peer Set peer security-association Set security association parameters session-key Set security session key parameters use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#3)#

The following table summarizes IPSec manual VPN tunnel configuration mode commands:

Command local-endpoint-

ip mode peer security-

association session-key use no Description Uses the configured IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration) Sets the tunnel mode Sets the peer devices IP address Defines the lifetime (in kilobytes and/or seconds) of IPSec SAs created by a crypto map Defines encryption and authentication keys for a crypto map Uses the configured IP access list Removes or reverts crypto map IPSec manual settings Reference page 7-128 page 7-129 page 7-130 page 7-131 page 7-132 page 7-134 page 7-135 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 127 PROFILES 7.1.17.5.13 local-endpoint-ip crypto-map-ipsec-manual-instance Uses the configured IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration) Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax local-endpoint-ip <IP>

Parameters local-endpoint-ip <IP>

local-endpoint-ip

<IP>

Uses the configured IP as local tunnels endpoint address

<IP> Specify the IP address. The specified IP address must be available on the interface. Example rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#local-endpoint-

ip 172.16.10.3 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 128 PROFILES 7.1.17.5.14 mode crypto-map-ipsec-manual-instance Sets the crypto map tunnel mode Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mode [transport|tunnel]

Parameters mode [transport|tunnel]

mode [transport|tunnel] Sets the mode of the tunnel for this crypto map transport Initiates transport mode tunnel Initiates tunnel mode (default setting) Example rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#mode transport rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context crypto map map1 1 ipsec-manual mode transport rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 129 PROFILES 7.1.17.5.15 peer crypto-map-ipsec-manual-instance Sets the peer devices IP address. This can be set for multiple remote peers. The remote peer can be an IP address. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax peer <IP>

Parameters peer <IP>

peer <IP>

Enter the peer devices IP address. If not configured, it implies respond to any peer. Example rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#peer 172.16.10.12 rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context crypto map map1 1 ipsec-manual peer 172.16.10.12 rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 130 PROFILES 7.1.17.5.16 security-association crypto-map-ipsec-manual-instance Defines the lifetime (in kilobytes and/or seconds) of IPSec SAs created by this crypto map Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

Parameters security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

lifetime

[kilobytes

<500-2147483646>|

seconds

<120-86400>]

Values can be entered in both kilobytes and seconds. Which ever limit is reached first, ends the security association. kilobytes <500-2147483646> Defines volume based key duration. Specify a value from 500 - 2147483646 bytes. seconds <120-86400> Defines time based key duration. Specify the time frame from 120 - 86400 seconds. NOTE: This command is not applicable to the ipsec-manual crypto map. Example rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map2#2)#security-

association lifetime seconds 123 rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map2#2)#show context Command not applicable to this crypto map rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map2#2)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 131 PROFILES 7.1.17.5.17 session-key crypto-map-ipsec-manual-instance Defines encryption and authentication keys for this crypto map Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax session-key [inbound|outbound] [ah|esp] <256-4294967295>

session-key [inbound|outbound] ah <256-4294967295> [0|2|authenticator [md5|sha]]

<WORD>

session-key [inbound|outbound] esp <256-4294967295> [0|2|cipher [3des|aes|aes-192|

aes-256|des|esp-null]] <WORD> authenticator [md5|sha] <WORD>

Parameters session-key [inbound|outbound] ah <256-4294967295> [0|2|authenticator [md5|sha]]

<WORD>

session-key

[inbound|outbound]

ah <256-

4294967295>

[0|2|authenticator

[md5|sha] <WORD>]

Defines the manual inbound and outbound security association key parameters Configures authentication header (AH) as the security protocol for the security session

<256-4294967295> Sets the SPI for the security association from 256 - 4294967295 The SPI (in combination with the destination IP address and security protocol) identifies the security association. Specifies the key type 0 Sets a clear text key 2 Sets an encrypted key authenticator Sets AH authenticator details md5 <WORD> AH with MD5 authentication sha <WORD> AH with SHA authentication

<WORD> Sets security association key value. The following key lengths (in hex characters) are required (w/o leading 0x).AH-MD5: 32, AH-SHA: 40 session-key [inbound|outbound] esp <256-4294967295> [0|2|cipher [3des|aes|aes-

192|aes-256|des|esp-null]] <WORD> authenticator [md5|sha] <WORD>

session-key

[inbound|outbound]

esp <256-

4294967295>

Defines the manual inbound and outbound security association key parameters Configures Encapsulating Security Payloads (ESP) as the security protocol for the security session. This is the default setting.

<256-4294967295> Sets the SPI for the security association from 256 - 4294967295 The SPI (in combination with the destination IP address and security protocol) identifies the security association. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 132 PROFILES

[0|2|cipher

[3des|aes|aes-192|

aes-256|des|

esp-null]]

0 Sets a clear text key 2 Sets an encrypted key cipher Sets encryption/decryption key details 3des ESP with 3DES encryption aes ESP with AES encryption aes-192 ESP with AES-192 encryption aes-256 ESP with AES-256 encryption des ESP with DES encryption esp-null ESP with no encryption authenticator Specify ESP authenticator details md5 <WORD> ESP with MD5 authentication sha <WORD> ESP with SHA authentication

<WORD> Sets security association key value. The following key lengths

(in hex characters) are required (w/o leading 0x).AH-MD5: 32, AH-SHA:

40 Example rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#session-key inbound esp 273 cipher esp-null authenticator sha 58768979 rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context crypto map map1 1 ipsec-manual peer 172.16.10.2 mode transport session-key inbound esp 273 0 cipher esp-null authenticator sha 58768979 rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 133 PROFILES 7.1.17.5.18 use crypto-map-ipsec-manual-instance Associates an existing IP access list with this crypto map. The ACL protects the VPN traffic. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax use ip-access-list <IP-ACCESS-LIST-NAME>

Parameters use ip-access-list <IP-ACCESS-LIST-NAME>

ip-access-list

<IP-ACCESS-LIST-

NAME>

Specify the IP access list name. Example rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#use ip-access-

list test rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context crypto map map1 1 ipsec-manual use ip-access-list test peer 172.16.10.12 mode transport session-key inbound esp 273 0 cipher esp-null authenticator sha 5876897 rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 134 PROFILES 7.1.17.5.19 no crypto-map-ipsec-manual-instance Removes or resets this crypto maps settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [local-endpoint-ip|mode|peer|security-association|session-key|use]

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or resets this crypto map settings based on the parameters passed Example rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context crypto map map1 1 ipsec-manual use ip-access-list test peer 172.16.10.12 mode transport session-key inbound esp 273 0 cipher esp-null authenticator sha 5876897 rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#

rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#no use ip-access-

list rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#no peer rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#no mode rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context crypto map map1 1 ipsec-manual session-key inbound esp 273 0 cipher esp-null authenticator sha 58768979 rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 135 PROFILES 7.1.17.6 crypto-remote-vpn-client commands crypto This section documents the IKEV2 remote VPN client configuration settings. Use this command to define the server resources used to secure (authenticate) a remote VPN connection with a target peer. Use the profile-config instance to configure remote VPN client settings. To navigate to the remote-vpn-

client configuration instance, use the following commands:

<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>

<DEVICE>(config-profile-<PROFILE-NAME>)#crypto remote-vpn-client

<DEVICE>(config-profile-<PROFILE-NAME>-crypto-ikev2-remote-vpn-client)#

NOTE: To configure remote VPN client settings on a device, on the devices configuration mode, use the crypto > remote-vpn-client command. For example: rfs4000-229D58(config-device-00-23-68-22-9D-58)#crypto remote-vpn-client NOTE: The following configuration enables a access point to adopt to a controller over the remote VPN link:

On a profile: rfs4000-229D58(config-profile-testRFS4000)#controller host

<HOST-IP> remote-vpn-client On a device: rfs4000-229D58(config-00-23-68-22-9D-58)#controller host

<HOST-IP> remote-vpn-client rfs4000-229D58(config)#profile rfs4000 testRFS4000 rfs4000-229D58(config-profile-testRFS4000)#

rfs4000-229D58(config-profile-testRFS4000)#crypto remote-vpn-client rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#?

Crypto IKEV2 Remote Vpn Client Config commands:

dhcp-peer Configure parameters for peers received via DHCP option no Negate a command or set its defaults peer Add a remote peer shutdown Disable remote vpn client transform-set Specify IPSec transform to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 136 PROFILES The following table summarizes crypto remote VPN client configuration mode commands:

Command dhcp-peer peer shutdown transform-set no Description Configures DHCP peers local ID and authentication settings Adds a remote IKEv2 peer Disables the remote VPN client Associates an existing IPSec transform set with this remote VPN client Removes the remote VPN client settings Reference page 7-138 page 7-139 page 7-140 page 7-141 page 7-142 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 137 PROFILES 7.1.17.6.1 dhcp-peer crypto-remote-vpn-client commands Configures DHCP peers local ID and authentication settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dhcp-peer [authentication|localid]

dhcp-peer authentication [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]

dhcp-peer localid [autogen-uniqueid <WORD>|string <WORD>]

Parameters dhcp-peer authentication [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]

dhcp-peer authentication psk

[0 <WORD>|

2 <WORD>|

<WORD>]

dhcp-peer authentication rsa Configures the DHCP peers authentication type as PSK 0 <WORD> Configures a clear text authentication key 2 <WORD> Configures an encrypted authentication key

<WORD> Provide a 8 - 21 character shared key password for DHCP peer authentication Configures the DHCP peers authentication type as RSA. This is the default setting. dhcp-peer localid [autogen-uniqueid <WORD>|string <WORD>]

dhcp-peer localid

[autogen-uniqueid

<WORD>|

string <WORD>]

Configures the DHCP peer's localid using one of the following options:

autogen-uniqueid - Generates a localid using the device's unique identity. The system prefixes the device's unique identity to the string provided here. The devices unique identity should be existing and configured. For more information on configuring a devices unique identity, see autogen-uniqueid.

<WORD> Provide the string. string - Uses the value provided here as the DHCP peers localid.

<WORD> - Provide the string. Example rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#dhcp-

peer authentication psk 0 @123testing rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context crypto remote-vpn-client dhcp-peer authentication psk 0 @123testing rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 138 PROFILES 7.1.17.6.2 peer crypto-remote-vpn-client commands Configures IKEv2 peers and assigns them priorities for utilization with remote VPN client connections. A maximum of three (3) peers can be added to support redundancy. IKEv2 uses an initial handshake in which VPN peers negotiate cryptographic algorithms, mutually authenticate, and establish a session key, creating an IKE-SA. Additionally, a first IPSec SA is established during the initial SA creation. All IKEv2 messages are request/response pairs. It is the responsibility of the side sending the request to retransmit if it does not receive a timely response. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax peer <1-3> ikev2 <IKEV2-PEER-NAME>

Parameters peer <1-3> ikev2 <IKEV2-PEER-NAME>

peer <1-3>

Adds a IKEv2 peer. You can add maximum of three (3) peers to achieve redundancy.

<1-3> Specify a priority level for the peer from 1 - 3 (1 = primary, 2 = secondary, and 3 = redundant). ikev2

<IKEV2-PEER-

NAME>

Specify the IKEv2 peers name. Note: The peer should be existing and configured. To configure an IKEv2 peer use the crypto > ikev2 > peer > <IKEv2-PEER-NAME> command. Example rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#peer 1 ikev2 ikev2Peer1 rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#peer 2 ikev2 ikev2Peer2 rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context crypto remote-vpn-client peer 1 ikev2 ikev2Peer1 peer 2 ikev2 ikev2Peer2 rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 139 PROFILES 7.1.17.6.3 shutdown crypto-remote-vpn-client commands Disables remote-vpn-client on this profile or device. Remote VPN client feature is enabled by default. To enable a disabled remote VPN client execute the no > shutdown command. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax shutdown Parameters None Example rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#

shutdown rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 140 PROFILES 7.1.17.6.4 transform-set crypto-remote-vpn-client commands Specifies the IPSec Transform set to use with this remote VPN client. A transform set is a combination of security protocols, algorithms, and other settings applied to IPSec protected client traffic. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax transform-set <IPSEC-XFORM-TAG> {<IPSEC-XFORM-TAG>}

Parameters transform-set <IPSEC-XFORM-TAG> {<IPSEC-XFORM-TAG>}

transform-set

<IPSEC-XFORM-

TAG>

<IPSEC-XFORM-

TAG>

Associates an IPSec Transform (should be existing and configured) set with this remote VPN client. You can optionally associate more than one transform set with this remote VPN client configuration. List the transform set tags separated by a space. Note: To configure a transform-set, use the crypto > ipsec > transform-set command in the profile or device configuration mode. Example rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-

client)#transform-set TransformSet1 rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context crypto remote-vpn-client peer 1 ikev2 ikev2Peer1 transform-set TransformSet1 rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 141 PROFILES 7.1.17.6.5 no crypto-remote-vpn-client commands Removes the remote VPN client settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [dhcp-peer|peer <1-3>|shutdown|transform-set]

no dhcp-peer [authentication|localid]

no peer <1-3>

no shutdown no transform-set Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or resets this remote VPN client settings based on the parameters passed Example rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context crypto remote-vpn-client peer 1 ikev2 peer5 rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#

rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#no peer 1 rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context crypto remote-vpn-client rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 142 PROFILES 7.1.18 database Profile Config Commands Backs up captive-portal and/or NSight database to a specified location and file. When applied to devices, this profile will enable the back up of the specified database. This command also enables you to configures a low-disk-space threshold value. These parameters can also be configured in the device configuration context of an NX95XX series service platform. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax database [backup|low-disk-space-threshold]

database backup database [captive-portal|nsight] <URL>

database low-disk-space-threshold <10-50>

Parameters database backup database [captive-portal|nsight] <URL>

database backup database

[captive-portal|

nsight]

<URL>

Backs up captive portal and/or NSight database to a specified location and file. Select the database to backup. database Selects the database to backup captive-portal Backs up captive portal database nsight Backs up NSight database After specifying the database type, configure the destination location and file name. Configures the destination location. The database is backed up at the specified location. Specify the location URL in one of the following formats:

ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz tftp://<hostname|IP>[:port]/path database low-disk-space-threshold <10-50>

database low-disk-

space-threshold <10-

50>

Configures the low disk space threshold for syslog warning. Once the threshold value configured here is reached a syslog warning is sent.

<10-50> Specify the threshold from 10 - 50. The default is 30. Example nx9500-6C8809(config-profile-testNX9500)#database backup database nsight ftp://

anonymous:anonymous@192.168.13.10/backups/nsight/nsight.tar.gz Related Commands no Removes database backup configurations Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 143 PROFILES 7.1.19 device-onboard Profile Config Commands Configures the logo image file name and title displayed on the EGuest device-onboarding portal. The EGuest UI can be accessed only by vendor-admin users. NOTE: Vendor admin users are configured in the Management policy context. For more information, see user. Supported in the following platforms:

Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax device-onboard [logo|title] <WORD>

Parameters device-onboard [logo|title] <WORD>

device-onboard

[logo|title] <WORD>

Configures the logo and page title displayed on the device-onboarding portal logo Specify the logo image file name. Note, logo image dimensions must not exceed 109 pixel and 52 pixel in width and height respectively. title Specify the UI portal title. Note, the title should not exceed 32 characters in length. The following keyword is common to both of the above parameters:

<WORD> Specify the logo image file name/page title. Example Split-EG-Server(config-device-00-0C-29-09-3C-CC)#device-onboard logo extremenetworks.png Split-EG-Server(config-device-00-0C-29-09-3C-CC)#device-onboard title EXTREME NETWORKS ONBOARDING UI Split-EG-Server(config-device-00-0C-29-09-3C-CC)#show context include-factory |

include device-onboard device-onboard title EXTREME NETWORKS ONBOARDING UI device-onboard logo extremenetworks.png Split-EG-Server(config-device-00-0C-29-09-3C-CC)#

Following example shows a Management Policy, vendor-admin user configuration:

EC-NOC(config-management-policy-EGuest)#show context include-factory | include user user onboard-user password 1 1d5e9d60425bde727261b66b5e7eb0236058e7aae45225961ce7b872ea238240 role vendor-

admin group Samsung,Philips,Nest1,Orbit1 EC-NOC(config-management-policy-EGuest)#

Related Commands no Removes the device-onboarding UI portals logo image file name and title configuration Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 144 PROFILES 7.1.20 device-upgrade Profile Config Commands Configures device firmware upgrade settings on this profile Administrators can customize profiles with unique device configuration file and firmware upgrade support. In a clustered environment, operations performed on one device are propagated to each member of the cluster and then onwards to devices managed by each cluster member. The number of concurrent device upgrades and their start times can be customized to ensure a sufficient number of devices remain in duty while upgrades are administered to others. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax device-upgrade [add-auto|auto|count|persist-images]

device-upgrade add-auto [(ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|

ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|

rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600)]

device-upgrade auto {(ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|

ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|

rfs6000|nx5500|nx75xx|nx9000|nx9600)}

device-upgrade count <1-128>

device-upgrade persist-images Parameters device-upgrade add-auto[(ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|

ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|

rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600)]

device-upgrade add-

auto

[<DEVICE-TYPE>]

Configures a list of devices types for automatic firmware upgrade This command specifies the types of devices that can be automatically upgraded (if enabled). To enable automatic device firmware upgrade, use the auto command. When enabled, access points, wireless controllers, and service platforms, using this profile, will automatically upgrade firmware on adopted devices that match the specified device types. Specifies the type of devices to be upgraded. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000. Note: Multiple device types can be added to the add-auto list. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 145 PROFILES device-upgrade auto {(ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|

ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|

rfs6000|nx5500|nx75xx|nx9000|nx9600)}

device-upgrade auto

<DEVICE-TYPE>

Enables automatic firmware upgrade on specified device types. When used along with the add-auto command, the auto command allows access points, wireless controllers, and service platforms to automatically upgrade firmware on adopted devices matching the specified device types. Optional. Specifies the type of device to be lined up for automatic firmware upgrade. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000. Note: Multiple device types can be added to the auto list. device-upgrade count <1-128>

device-upgrade count

<1-128>

Configures the maximum number of concurrent upgrades possible

<1-128> specify a value from 1 - 128. The default is 10. device-upgrade persist-images device-upgrade persist-images Configures parameters for automatic firmware upgrade of adopted devices. Use this command to select the device types and the maximum number of concurrent upgrades. Enables RF Domain manager to retain AP firmware image after upgrade, subject to availability of space. This option is enabled by default. This option is enabled for all controllers and service platforms RF Domain managers with the flash memory capacity to store firmware images for the selected access point models they provision. This feature is disabled for access point RF Domain managers that do not typically have the flash memory capacity needed. Example rfs4000-229D58(config-profile-default-rfs4000)#device-upgrade auto ap71xx rfs4000-229D58config-profile-default-rfs4000)#show context profile rfs4000 default-rfs4000 autoinstall configuration autoinstall firmware device-upgrade auto ap71xx device-upgrade persist-ap-image crypto ikev1 policy ikev1-default qos trust 802.1p

--More--

rfs4000-229D58(config-profile-default-rfs4000)#

Related Commands no device-upgrade (show commands) Removes device firmware upgrade settings on this profile Displays device upgrade details Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 146 PROFILES 7.1.21 diag Profile Config Commands Enables looped packet logging. When enabled, devices, using this profile, start logging looped packets to a separate queue. This option is disabled by default. Looped packet logging can also be enabled in the device configuration context. NOTE: To view logged looped packets, execute the service > show > diag > pkts command. For more information, see service. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax diag pkts Parameters diag pkts diag pkts Enables looped packet logging Example nx9500-6C8809(config-profile-default-nx75xx)#diag pkts nx9500-6C8809(config-profile-default-nx75xx)#show context include-factory |

include diag diag pkts nx9500-6C8809(config-profile-default-nx75xx)#

Related Commands no Disables looped packet logging Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 147 PROFILES 7.1.22 dot1x Profile Config Commands Configures 802.1x standard authentication controls Dot1x (or 802.1x) is an IEEE standard for network authentication. It enables media-level (layer 2) access control, providing the capability to permit or deny connectivity based on user or device identity. Dot1x allows port-based access using authentication. An dot1x enabled port can be dynamically enabled or disabled depending on user identity or device connection. Devices supporting dot1x allow the automatic provision and connection to the wireless network without launching a Web browser at login. When within range of a dot1x network, a device automatically connects and authenticates without needing to manually login. Before authentication, the endpoint is unknown, and traffic is blocked. Upon authentication, the endpoint is known and traffic is allowed. The controller or service platform uses source MAC filtering to ensure only the authenticated endpoint is allowed to send traffic. Dot1x authentication capabilities is supported on the following platforms:

Supported in the following platforms:

Access Points AP6511, AP6521, AP6522, AP6562, AP7161, AP7502, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432 Wireless Controllers RFS4000, RFS6000, NX5500, NX7500 Dot1x supplicant capabilities is supported on the following platforms:

Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, NX5500, NX7500 Syntax dot1x [guest-vlan|holdtime|system-auth-control|use]

dot1x holdtime <0-600>

dot1x system-auth-control dot1x guest-vlan supplicant dot1x use aaa-policy <AAA-POLICY-NAME>

Parameters dot1x system-auth-control system-auth-control Enables system auth control. Enables dot1x authorization globally for the controller. This feature is disabled by default. dot1X holdtime <0-600>

holdtime <0-600>

Configures a holdtime value. This is the interval after which an authentication attempt is ignored or failed.

<0-600> Specify a value from 0 - 600 seconds. A value of 0 indicates no holdtime. The default is 600 seconds or 10 minutes. Adding a hold time at startup allows time for the network to converge before receiving or transmitting 802.1x authentication packets. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 148 PROFILES dot1x guest-vlan supplicant guest-vlan supplicant Configures guest VLAN and supplicant behavior This feature is disabled by default. Allows 802.1x capable supplicant to enter guest VLAN. When enabled, this is the VLAN that supplicants traffic is bridged on. dot1x use aaa-policy <AAA-POLICY-NAME>

use aaa-policy <AAA-

POLICY-NAME>

Associates a specified 802.1x AAA policy (for MAC authentication) with this access point profile

<AAA-POLICY-NAME> Specify the AAA policy name. Once specified, this AAA policy is utilized for authenticating user requests. Example nx9500-6C8809(config-profile-test-nx5500)#dot1x use aaa-policy OnBoarding nx9500-6C8809(config-profile-test-nx5500)#dot1x system-auth-control nx9500-6C8809(config-profile-test-nx5500)#show context profile nx5500 test-nx5500 no autoinstall configuration no autoinstall firmware crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac crypto ikev1 remote-vpn crypto ikev2 remote-vpn crypto auto-ipsec-secure crypto load-management crypto remote-vpn-client interface ge1 interface ge2 interface ge3 interface ge4 interface ge5 interface ge6 interface pppoe1 use firewall-policy default service pm sys-restart router ospf router bgp dot1x system-auth-control dot1x use aaa-policy OnBoarding nx9500-6C8809(config-profile-test-nx5500)#

Related Commands no Disables or reverts settings to their default Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 149 PROFILES 7.1.23 dpi Profile Config Commands Enables Deep Packet Inspection (DPI) on this profile. DPI is an advanced packet analysis technique, which analyzes packet and packet content headers to determine the nature of network traffic. When enabled, DPI inspects packets of all flows to identify applications (such as, Netflix, Twitter, Facebook, etc.) and extract metadata (such as, host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall. This command is also available in the device configuration mode. Supported in the following platforms:

Access Points AP7522, AP7532, AP7602, AP7612, AP7622, AP7632, AP7662 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600 Syntax dpi {custom-app|logging|metadata}

dpi {custom-app <CUSTOM-APP-NAME>}

dpi {logging [level [<0-7>|alerts|critical|debugging|emergencies|errors|

informational|notifications|warnings]|on]}

dpi {metadata [http|ssl|tcp-rtt|voice-video]}

dpi {metadata [http|ssl|voice-video]}

dpi {metadata tcp-rtt {app-group <APPLICATION-GROUP-NAME>}}

Parameters dpi {custom-app <CUSTOM-APP-NAME>}

dpi custom-app

<CUSTOM-APP-

NAME>

Enables DPI on this profile/device context and configures DPI settings. When enabled, all flow traffic is subjected to DPI for detection of applications, application categories, custom applications, and metadata extraction. Optional. Adds custom application to this profile

<CUSTOM-APP-NAME> Specify custom application name (should be existing and configured) If no custom application is specified, the system detects the PACE built-in applications. Note: For more information on application categories and application detection, see application. dpi {logging [level [<0-7>|alerts|critical|debugging|emergencies|errors|

informational|notifications|warnings]|on]}

dpi Enables DPI on this profile/device context and configures DPI settings. When enabled, all flow traffic is subjected to DPI for detection of applications, application categories, custom applications, and metadata extraction. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 150 PROFILES logging [level [<0-7>|

alerts|critical|

debugging|

emergencies|

errors|informational|

notifications|

warnings]|on]

Optional. Enables DPI logging and sets the logging level level Configures the DPI logging level. Use one of the following options to specify the logging level:

<0-7> Logging severity level alerts Immediate action needed (1) critical Critical conditions (2) debugging Debugging messages (7) emergencies System is unusable (0) errors Conditions (3) nformational Informational messages (6) notifications Normal but significant conditions (5) - Default setting warnings Warning conditions (4) Either specify the logging level index (from 0 - 7) or the description. For example, to log all alerts either enter 1 or alerts. on Enables application detection event logging. DPI logging is disabled by de-

fault. dpi {metadata [http|ssl|voice-video]}

dpi metadata

[http|ssl|voice-video]

Enables DPI on this profile/device context and configures DPI settings. When enabled, all flow traffic is subjected to DPI for detection of applications, application categories, custom applications, and metadata extraction. Optional. Enables metadata extraction from following flows:

http HTTP flows. This option is disabled by default. ssl SSL flows. This option is disabled by default. voice-video Voice and video classified flows. This option is disabled by default. dpi {metadata tcp-rtt {app-group <APPLICATION-GROUP-NAME>}}

dpi metadata tcp-rtt

{app-group

<APPLICATION-

GROUP-NAME>}

Enables DPI on this profile/device context and configures DPI settings. When enabled, all flow traffic is subjected to DPI for detection of applications, application categories, custom applications, and metadata extraction. Optional. Enables Transmission Control Protocol - Round Trip Time (TCP-RTT) metadata collection for application groups. Before executing this command, ensure that you have created at least one application group. Enable this option in the profile/device contexts of the AP7522, AP7532, AP7562, AP8432, AP8533 access point models, as only these APs support TCP-RTT metadata collection. app-group Optional. Specifies the customized application-group name containing the applications for which TCP-RTT is to be collected

<APPLICATION-GROUP-NAME> Specify the app-group name (should be existing and configured). If not specified, the system collects TCP-RTT metadata for all the customized app-groups created. You can enable TCP-RTT metadata collection on eight (8) application groups at a time. For more information on creating customized application-groups, see application-

group. The TCP-RTT metadata is viewable only on the NSight dashboard. Therefore, ensure the NSight server and database is up and NSight analytics data collection is enabled. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 151 PROFILES Example nx9500-6C8809(config-profile-testNX9500)#dpi logging on nx9500-6C8809(config-profile-testNX9500)#dpi logging level 7 nx9500-6C8809(config-profile-testNX9500)#show context profile nx9000 testNX9500 bridge vlan 10 ip igmp snooping ip igmp snooping querier ipv6 mld snooping

......................................................... router bgp dpi logging on dpi logging level debugging nx9500-6C8809(config-profile-testNX9500)#

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#dpi metadata tcp-rtt app-group amazon Related Commands no Disables DPI (application assurance) on this profile Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 152 PROFILES 7.1.24 dscp-mapping Profile Config Commands Configures IP Differentiated Services Code Point (DSCP) to 802.1p priority mapping for untagged frames Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dscp-mapping <WORD> priority <0-7>

Parameters dscp-mapping <word> priority <0-7>

<WORD>

priority <0-7>

Specifies the DSCP value of a received IP packet. This could be a single value or a list. For example, 10-20, 25, 30-35. Specifies the 802.1p priority to use for a packet if untagged. The priority is set on a scale of 0 - 7. The priority values are:

0 Best effort 1 Background 2 Spare 3 Excellent effort 4 Controlled load 5 Video 6 Voice 7 Network control Note: The specified 802.1p priority value is added as a 3-bit IP precedence value in the Type of Service (ToS) field of the IP header used to set the priority. Up to 64 entries are permitted. Example rfs7000-37FABE(config-profile-default-rfs7000)#dscp-mapping 20 priority 7 rfs7000-37FABE(config-profile-default-rfs7000)#show context profile rfs7000 default-rfs7000 dscp-mapping 20 priority 7 no autoinstall configuration no autoinstall firmware crypto isakmp policy default crypto ipsec transform-set default esp-aes-256 esp-sha-hmac interface me1 interface ge1 ip dhcp trust qos trust dscp rfs7000-37FABE(config-profile-default-rfs7000)#

Related Commands no Disables or reverts settings to their default Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 153 PROFILES 7.1.25 eguest-server (VX9000 only) Profile Config Commands Enables the ExtremeGuest (EGuest) server The WiNG EGuest solution is an independently installable VM/Server that provides integrated guest management and analytics. Use this command to enable the EGuest daemon on the EGuest server. NOTE: EGuest being a licensed feature, ensure that the EGUEST-DEV license is applied on the EGuest servers self context. For more information, see license. Supported in the following platforms:

Service Platforms VX9000 NOTE: For more information on configuring an EGuest captive-portal deployment, see configuring ExtremeGuest captive-portal. Syntax eguest-server Parameters eguest-server eguest-server Example Execute this command, without the host option, on the EGuest server. When executed, the EGuest daemon is enabled on the host. EGuest server can be hosted only a VX9000 platform. On the EGuest server, execute the command without the host option to enable the EGuest daemon. EG-Server(config-device-02-EE-1A-7E-AE-5B)#eguest-server EG-Server(config-device-02-EE-1A-7E-AE-5B)#show context include-factory | include eguest-server eguest-server EG-Server(config-device-02-EE-1A-7E-AE-5B)#

Related Commands no Disables the EGuest server by stopping the EGuest daemon Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 154 PROFILES 7.1.26 eguest-server (NOC Only) Profile Config Commands Points to the EGuest server when executed along with the host option. The WiNG EGuest solution is an independently installable VM/Server that provides integrated guest management and analytics. Use this command to enable the EGuest daemon on the EGuest server. NOTE: EGuest being a licensed feature, ensure that the EGUEST-DEV license is applied on the EGuest servers self context. For more information, see license. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 NOTE: For more information on configuring an EGuest captive-portal deployment, see configuring ExtremeGuest captive-portal. Syntax eguest-server <1-3> host <IPv4/IPv6/HOSTNAME> {http|https}

Parameters eguest-server <1-3> host <IPv4/IPv6/HOSTNAME> {http|https}

eguest-server <1-3>

host <IPv4/IPv6/

HOSTNAME>

{http|https}

Configures the EGuest server details in the profile/device context of the NOC

(access point/controller). When configured, the NOC posts registration requests and captive-portal related data directly to the specified EGuest server.

<1-3> Configures the EGuest server index number. A maximum of three EGuest servers can be configured. host <IPv4/IPv6/HOSTNAME> Configures the EGuest servers IPv4/IPv6 ad-

dress or hostname.

{http|https} Optional. Configures the mode of connection as HTTP or HTTPS. Note: HTTPS is recommended as it uses encryption for transmission and is therefore more secure. Example On the NOC, execute along with the host option to point to the EGuest server. EG-NOC(config-device-74-67-F7-5C-64-4A)#eguest-server 1 host EG-Server https EG-NOC(config-device-74-67-F7-5C-64-4A)#show context include-factory | include eguest-server no eguest-server eguest-server 1 host EG-Server https EG-NOC(config-device-74-67-F7-5C-64-4A)#

Related Commands no Removes the EGuest server IP address/hostname configuration Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 155 PROFILES 7.1.27 email-notification Profile Config Commands Configures e-mail notification settings. When a system event occurs e-mail notifications are sent (provided message logging is enabled) based on the settings configured here. Use this option to configure the outgoing SMTP server settings. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax email-notification [host|recipient]

email-notification recipient <RECIPIENT-NAME>

email-notification host <SMTP-SERVER-IP/HOSTNAME> sender <SENDER-EMAIL>

[port|security|username]

email-notification host <SMTP-SERVER-IP/HOSTNAME> sender <SENDER-EMAIL> [(port <1-

65535>, security [none|ssl|starttls], username <SMTP-USERNAME> password [2 <WORD>|

<WORD>])]

Parameters email-notification recipient <RECIPIENT-EMAIL>

recipient

<RECIPIENT-EMAIL>

Defines the recipients e-mail address. A maximum of 6 (six) e-mail addresses can the configured.

<RECIPIENT-EMAIL> Specify the recipients e-mail address (should not exceed 64 characters in length). email-notification host <SMTP-SERVER-IP/HOSTNAME> sender <SENDER-EMAIL> [(port

<1-65535>, security [none|ssl|starttls], username <SMTP-USERNAME> password [2

<WORD>|<WORD>])]

host

<SMTP-SERVER-IP/

HOSTNAME>

sender

<SENDER-EMAIL>

port <1-65535>

Configures the host SMTP servers IP address or hostname

<SMTP-SERVER-IP/HOSTNAME> Specify the SMTP servers IP address or hostname. Defines the senders e-mail address. This is the from address on notification e-mails.

<SENDER-EMAIL> Specify the senders e-mail address (should not exceed 64 characters in length). Use the email-notification > recipient > <EMAIL-ADDRESS>

command to configure the recipient's address. This option is recursive and applicable to the security and username parameters. Configures the SMTP server port. Use this option to configure a non-standard SMTP port on the outgoing SMTP server. The standard SMTP port is 25.

<1-65535> Specify the port from 1 - 65535. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 156 PROFILES security

[none|ssl|starttls]

username

<SMTP-USERNAME>

password

[2 <WORD>|

<WORD>]

This option is recursive and applicable to the port and username parameters. Configures the SMTP encryption type used none No encryption used ssl Uses Secure Sockets Layer (SSL) encryption between the SMTP server and the client starttls Uses STARTTLS encryption between the SMTP server and the client This option is recursive and applicable to the port and security parameters. Configures the SMTP senders username. Many SMTP servers require users to authenticate with a username and password before sending e-mail through the server.

<SMTP-USERNAME> Specify the SMTP username (should not exceed 64 characters in length). password Configures the SMTP server password. Specify the password associ-

ated with the username of the sender on the outgoing SMTP server. 2 <WORD> Configures an encrypted password

<WORD> Specify the password (should not exceed 127 characters in length). Example rfs6000-37FABE(config-profile-default-rfs6000)#email-notification recipient test@examplecompany.com rfs6000-37FABE(config-profile-default-rfs6000)#show context profile rfs7000 default-rfs7000 dscp-mapping 20 priority 7 no autoinstall configuration no autoinstall firmware

............................................................. interface ge4 ip dhcp trust qos trust dscp qos trust 802.1p use firewall-policy default email-notification recipient test@examplecompany.com service pm sys-restart rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands no Disables or reverts settings to their default Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 157 PROFILES 7.1.28 enforce-version Profile Config Commands Enables checking of a devices firmware version before attempting adoption or clustering Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax enforce-version [adoption|cluster] [full|major|minor|none|strict]

Parameters enforce-version [adoption|cluster] [full|major|minor|none|strict]

adoption cluster full major minor none strict Example Verifies firmware versions before adopting. This option is enabled by default. Verifies firmware versions before clustering. This option is enabled by default. Allows adoption or clustering when the first four octets of the firmware versions match

(for example 5.8.6.0) Allows adoption or clustering when the first two octets of the firmware versions match

(for example 5.8) Allows adoption or clustering when the first three octets of the firmware versions match

(for example 5.8.6) Allows adoption or clustering between any firmware versions Allows adoption or clustering only when firmware versions exactly match (for example 5.8.6.0-008B). This is the default setting for both adoption and cluster options. nx9500-6C8809(config-profile-test-nx5500)#enforce-version cluster full nx9500-6C8809(config-profile-test-nx5500)#enforce-version adoption major nx9500-6C8809(config-profile-test-nx5500)#show context profile nx5500 test-nx5500 no autoinstall configuration no autoinstall firmware crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha

.................................................... interface pppoe1 use firewall-policy default enforce-version adoption major enforce-version cluster full service pm sys-restart router ospf router bgp dot1x system-auth-control dot1x use aaa-policy OnBoarding nx9500-6C8809(config-profile-test-nx5500)#

Related Commands no Disables or reverts settings to their default Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 158 PROFILES 7.1.29 environmental-sensor Profile Config Commands Configures the environmental sensor settings An AP8132 sensor module is a USB environmental sensor extension to an AP8132 model access point. It provides a variety of sensing mechanisms, allowing the monitoring and reporting of the AP8132's radio coverage area. Supported in the following platforms:

Access Points AP8132 Syntax environmental-sensor [humidity|light|motion|polling-interval|temperature]

environmental-sensor [humidity|motion|polling-interval <1-100>|temperature]

environmental-sensor light {holdtime|radio-shutdown|threshold}

environmental-sensor light {holdtime <10-201>|radio-shutdown [all|radio-1|radio-

2]}

environmental-sensor light {threshold [high <100-10000>|low <0-1000>]}

Parameters environmental-sensor [humidity|motion|polling-interval <1-100>|temperature]

environmental-

sensor humidity motion polling-interval

<1-100>

temperature Configures environmental sensor settings on this profile Enables (turns on) humidity sensors. This setting is enabled by default. Enables (turns on) motion sensors.This setting is enabled by default. Configures polling interval, in seconds, on all sensors. This is the interval after which the sensor module polls its environment to assess the various parameters, such as light intensity.

<1-100> Specify a value from 1 - 100 seconds. The default is 5 seconds. Enables (turns on) temperature sensors. This setting is enabled by default. environmental-sensor light {holdtime <10-201>|radio-shutdown [all|radio-1|

radio-2]}

environmental-

sensor light holdtime

<10-201>

Configures environmental sensor settings on this profile Enables (turns on) light sensors and specifies its settings When enabled, the sensor module polls the environment to determine the light intensity. Based on the reading, the system determines whether the AP8132s deployment location has lights on or off. Light intensity also helps determine whether the access points deployment location is currently populated with clients. Optional. Configures a holdtime, in seconds, for the light sensor

<10-201> Specify a value from 10 - 201 seconds. The default value is 11 seconds. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 159 PROFILES radio-shutdown

[all|radio1|radio2]

Optional. Shuts down the sensors radios all Shuts down all radios. This is the default setting. radio1 Shuts down radio 1 radio2 Shuts down radio 2 AP8132s using this profile have their radios shut down, when the radios power falls below the specified threshold. Use the environmental-sensor > light > threshold >

[high|low] command to set the threshold values. environmental-sensor light {threshold [high <100-10000>|low <0-1000>]}

environmental-

sensor light threshold high

<100-10000>

low <0-1000>

Configures environmental sensor settings on this profile Enables (turns on) light sensors and specifies its settings Optional. Configures the upper and lower thresholds for the amount of light in the environment Specifies the upper threshold from 100 - 10000 lux. This value determines whether lighting is on in the AP8132s deployment location. The radios are turned off if the average reading value is lower than the value set here. The default is 400 lux. The light sensor triggers an event if the amount of light exceeds the specified value. Specifies the lower threshold from 0 - 1000 lux. This value determines whether lighting is off in the AP8132s deployment location. The radios are turned on when the average value is higher than the value set here. The default is 200 lux. The light sensor triggers an event if the amount of light drops below the specified value. Example rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor humidity rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor polling-interval 60 rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor light radio-

shutdown all rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor light threshold high 300 rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor light threshold low 100 rfs4000-229D58(config-profile-testRFS4000)#show context profile rfs4000 testRFS4000 bridge vlan 1 tunnel-over-level2 ip igmp snooping ip igmp snooping querier environmental-sensor polling-interval 60 environmental-sensor light threshold high 300 environmental-sensor light threshold low 100 environmental-sensor light radio-shutdown all no autoinstall configuration no autoinstall firmware device-upgrade persist-images

--More--

rfs4000-229D58(config-profile-testRFS4000)#

Related Commands no Removes the environmental sensors settings Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 160 PROFILES 7.1.30 events Profile Config Commands Displays system event messages Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax events [forward on|on]

Parameters events [forward on|on]

Forwards system event messages to the wireless controller, service platform, or cluster members. This feature is enabled by default. on Enables forwarding of system events Generates system events. This feature is enabled by default. forward on on Example rfs6000-37FABE(config-profile-default-rfs6000)#events forward on rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands no Disables or reverts settings to their default Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 161 PROFILES 7.1.31 export Profile Config Commands Enables export of startup.log file after every boot Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax export startup-log [max-retries|retry-interval|url]

export startup-log [max-retries <2-65535>|retry-interval <30-86400>|url <URL>]

Parameters export startup-log [max-retries <2-65535>|retry-interval <30-86400>|url <URL>]

export startup-log max-retries

<2-65535>

retry-interval

<30-86400>

url <URL>

Enables export of the startup.log file after every boot. This option is disabled by default. Configures the maximum number of retries in case the export process fails

<2-65535> Specify a value from 2 - 65535. Configures the interval between two consecutive retries

<30-86400> Specify a value from 30 - 86400 seconds. Configures the destination URL in the following format:

tftp://<hostname|IP>[:port]/path/file ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file sftp://<user>@<hostname|IP>[:port]>/path/file Example nx9500-6C8809(config-profile-test-nx5500)#export startup-log max-retries 10 retry-interval 30 url ftp://anonymous:anonymous@192.168.13.10/log/startup.log nx9500-6C8809(config-profile-test-nx5500)#show context profile nx5500 test-nx5500 no autoinstall configuration no autoinstall firmware crypto ikev1 policy ikev1-default

....................................................... interface ge5 interface ge6 interface pppoe1 use firewall-policy default export startup-log max-retries 10 retry-interval 30 url ftp://

anonymous:anonymous@192.168.13.10/log/startup.log enforce-version adoption major enforce-version cluster full service pm sys-restart

--More--g nx9500-6C8809(config-profile-test-nx5500)#

Related Commands no Disables export of startup.log file Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 162 PROFILES 7.1.32 file-sync Profile Config Commands Configures parameters enabling auto syncing of trustpoint/wireless-bridge certificate between the staging-

controller and its adopted access points This command is applicable to the access points profile as well as device configuration modes. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600 Syntax file-sync [auto|count <1-20>]

Parameters file-sync [auto|count <1-20>]

file-sync

[auto|count <1-20>]

Configures the following file-synching parameters:

auto Enables the staging controller to autoinstall trustpoint/wireless-bridge certificate on an access point when it comes up for the first time and adopts to the controller. Prior to enabling file syncing, ensure that the wireless-bridge certificate is present on the staging controller. To upload the certificate on the controller, in the user or privilege executable modes, execute the following command: file-sync > load-file >

<URL>. count <1-20> Configures the maximum number of access points that can be concurrently auto-installed.

<1-20> Specify a value from 1 - 20. The default is 10 access points. For the NX95XX service platforms the count-range is from 1 - 128. Example nx9500-6C8809(config-profile-default-rfs6000)#file-sync auto nx9500-6C8809(config-profile-default-rfs6000)#file-sync count 8 nx9500-6C8809(config-profile-default-rfs6000)#show context profile rfs6000 default-rfs6000 no autoinstall configuration no autoinstall firmware no device-upgrade auto file-sync count 8 file-sync auto crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac

--More--

nx9500-6C8809(config-profile-default-rfs6000)#

Related Commands no Disables automatic file syncing between the staging-controller and its access points Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 163 PROFILES 7.1.33 floor Profile Config Commands Sets the floor name where the target device (access point, wireless controller, or service platform using this profile) is physically located. Assigning a building floor name helps in grouping devices within the same general coverage area. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax floor <WORD> {<1-4094>}

Parameters floor <WORD> {<1-4094>}

floor <WORD>

{<1-4094>}

Sets the floor name where the target device is located

<WORD> Specify the floor name (should not exceed 64 characters in length).

<1-4094> Optional. Configures the floor number from 1 - 4094. The default is 1. Example rfs6000-37FABE(config-profile-default-rfs6000)#floor fifth rfs6000-37FABE(config-profile-default-rfs6000)#show context profile rfs7000 default-rfs7000 bridge vlan 1 ip igmp snooping ip igmp snooping querier area Ecospace floor fifth autoinstall configuration autoinstall firmware

--More--

rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands no Resets the configured floor name and number Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 164 PROFILES 7.1.34 gre Profile Config Commands The following table summarizes commands that allow you to enter the GRE configuration mode:

Command gre gre-config-

instance Description Enables GRE tunneling on a profile/device This command also creates a GRE tunnel and enters its configuration mode. Use this command to modify an existing GRE tunnels settings. Summarizes GRE tunnel configuration mode commands Reference page 7-166 page 7-168 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 165 PROFILES 7.1.34.1 gre gre Enables Generic Routing Encapsulation (GRE) tunneling on this profile, and creates a new GRE tunnel or modifies an existing GRE tunnel. The GRE protocol allows encapsulation of one protocol over another. It is a tunneling protocol that transports any layer 3 protocol over an IP network. When enabled, a payload packet is first encapsulated in the GRE protocol. The GRE encapsulated payload is then encapsulated in another IP packet before being forwarded to the destination. GRE tunneling can be configured to bridge Ethernet packets between WLANs and a remote WLAN gateway over an IPv4 GRE tunnel. The tunneling of 802.3 packets using GRE is an alternative to MiNT or L2TPv3. Related features like ACLs for extended VLANs are still available using layer 2 tunneling over GRE. Using GRE, access points map one or more VLANs to a tunnel. The remote end point is a user-configured WLAN gateway IP address, with an optional secondary IP address should connectivity to the primary GRE peer be lost. VLAN traffic is expected in both directions in the GRE tunnel. A WLAN mapped to these VLANs can be either open or secure. Secure WLANs require authentication to a remote RADIUS server available within your deployment using standard RADIUS protocols. Access Points can reach both the GRE peer as well as the RADIUS server using IPv4. The WiNG software now supports for both IPv4 or IPv6 tunnel endpoints. However, a tunnel needs to contain either IPv4 or IPv6 formatted device addresses and cannot be mixed. With the new IPv6 tunnel implementation, all outbound packets are encapsulated with the GRE header, then the IPv6 header. The header source IP address is the local address of the IPv6 address of tunnel interface, and the destination address peer address of the tunnel. All inbound packets are de-capsulated by removing the IPv6 and GRE header before sending it over to the IP stack. NOTE: Only one GRE tunnel can be created for every profile. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax gre tunnel <GRE-TUNNEL-NAME>

Parameters gre tunnel <GRE-TUNNEL-NAME>

gre tunnel

<GRE-TUNNEL-NAME>

Creates a new GRE tunnel or modifies an existing GRE tunnel

<GRE-TUNNEL-NAME> If creating a new tunnel, specify a unique name for it. If modifying an existing tunnel, specify its name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 166 PROFILES Example rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#?

GRE Tunnel Mode commands:

dscp Differentiated Services Code Point establishment-criteria Set tunnel establishment criteria failover L2gre tunnel failover mtu L2GRE tunnel endpoint maximum transmission unit(MTU) native Native trunking characteristics no Negate a command or set its defaults peer L2GRE peer tunneled-vlan VLANs to tunnel clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#

rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#peer 1 ip 192.168.13.8 rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#peer 2 ip 192.168.13.10 rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#show context gre tunnel testGREtunnel peer 1 ip 192.168.13.8 peer 2 ip 192.168.13.10 rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#

rfs4000-229D58(config-profile-testRFS4000)#show context profile rfs4000 testRFS4000 bridge vlan 1 tunnel-over-level2 ip igmp snooping ip igmp snooping querier

................................................................................ . use firewall-policy default service pm sys-restart router ospf gre tunnel testGREtunnel peer 1 ip 192.168.13.8 peer 2 ip 192.168.13.10 rfs4000-229D58(config-profile-testRFS4000)#

Related Commands no Disables GRE tunneling on this profile Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 167 PROFILES 7.1.34.2 gre-config-instance gre The following table summarizes GRE tunnel configuration mode commands:

Command dscp establishment-

criteria failover mtu native no peer tunneled-vlan Description Sets the GRE tunnels Differentiated Services Code Point (DSCP) / 802.1q priority value Configures the GRE tunnel establishment criteria Reference page 7-169 page 7-169 Enables periodic pinging of the primary gateway to assess its availability, in case it is unreachable Configures the maximum transmission unit (MTU) for IPv4/IPv6 L2GRE tunnel endpoints Configures native trunking settings for this GRE tunnel Removes the GRE tunnel settings based on the parameters passed Configures the GRE tunnels end-point peers Defines the VLAN that connected clients use to route GRE-tunneled traffic within their respective WLANs page 7-171 page 7-172 page 7-173 page 7-174 page 7-175 page 7-176 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 168 PROFILES 7.1.34.2.1 dscp gre-config-instance Sets the GRE tunnels DSCP / 802.1q priority value from encapsulated packets to the outer packet IPv4 header. This option is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax dscp [<0-63>|reflect]

Parameters dscp [<0-63>|reflect]

dscp <0-63>

dscp reflect Specifies the DSCP 802.1q priority value for outer packets from 0 - 63. The default is 1. Copies the DSCP 802.1q value from inner packets Example rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#dscp 20 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context gre tunnel testGRETunnel dscp 20 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#

Related Commands no Removes the GRE tunnel settings based on the parameters passed Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 169 PROFILES 7.1.34.2.2 establishment-criteria gre-config-instance Configures the GRE tunnel establishment criteria In a multi-controller RF domain, it is always the master node that establishes the tunnel. The tunnel is created only if the tunnel device is designated as one of the following: vrrp-master, cluster-master, or rf-

domain-manager. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-

255>]

Parameters establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-

255>]

establishment-criteria

[always|

cluster-master|

rf-domain-manager|

vrrp-master <1-255>]

Configures the GRE tunnel establishment criteria. The options are:

always Always automatically establishes tunnel (default setting). The tunnel device need not be a cluster master, RF Domain manager, or VRRP master to establish the GRE tunnel. This is the default setting. cluster-master Establishes tunnel only if the tunnel device is designated as the cluster master rf-domain-manager Establishes tunnel only if the tunnel device is designated as the RF Domain manager vrrp-master <1-255> Establishes tunnel only if the tunnel device is designated as the Virtual Router Redundancy (VRRP) master

<1-255> Configures the VRRP group ID from 1 - 255. A VRRP group enables the creation of a group of routers as a default gateway for redundancy. Clients can point to the IP address of the VRRP virtual router as their default gateway and utilize a dif-

ferent group member if a master becomes unavailable. Example nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#establishment-

criteria rf-domain-manager nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#show context gre tunnel testGREtunnel establishment-criteria rf-domain-manager nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 170 PROFILES 7.1.34.2.3 failover gre-config-instance Enables periodic pinging of the primary gateway to assess its availability. When enabled, the system continues pinging, an unreachable gateway, for a specified number of times and at the specified interval. This option is disabled by default. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax failover interval <1-250> retry <1-10>

Parameters failover interval <1-250> retry <1-10>

failover interval

<1-250>

retry <1-10>

Specifies the interval, in seconds, between two successive pings to the primary gateway. If the primary gateway is unreachable, the system pings it at intervals specified here.

<1-250> Specify a value from 1 - 250 seconds. retry Specifies the maximum number attempts made to ping the primary gate-

way before the session is terminated.

<1-10> Specify a value from 1 - 10. Example rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#failover interval 200 retry 5 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context gre tunnel testGRETunnel dscp 20 failover interval 200 retry 5 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#

Related Commands no Removes the GRE tunnel settings based on the parameters passed Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 171 PROFILES 7.1.34.2.4 mtu gre-config-instance Configures the MTU for IPv4/IPv6 L2GRE tunnel endpoints The MTU is the largest physical packet size (in bytes) transmittable within the tunnel. Any messages larger than the configured MTU are divided into smaller packets before transmission. Larger the MTU greater is the efficiency because each packet carries more user data, while protocol overheads, such as headers or underlying per-packet delays remain fixed; the resulting higher efficiency means a slight improvement in bulk protocol throughput. A larger MTU results in the processing of fewer packets for the same amount of data. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mtu [ipv4 <900-1476>|ipv6 <1236-1456>]

Parameters mtu [ipv4 <900-1476>|ipv6 <1236-1456>]

mtu

[ipv4 <900-1476>|

ipv6 <1236-1456>]

Configures the MTU for L2GRE tunnel endpoints ipv4 <900-1476> Configures IPv4 L2GRE tunnel endpoint MTU from 900 - 1476. The default is 1476. ipv6 <1236-1456> Configures IPv6 L2GRE tunnel endpoint MTU from 1236 - 1456. The default is 1456. Example nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#mtu ipv4 1200 nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#mtu ipv6 1300 nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#show context gre tunnel testGREtunnel mtu ipv4 1200 mtu ipv6 1300 establishment-criteria rf-domain-manager nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 172 PROFILES 7.1.34.2.5 native gre-config-instance Configures native trunking settings for this GRE tunnel Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax native [tagged|vlan <1-4094>]

Parameters native [tagged|vlan <1-4094>]

native tagged native vlan <1-4094>

Enables native VLAN tagging The IEEE 802.1Q specification is supported for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying the VLAN ID for upstream devices that the frame belongs. If the upstream Ethernet device does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between devices, both devices must support tagging and be configured to accept tagged VLANs. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q frame is included in the frame. This feature is disabled by default. Specifies a numerical VLAN ID (1 - 4094) for the native VLAN The native VLAN allows an Ethernet device to associate untagged frames to a VLAN, when no 802.1q frame is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode. Example nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#native tagged nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#native vlan 20 nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#show context gre tunnel testGREtunnel native vlan 20 native tagged mtu ipv4 1200 mtu ipv6 1300 establishment-criteria rf-domain-manager nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#

Related Commands no Removes the GRE tunnel settings based on the parameters passed Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 173 PROFILES 7.1.34.2.6 no gre-config-instance Removes or resets the GRE tunnel settings based on the parameters passed Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [dscp|establishment-criteria|failover|mtu|native|peer|tunneled-vlan]

no [dscp|establishment-criteria|failover|tunneled-vlan]

no mtu [ipv4|ipv6]

no native [tagged|vlan]

no peer <1-2>

Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or resets the GRE tunnels settings based on the parameters passed Example The following example shows the GRE tunnel testGRETunnel settings before the no commands are executed:

rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context gre tunnel testGRETunnel peer 1 ip 192.168.13.6 native vlan 1 tunneled-vlan 1,10 native tagged dscp 20 failover interval 200 retry 5 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#

rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no dscp rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no native vlan rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no tunneled-vlan rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no failover The following example shows the GRE tunnel testGRETunnel settings after the no commands are executed:

rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context gre tunnel testGRETunnel peer 1 ip 192.168.13.6 native tagged rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 174 PROFILES 7.1.34.2.7 peer gre-config-instance Adds the GRE tunnels end-point peers. A maximum of two peers, representing the tunnels end points, can be added for each GRE tunnel. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax peer <1-2> ip <IPv4/IPv6>

Parameters peer <1-2> ip <IPv4/IPv6>

peer <1-2> ip

<IPv4/IPv6>

Configures the tunnels end-point peers

<1-2> Specify a numeric index for each peer to help differentiate the tunnel end points. ip Specify the IP address (IPv4/IPv6) of the added GRE peer to serve as a network address identifier.

<IPv4/IPv6> Specify the peers IPv4 or IPv6 address. Example rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#peer 1 ip 192.168.13.6 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context gre tunnel testGRETunnel peer 1 ip 192.168.13.6 native tagged dscp 20 failover interval 200 retry 5 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#

Related Commands no Removes the GRE tunnel settings based on the parameters passed Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 175 PROFILES 7.1.34.2.8 tunneled-vlan gre-config-instance Defines the VLAN that connected clients use to route GRE tunneled traffic within their respective WLANs Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax tunneled-vlan <VLAN-ID>

Parameters tunneled-vlan <VLAN-ID>

tunneled-vlan

<VLAN-ID>

Specifies the VLANs associated with this GRE tunnel

<VLAN-ID> Specify the VLAN IDs. Specify a comma-separated list of IDs, to specify multiple VLANs. For example, 1,10,12,16-20. Example rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#

tunneled-vlan 10 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context gre tunnel testGRETunnel peer 1 ip 192.168.13.6 native vlan 1 tunneled-vlan 1,10 native tagged dscp 20 failover interval 200 retry 5 rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#

Related Commands no Removes the GRE tunnel settings based on the parameters passed Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 176 PROFILES 7.1.35 http-analyze Profile Config Commands Enables forwarding of HTTP request related data to the HTTP analytics engine Wireless clients (MUs) connect to APs and route their HTTP requests through the APs. These APs extract and forward HTTP request packets, through MiNT, to the NX series controller. The NX series controller uses a new analytic daemon to cache, format, and forward information to the analytics engine. Currently the analytics daemon is supported only on the NX series service platform. Therefore, it is essential that all APs should use an NX series service platform as controller. In a hierarchically organized network, HTTP analytics data forwarding is a simple and transparent process. The site controllers receive the HTTP data from adopted APs adopted. This data is compressed and forwarded to the Network Operations Center (NOC) controller. There is no need for a separate configuration to enable this feature. Use this command to configure the mode and interval at which data is sent to the controller and the external analytics engine. This command also configures the external engines details, such as URL, credentials, etc. NOTE: The Analytics module helps gather data about customer behavior such as web sites visited, search terms used, mobile device types, number of new users vs. repeat users. This data provides a better understanding of pricing strategies and promotions being run by competitors. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax http-analyze [compress|external-server|update-interval <1-3600>]

http-analyze [compress|update-interval <1-3600>

http-analyze external-server [password <WORD>|proxy <URL>|update-interval <1-

3600>|url <URL>|username <WORD>|validate-server-certificate]

Parameters http-analyze compress update-interval

<1-3600>

http-analyze [compress|update-interval <1-3600>]

Configures HTTP analysis related parameters Compresses update files before forwarding to the controller. This option is disabled by default. Configures the interval, in seconds, at which buffered packets are pushed to the controller

<1-3600> Specify the interval from 1 - 3600 seconds. The default is 60 seconds. http-analyze external-server [password <WORD>|proxy <URL>|update-interval|

url|username|validate-server-certificate]

http-analyze external-

server Configures the external HTTP analytics engines parameters Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 177 PROFILES password <WORD>

Configures the external analytics engines password

<WORD> Provide the login password. This is the password associated with the proxy <URL>

user name needed to access the external analytics engine. Configures the proxy servers uniform resource locator (URL)

<URL> Specify the proxy servers URL in the following format: http://

username:password@proxy-server:port. For example, http://

mot:sym@wwwgate0.mot.com:1080 update-interval

<1-36000>

url <URl>

username <WORD>

validate-server-

certificate Configures the interval, in seconds, at which buffered packets are pushed to the external analytics engine

<1-3600> Specify the interval from 1 - 3600 seconds. The default is 60 seconds. Configures the external analytics engines IP address or URL

<URL> Provide the IP address or URL. Configures the user name needed to access the external analytics engine

<WORD> Provide the user name. Validates the external analytics engines certificate, if it is using HTTPS as the mode of access Example rfs6000-37FABE(config-profile-default-rfs6000)#http-analyze compress rfs6000-37FABE(config-profile-default-rfs6000)#http-analyze update-interval 200 rfs6000-37FABE(config-profile-default-rfs6000)#show context profile rfs7000 default-rfs7000 bridge vlan 1

..................................................................... qos trust 802.1p interface pppoe1 use firewall-policy default http-analyze update-interval 200 http-analyze compress service pm sys-restart router ospf rfs6000-37FABE(config-profile-default-rfs6000)#

nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server username anonymous nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server password anonymous nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server validate-

server-certificate nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server update-

interval 100 nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server url https://192.168.13.10 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 178 PROFILES nx9500-6C8809(config-profile-test-nx5500)#show context profile nx5500 test-nx5500 no autoinstall configuration no autoinstall firmware

...................................................... interface ge5 interface ge6 interface pppoe1 use firewall-policy default export startup-log max-retries 10 retry-interval 30 url ftp://

anonymous:anonymous@192.168.13.10/log/startup.log http-analyze external-server url https://192.168.13.10 http-analyze external-server username anonymous http-analyze external-server password anonymous http-analyze external-server update-interval 100 enforce-version adoption major enforce-version cluster full

--More--

nx9500-6C8809(config-profile-test-nx5500)#

nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server proxy http://mot:sym@wwwgate0.mot.com:1080 nx9500-6C8809(config-profile-test-nx5500)#show context profile nx5500 test-nx5500 no autoinstall configuration no autoinstall firmware crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default

............................................................... http-analyze external-server url https://192.168.13.10 http-analyze external-server username anonymous http-analyze external-server password anonymous http-analyze external-server update-interval 100 http-analyze external-server proxy http://mot:sym@wwwgate0.mot.com:1080 enforce-version adoption major enforce-version cluster full service pm sys-restart router ospf router bgp dot1x system-auth-control dot1x use aaa-policy OnBoarding nx9500-6C8809(config-profile-test-nx5500)#

Related Commands no Disables HTTP analyze settings Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 179 PROFILES 7.1.36 interface Profile Config Commands The following table summarizes interface configuration commands:

Command interface interface-config-ge-

instance interface-config-

vlan-instance interface-config-

port-channel-

instance interface-config-

radio-instance interface-config-

wwan-instance interface-config-

bluetooth-instance Description Selects an interface to configure Summarizes Ethernet interface (associated with the wireless controller or service platform) configuration commands Summarizes VLAN interface configuration commands Reference page 7-181 page 7-184 page 7-217 Summarizes port-channel interface configuration commands page 7-235 Summarizes radio interface configuration commands (applicable to devices with built-in radios) Summarizes WWAN interface configuration commands Summarizes the Bluetooth radio interface configuration commands

(supported only on the AP8432 and AP8533 model access points page 7-252 page 7-327 page 7-337 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 180 PROFILES 7.1.36.1 interface interface Selects an interface to configure A profiles interface configuration can be defined to support separate physical Ethernet configurations both unique and specific to RFS4000, RFS6000 controllers and NX7500 and NX95XX series service platforms. Ports vary depending on the platform, but controller or service platform models do have some of the same physical interfaces. A controller or service platform requires its virtual interface be configured for layer 3 (IP) access or layer 3 service on a VLAN. A virtual interface defines which IP address is associated with each VLAN ID the controller or service platform is connected to. If the profile is configured to support an access point radio, an additional radio interface is available, unique to the access points radio configuration. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax Service Platforms interface [<INTERFACE-NAME>|fe <1-4>|ge <1-24>|me1|port-channel <1-4>|pppoe1|

radio [1|2|3]|serial <1-4>|t1e1 <1-4>|up <1-2>|vlan <1-4094>|wwan1|xge <1-4>]

Syntax Access Points and Wireless Controllers interface [<INTERFACE-NAME>|bluetooth <1-1>|fe <1-4>|ge <1-8>|me1|port-channel <1-

4>|pppoe1|radio [1|2|3]|up1|vlan <1-4094>|wwan1|xge <1-4>]

Parameters interface [<INTERFACE-NAME>|bluetooth <1-1>|fe <1-4>|ge <1-8>|me1|port-channel

<1-4>|radio [1|2|3]|serial <1-4>|t1e1 <1-4>|up <1-2>|vlan <1-4094>|wwan1|xge <1-

4>]

<INTERFACE-NAME>

bluetooth <1-1>

Enters the configuration mode of the interface identified by the <INTERFACE-

NAME> keyword Selects the Bluetooth radio interface

<1-1> Specify the Bluetooth radio interface index from 1 - 1. As of now only one Bluetooth radio interface is supported. fe <1-4>

ge <1-24>

This interface is applicable only for the AP8432 and AP8533 model access points. Selects a FastEthernet interface

<1-4> Specify the interface index from 1 - 4. Selects a GigabitEthernet interface

<1-24> Specify the interface index from 1 - 24. (4 for RFS7000 and 8 for RFS6000). Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 181 PROFILES me1 port-channel <1-4>

pppoe1 radio [1|2|3]

up1 vlan <1-4094>

wwan1 xge <1-4>

Usage Guidelines Selects a management interface Not applicable for RFS4000 model devices. The management interface is applicable only for RFS6000 and RFS7000 model controllers. Selects the port channel interface

<1-4> Specify the interface index from 1 - 4. Selects the PPP over Ethernet interface to configure Selects a radio interface 1 Selects radio interface 1 2 Selects radio interface 2 3 Selects radio interface 3 The radio interface is not available on wireless controllers or service platforms. Selects the uplink GigabitEthernet interface Selects a VLAN interface

<1-4094> Specify the SVI VLAN ID from 1 - 4094. Selects a Wireless WAN interface This interface is applicable only to AP7161, AP81XX, AP8232, RFS4000, RFS6000 model access points and controllers. Selects a TenGigabitEthernet interface

<1-2> Specify the interface index from 1 - 4. The ports available on a device vary depending on the model. For example, the following ports are available on RFS4000, RFS6000 and RFS7000 model wireless controllers:

RFS4000 - ge1, ge2, ge3, ge4, ge5, up1 RFS6000 - ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1 GE ports on are RJ-45 supporting 10/100/1000Mbps.. ME ports are available on RFS6000 platforms. ME ports are out-of-band management ports used to manage the controller via CLI or Web UI, even when the other ports on the controller are unreachable. The ports available on service platforms also vary depending on the model. For example, the following ports are available on NX series service platforms:

NX7500 - ge1-ge10, xge1-xge2 NX95XX series - ge1, ge2, xge1-xge4 EX3500 ge1-1 to ge1-24 EX3548 ge1-1 to ge1-48 GE ports are available on devices, such as RFS4000 and RFS6000controllers. GE ports are RJ-45 supporting 10/100/1000Mbps. ME ports are available on RFS6000 platforms. ME ports are out-of-band management ports used to manage the controller via CLI or Web UI, even when the other ports on the controller are unreachable. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 182 UP ports are available on RFS4000 and RFS6000 platforms. A UP port is used to connect to the backbone network. UP ports are available on devices, such as RFS4000 and RFS6000 controllers. A UP port supports either RJ-45 or fiber. The UP port is the preferred means to connect to the backbone as it has a non-blocking 1gbps connection unlike the GE ports. PROFILES The following ports are available on access points:

AP6511 - fe1, fe2, fe3, fe4, up1 AP6521 - GE1/POE (LAN) AP6522 - GE1/POE (LAN) AP6532 - GE1/POE AP6562 - GE1/POE AP7161 - GE1/POE (LAN), GE2 (WAN) AP7502 - GE1 (THRU), fe1, fe2, fe3, AP7522 - GE1/POE (LAN) AP7532 - GE1/POE (LAN) AP81XX - GE1/POE (LAN), GE2 (WAN) AP82XX - GE1/POE (LAN), GE2 (WAN) Example NOTE: For a NX7500 model service platform, there are options for either a 2 port or 4 port network management card. Either card can be managed using WiNG. If the 4 port card is used, ports ge7-ge10 are available. If the 2 port card is used, ports xge1-xge2 are available. rfs6000-37FABE(config-profile-default-rfs6000-if-vlan44)#

rfs6000-37FABE(config-profile-default-rfs6000-if-vlan44)#?

SVI configuration commands:

crypto Encryption module description Vlan description dhcp Dynamic Host Configuration Protocol (DHCP) dhcp-relay-incoming Allow on-board DHCP server to respond to relayed DHCP packets on this interface ip Interface Internet Protocol config commands ipv6 Internet Protocol version 6 (IPv6) no Negate a command or set its defaults shutdown Shutdown the selected interface use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-37FABE(config-profile-default-rfs6000-if-vlan44)#

Related Commands no Removes the selected interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 183 PROFILES 7.1.36.2 interface-config-ge-instance interface This section documents the GigabitEthernet configuration commands. GE port placement and quantity varies depending on the controller, service platform, or access point model. Configure the GE interface either in the devices profile-config context or directly on a device. The following example uses the config-profile-default-rfs7000 instance to configure a GigabitEthernet interface:

nx9500-6C8809(config-profile-testNX9000-if-ge2)#?

Interface configuration commands:

captive-portal-enforcement Enable captive-portal enforcement on this port cdp Cisco Discovery Protocol channel-group Channel group commands description Interface specific description dot1x 802.1X duplex Set duplex to interface ip Internet Protocol (IP) ipv6 Internet Protocol version 6 (IPv6) lacp LACP commands lacp-channel-group LACP channel commands lldp Link Local Discovery Protocol mac-auth Enable mac-auth for this port no Negate a command or set its defaults power PoE Command qos Quality of service remove-override Remove configuration item override from the device (so profile value takes effect) shutdown Shutdown the selected interface spanning-tree Spanning tree commands speed Configure speed switchport Set switching mode characteristics use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-profile-testNX9000-if-ge2)#

The following table summarizes the interface configuration commands:

Command captive-portal-

enforcement cdp channel-group description dot1x

(authenticator) Description Enables captive-portal enforcement on this Ethernet port Enables Cisco Discovery Protocol (CDP) on this Ethernet port Assigns this Ethernet port to a channel group Configures a description for this Ethernet port Configures 802.1X authenticator settings Reference page 7-186 page 7-187 page 7-188 page 7-189 page 7-190 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 184 Command dot1x

(supplicant) duplex ip ipv6 lacp lacp-channel-

group lldp mac-auth no power qos shutdown spanning-tree speed switchport use Description Configures 802.1X supplicant settings Specifies the duplex mode for the interface Sets the IP address for this Ethernet port Sets the DHCPv6 and ICMPv6 neighbor discovery (ND) components for this interface Configures the selected GE ports Link Aggregation Control Protocol

(LACP) port-priority value Configures the selected GE port as a member of a port-channel group

(also referred as LAG) Configures Link Local Discovery Protocol (LLDP) Enables MAC-based authentication on this Ethernet port Removes or reverts the selected Ethernet port settings Configures Power over Ethernet (PoE) settings on this interface Enables QoS Disables the selected Ethernet port Configures spanning tree parameters Specifies the speed on this Ethernet port Sets interface switching mode characteristics Associates IPv4, IPv6, and/or MAC ACL with the selected Ethernet port PROFILES Reference page 7-193 page 7-195 page 7-196 page 7-197 page 7-199 page 7-200 page 7-202 page 7-203 page 7-204 page 7-205 page 7-206 page 7-207 page 7-208 page 7-211 page 7-212 page 7-215 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 185 PROFILES 7.1.36.2.1 captive-portal-enforcement interface-config-ge-instance Enables application of captive portal access permission rules to data transmitted over this specific Ethernet port. This setting is disabled by default. Captive portal enforcement allows users on the wired network to pass traffic through the captive portal without being redirected to an authentication page. Authentication instead takes place when the RADIUS server is queried against the wired user's MAC address. If the MAC address is in the RADIUS server's user database, the user can pass traffic on the captive portal. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax captive-portal-enforcement {fall-back}

Parameters captive-portal-enforcement {fall-back}

captive-portal-

enforcement fall-back Enables captive-portal enforcement on this Ethernet port fall-back Optional. Enforces captive portal validation only if port authentication fails. When selected, captive portal policies are enforced only when RADIUS authentication of the client MAC address is not successful. If this option is not selected, captive portal policies are enforced regardless of the client's MAC address being in the RADIUS server's user database or not. Example rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge2)#captive-portal-

enforcement rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge2)#show context interface ge2 captive-portal-enforcement rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge2)#

Related Commands no Disables captive-portal enforcement on this interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 186 PROFILES 7.1.36.2.2 cdp interface-config-ge-instance Enables CDP on the selected GE port Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax cdp [receive|transmit]

Parameters cdp [receive|transmit]

receive transmit Enables CDP packet snooping on this interface. When enabled, the port receives periodic interface updates from a multicast address. This option is enabled by default. Enables CDP packet transmission on this interface. When enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors. This option is enabled by default. Example rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#cdp transmit Related Commands no Disables CDP packet snooping on the controller or service platforms selected GE ports Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 187 PROFILES 7.1.36.2.3 channel-group interface-config-ge-instance Assigns this Ethernet port to a channel group. Ethernet ports can be aggregated to form a channel group. For example, an RFS7000 has four (4) Ethernet ports (1, 2, 3, & 4). These can be aggregated to form a minimum of one and maximum of two channel groups. A port can be a member of only one channel group at a time. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax channel-group <1-4>

Parameters channel-group <1-4>

<1-4>

Example Specifies a channel group number from 1 - 4. The number of channel groups supported varies with the device type. For example:

RFS7000 Supports two channel groups RFS6000 Supports four channel groups RFS4000 Supports three channel groups NX5500 Supports three channel groups NX75XX Supports four channel groups NX95XX Supports two channel groups rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#channel-group 1 rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context interface ge1 ip dhcp trust qos trust dscp qos trust 802.1p channel-group 1 rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands no Removes the channel group to which this port belongs Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 188 PROFILES 7.1.36.2.4 description interface-config-ge-instance Configures a description for this Ethernet port Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax description [<LINE>|<WORD>]

Parameters description [<LINE>|<WORD>]

<LINE>

<WORD>

Configures the maximum length (number of characters) of the interface description Configures a unique description for this interface. The description should not exceed the length specified by the <LINE> parameter. Example rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#description This is GigabitEthernet interface for Royal King rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context interface ge1 description "This is GigabitEthernet interface for Royal King"

ip dhcp trust qos trust dscp qos trust 802.1p channel-group 1 rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands no Removes the interface description Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 189 PROFILES 7.1.36.2.5 dot1x (authenticator) interface-config-ge-instance Configures 802.1X authenticator settings Dot1x (or 802.1x) is an IEEE standard for network authentication. It enables media-level (layer 2) access control, providing the capability to permit or deny connectivity based on user or device identity. Dot1x allows port-based access using authentication. An dot1x enabled port can be dynamically enabled or disabled depending on user identity or device connection. Devices supporting dot1x allow the automatic provision and connection to the wireless network without launching a Web browser at login. When within range of a dot1x network, a device automatically connects and authenticates without needing to manually login. Before authentication, the endpoint is unknown, and traffic is blocked. Upon authentication, the endpoint is known and traffic is allowed. The controller or service platform uses source MAC filtering to ensure only the authenticated endpoint is allowed to send traffic. Supported in the following platforms:

Access Points AP6521, AP6522, AP6562, AP7161, AP7502, AP81XX, AP8232, AP8432 Wireless Controllers RFS4000, RFS6000, NX5500, NX7500 Syntax dot1x authenticator [guest-vlan|host-mode|max-reauth-req|port-control|

reauthenticate|timeout]

dot1x authenticator [guest-vlan <1-4094>|host-mode [multi-host|single-host]|

max-reauth-req <1-10>|port-control [auto|force-authorized|force-unauthorized]|

reauthenticate|timeout [quiet-period|reauth-period] <1-65535>]

NOTE: The dot1x (802.1x) supplicant settings are documented in the next section. Parameters dot1x authenticator [guest-vlan <1-4094>|host-mode [multi-host|single-host]|

max-reauth-req <1-10>|port-control [auto|force-authorized|force-unauthorized]|

reauthenticate|timeout [quiet-period|reauth-period]]

dot1x authenticator guest-vlan <1-4094>

host-mode

[multi-host|

single-host]

max-reauth-req

<1-10>

Configures 802.1x authenticator settings Configures the guest VLAN for this interface. This is the VLAN, traffic is bridged on if this port is unauthorized and the guest VLAN is globally enabled. Select the VLAN index from 1 - 4094. Configures the host mode for this interface multi-host Configures multiple host mode single-host Configures single host mode. This is the default setting. Configures maximum number of re-authorization retries for the supplicant. This is the maximum number of re-authentication attempts made before this port is moved to unauthorized.

<1-10> Specify a value from 1 -10. The default is 2. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 190 PROFILES port-control

[auto|

force-authorized|

force-unauthorized]

reauthenticate timeout [quiet-period|

reauth-period]

<1-65535>

Configures port control state auto Configures auto port state force-authorized Configures authorized port state. This is the default setting. force-unauthorized Configures unauthorized port state Enables re-authentication for this port. When enabled, clients are forced to re-

authenticate on this port. The setting is disabled by default. Therefore, clients are not required to re-authenticate for connection over this port until this setting is enabled. Configures timeout settings for this interface quiet-period Configures the quiet period timeout in seconds. This is the interval, in seconds, between successive client authentication attempts. reauth-period Configures the time after which re-authentication is initiated The following option is common to quiet-period and reauth-period keywords:

<1-65535> Specify a quiet-period or reauth-period from 1 - 65535 seconds. Example rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x authenticator guest-vlan 2 rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x authenticator host-mode multi-host rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x authenticator max-reauth-

req 6 rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x authenticator reauthenticate rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context interface ge1 dot1x authenticator host-mode multi-host dot1x authenticator guest-vlan 2 dot1x authenticator reauthenticate dot1x authenticator max-reauth-count 6 ip dhcp trust qos trust dscp qos trust 802.1p rfs4000-229D58(config-profile-testRFS4000-if-ge1)#

The following examples show the configurations made on an RFS6000 to enable it as a dot1X authenticator:

1 Configure AAA policy on the authenticator, and identify the authentication server as onboard (self):

rfs6000-817379(config-aaa-policy-aaa-wireddot1x)#show context aaa-policy aaa-wireddot1x authentication server 1 onboard controller rfs6000-817379(config-aaa-policy-aaa-wireddot1x)#

This AAA policy is used in the authenticators self configuration mode as shown in the last step. 2 Configure RADIUS user policy on the authenticator:

rfs6000-817379(config-radius-user-pool-wired-dot1x-users)#show con radius-user-pool-policy wired-dot1x-users user bob password 0 bob1234 rfs6000-817379(config-radius-user-pool-wired-dot1x-users)#

The user name and password configured here should match that of the supplicant. For more information, see the examples provided in the dot1x (supplicant) section. 3 Configure RADIUS server policy on the authenticator, and associate the RADIUS user policy created in the previous step:

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 191 PROFILES rfs6000-817379(config-radius-server-policy-for-wired-dot1x)#show con radius-server-policy for-wired-dot1x use radius-user-pool-policy wired-dot1x-users rfs6000-817379(config-radius-server-policy-for-wired-dot1x)#

4 In the authenticators self configuration mode, associate the RADIUS server policy, created in the previous step, and configure other parameters (in bold) as shown in the following example:

rfs6000-817379(config-device-00-15-70-81-73-79)#use radius-server-policy for-

wired-dot1x 5 In the authenticators interface > ge configuration mode, configure the following parameters:

rfs6000-817379(config-device-00-15-70-81-73-79-if-ge2)#dot1x authenticator host-mode single-host rfs6000-817379(config-device-00-15-70-81-73-79-if-ge2)#dot1x authenticator port-control auto 6 In the authenticators self configuration mode, configure the following parameters:

rfs6000-817379(config-device-00-15-70-81-73-79)#dot1x system-auth-control rfs6000-817379(config-device-00-15-70-81-73-79)#dot1x use aaa-policy aaa-

wireddot1x Following example displays the above configured parameters:

rfs6000-817379(config-device-00-15-70-81-73-79)#show context use profile default-rfs6000 use rf-domain default hostname rfs6000-817379 use radius-server-policy for-wired-dot1x interface me1 ip address 192.168.0.1/24 interface ge2 dot1x authenticator host-mode single-host dot1x authenticator port-control auto interface vlan1 ip address dhcp ip dhcp client request options all logging on logging console debugging dot1x system-auth-control dot1x use aaa-policy aaa-wireddot1x

--More--

rfs6000-817379(config-device-00-15-70-81-73-79)#

Related Commands no Disables or reverts interface settings to their default Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 192 PROFILES 7.1.36.2.6 dot1x (supplicant) interface-config-ge-instance Configures 802.1X supplicant (client) settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, NX5500, NX7500 Syntax dot1x supplicant username <USERNAME> password [0 <WORD>|2 <WORD>|<WORD>]

Parameters dot1x supplicant username <USERNAME> password [0 <WORD>|2 <WORD>|<WORD>]

dot1x supplicant username

<USERNAME>

password

[0 <WORD>|

2 <WORD>|

<WORD>]

Configures 802.1x suppliant settings Sets the username for authentication

<USERNAME> Specify the supplicants username. Sets the password associated with the supplicants username. Select any one of the following options:

0 <WORD> Sets a clear text password 2 <WORD> Sets an encrypted password

<WORD> Specify the password. Example rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x supplicant username bob password 0 test@123 rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context interface ge1 dot1x supplicant username bob password 0 test@123 dot1x authenticator host-mode multi-host dot1x authenticator guest-vlan 2 dot1x authenticator reauthenticate dot1x authenticator max-reauth-count 6 ip dhcp trust qos trust dscp qos trust 802.1p rfs4000-229D58(config-profile-testRFS4000-if-ge1)#

The following example shows the configuration made on an AP7522 to enable it as a dot1X supplicant:

ap7522-85B19C(config-device-84-24-8D-85-B1-9C-if-ge2)#dot1x supplicant username bob password 0 bob1234 ap7522-85B19C(config-device-84-24-8D-85-B1-9C)#show context use profile default-ap7522 use rf-domain default hostname ap7522-85B19C no adoption-mode interface ge1 switchport mode access switchport access vlan 1 dot1x supplicant username bob password 0 bob1234 logging on logging console debugging

--More--

ap7522-85B19C(config-device-84-24-8D-85-B1-9C Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 193 Related Commands no Removes 802.1X supplicant (client) settings PROFILES Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 194 PROFILES 7.1.36.2.7 duplex interface-config-ge-instance Configures duplex mode (for the flow of packets) on this Ethernet port Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax duplex [auto|half|full]

Parameters duplex [auto|half|full]

auto half full Example Enables automatic duplexity on an interface port. The port automatically detects whether it should run in full or half-duplex mode. (default setting) Sets the port to half-duplex mode. Allows communication in one direction only at any given time. When selected, data is sent over the port, then immediately data is received from the direction in which the data was transmitted. Sets the port to full-duplex mode. Allows communication in both directions simultaneously. When selected, the port can send data while receiving data as well. rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#duplex full rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context interface ge1 description "This is GigabitEthernet interface for Royal King"

duplex full dot1x supplicant username Bob password 0 test@123 ip dhcp trust qos trust dscp qos trust 802.1p channel-group 1 rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands no Reverts to default (auto) Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 195 PROFILES 7.1.36.2.8 ip interface-config-ge-instance Sets the ARP and DHCP components for this Ethernet port Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ip [arp|dhcp]

ip [arp [header-mismatch-validation|trust]|dhcp trust]

Parameters ip [arp [header-mismatch-validation|trust]|dhcp trust]

arp [header-

mismatch-validation|

trust]

Configures ARP packet settings header-mismatch-validation Enables matching of source MAC address in the ARP and Ethernet headers to check for mismatch. This option is disabled by default. dhcp trust trust Enables trust state for ARP responses on this interface. When enabled, ARP packets received on this port are considered trusted and information from these packets is used to identify rogue devices within the network. This option is disabled by default. Enables trust state for DHCP responses on this interface. When enabled, only DHCP responses are trusted and forwarded on this port, and a DHCP server can be connected only to a DHCP trusted port. This option is enabled by default. Example rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#ip dhcp trust rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#ip arp header-mismatch-

validation rfs7000-37FABE(config-profile-default-rfs6000-if-ge1)#show context interface ge1 description "This is GigabitEthernet interface for Royal King"

duplex full dot1x supplicant username Bob password 0 test@123 ip dhcp trust ip arp header-mismatch-validation qos trust dscp qos trust 802.1p channel-group 1 rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands no Removes the ARP and DHCP components configured for this interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 196 PROFILES 7.1.36.2.9 ipv6 interface-config-ge-instance Sets the DHCPv6 and ICMPv6 neighbor discovery (ND) components for this interface The ICMPv6 ND protocol uses ICMP messages and solicited multicast addresses to track neighboring devices on the same local network. These messages are used to discover a neighbors link layer address and to verify if a neighboring device is reachable. The ICMP messages are neighbor solicitation (NS) and neighbor advertisement (NA) messages. When a destination host receives an NS message from a neighbor, it replies back with a NA. The NA contains the following information:

Source address This is the IPv6 address of the device sending the NA Destination address This is the IPv6 address of the device from whom the NS message is received Data portion Includes the link layer address of the device sending the NA NS messages are used to verify a neighbors (whose ink layer address is known) reachability. To confirm a neighbors reachability a node sends an NS message in which the neighbors unicast address is specified as the destination address. If the neighbor sends back an acknowledgment on receipt of the NS message it is considered reachable. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ipv6 [dhcpv6|nd]

ipv6 dhcpv6 trust ipv6 nd [header-mismatch-validation|raguard|trust]

Parameters ipv6 dhcpv6 trust ipv6 dhcpv6 trust Enables trust state for DHCPv6 responses on this interface. When enabled, all DHCPv6 responses received on this port are trusted and forwarded. This option is enabled by default. A DHCPv6 server can be connected to a DHCPv6 trusted port. ipv6 nd [header-mismatch-validation|raguard|trust]

ipv6 nd header-mismatch-

validation raguard Configures IPv6 ND settings Enables matching of source MAC address in the ICMPv6 ND and Ethernet headers

(link layer option) to check for mismatch. This option is disabled by default. Allows redirection of router advertisements (RAs) and ICMPv6 packets originating on this interface. When selected, RAs are periodically sent to hosts or sent in response to neighbor solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. This option is enabled by default. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 197 PROFILES trust Example Enables trust state for IPv6 ND requests received on this interface. When enabled, IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to the request with a router advertisement packet containing Internet Layer configuration parameters. This option is disabled by default. rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#ipv6 dhcpv6 trust rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#ipv6 nd header-mismatch-

validation rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#ipv6 nd trust rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#show context interface ge1 switchport mode access switchport access vlan 1 ipv6 nd trust ipv6 nd header-mismatch-validation ipv6 dhcpv6 trust rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#

Related Commands no Removes or reverts IPv6 settings on this interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 198 PROFILES 7.1.36.2.10 lacp interface-config-ge-instance Configures the selected GE ports Link Aggregation Control Protocol (LACP) port-priority value. If LACP is enabled, and the selected port is a member of a link aggregation group (LAG), use this command to configure the ports priority within the LAG. As per the IEEE 802.3ad standard, LACP enables aggregation of multiple physical links to form a single logical channel. Each aggregated group of physical links is a LAG. When enabled, LACP dynamically determines if link aggregation is possible between two peers, and automatically configures the aggregation. LACP also allows the switch to dynamically reconfigure the LAGs. The LAG is enabled only when LACP detects that the remote device is also using LACP and is able to join the LAG. Enabling LACP provides automatic recovery in case one or more of the aggregated physical links fail. NOTE: Use the lacp-channel-group command to configure this port as a LAG member. Supported in the following platforms:

Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax lacp port-priority <1-65535>

Parameters lacp port-priority <1-65535>

lacp port-priority

<1-65535>

Configures the selected GE ports port-priority value. The selected ports actual priority within the LAG is determined by the port-priority value specified here along with the ports number. Higher the value, lower is the priority. Use this option to manipulate a ports priority. For example, in a LAG having five physical ports, four active and one standby, manually increasing the standby ports priority ensures that if one of the active port fails, the standby port is included in the LAG during re-

negotiation.

<1-65535> Specify a value from 1 - 65535. The default value is 32768. Example nx9500-6C8809(config-profile-testnx9000-if-ge1)#lacp port-priority 2 nx9500-6C8809(config-profile-testnx9000-if-ge1)#show context interface ge1 lacp port-priority 2 nx9500-6C8809(config-profile-testnx9000-if-ge1)#

Related Commands no Removes the selected GE ports configured port-priority value Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 199 PROFILES 7.1.36.2.11 lacp-channel-group interface-config-ge-instance Configures the selected GE port as a member of a port channel group (also referred as LAG) As per the IEEE 802.3ad standard, LACP enables the aggregation of multiple physical links (ethernet ports) to form a single logical channel. When enabled, LACP dynamically determines if link aggregation is possible and then automatically configures the aggregation. LACP also allows the switch to dynamically reconfigure the LAGs. The LAG is enabled only when LACP detects that the remote device is also using LACP and is able to join the LAG. NOTE: Successful aggregation of two or more physical links is feasible only if the aggregating physical links are configured identically. To ensure uniformity in configuration across LAG members, implement configuration changes (such as changes in the switching mode, speed, etc.) on the logical port (the port-channel) and not on the physical port. Changes made on the port-channel will cascade down to each member of the LAG thereby retaining uniformity. Supported in the following platforms:

Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax lacp-channel-group <1-4> mode [active|passive]

Parameters lacp-channel-group <1-4> mode [active|passive]

lacp-channel-group <1-

4>

Associates this GE port with an existing port-channel group

<1-4> Specify a value from 1 - 4. Use the interface > port-channel > <1-4> command to configure a port-channel group. For more information, see interface-config-port-channel-instance. mode [active|passive] After configuring the selected port as a LAG member, specify whether the port is an active or passive member within the group. An active member initiates and participates in LACP negotiations. active Configures the port as an active member. When set to active, the port always transmits LACPDU irrespective of the remote devices port mode. passive Configures the port as passive member. When set to passive, the port will only respond to LACPDU received from its corresponding Active port. At least one port within a LAG, on either of the two negotiating peers, should be in the active mode. LACP negotiations are not initiated if all LAG member ports are passive. Further, the peer-to-peer LACP negotiations are always initiated by the peer with the lower system-priority value. For more information on configuring the system-priority, see lacp. Example nx9500-6C8809(config-profile-testnx9000-if-ge1)#lacp-channel-group 2 mode active nx9500-6C8809(config-profile-test2nx9000-if-ge1)#show context interface ge1 lacp-channel-group 2 mode active lacp port-priority 2 nx9500-6C8809(config-profile-test2nx900-if-ge1)#

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 200 To enable dynamic link aggregation on a device (service platform), execute the following steps:

PROFILES 1 Create a port-channel group on the device. Enter the port-channel configuration mode. nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#interface port-channel 1 a Set the switching mode to access or trunk as per requirement. In this example, the mode is set to access. nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-port-channel1)#switchport mode access b Specify the VLAN to switch, commit changes and exit. nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-port-channel1)#switchport access vlan 1 nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-port-channel1)#commit nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-port-channel1)#exit 2 Enable dynamic link aggregation on the devices physical port. Enter the GE ports configuration mode. nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#interface ge 2 a Enable link aggregation and associate the port with the port-channel group created in step 1. nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-ge2)#lacp-channel-group 1 mode active Note, the mode can be set to passive. However, at least one of the aggregated GE ports in the port-channel group should be active in order to initiate link aggregation negotiations with other LACP-enabled peers. b Specify the GE ports priority value. nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-ge2)#lacp port-priority 2 Related Commands no Removes the selected GE ports port-channel group membership Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 201 PROFILES 7.1.36.2.12 lldp interface-config-ge-instance Configures Link Local Discovery Protocol (LLDP) parameters on this Ethernet port Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax lldp [receive|transmit]

Parameters lldp [receive|transmit]

receive transmit Enables LLDP Protocol Data Units (PDUs) snooping. When enabled, the port receives periodic updates from a multicast address informing about presence of neighbors. This option is enabled by default. Enables LLDP PDU transmission. When enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors. This option is enabled by default. Example rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#lldp transmit Related Commands no Disables or reverts interface settings to their default Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 202 PROFILES 7.1.36.2.13 mac-auth interface-config-ge-instance Enables authentication of MAC addresses on the selected wired port. When enabled, this feature authenticates the MAC address of a device, connecting to this interface, with a RADIUS server. When successfully authenticated, packets from the source are processed. Since only one MAC address is supported per wired port, packets from all other sources are dropped. For more information on enabling this feature, see mac-auth. Enable port MAC authentication in conjunction with Wired 802.1x settings to configure a MAC authentication AAA policy. This option is also available in the device configuration mode. Supported in the following platforms:

Access Points AP6522 AP6562, AP7161, AP7502, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mac-auth Parameters None Example rfs4000-229D58(config-profile-testRFS4000-if-ge1)#mac-auth rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context interface ge1 mac-auth ip dhcp trust qos trust dscp qos trust 802.1p channel-group 1 rfs4000-229D58(config-profile-testRFS4000-if-ge1)#

rfs4000-229D58(config-profile-testRFS4000-if-ge5)#mac-auth rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#show context interface ge5 switchport mode access switchport access vlan 1 dot1x authenticator host-mode single-host dot1x authenticator guest-vlan 5 dot1x authenticator port-control auto mac-auth rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#

Related Commands no Disables authentication of MAC addresses on the selected wired port Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 203 PROFILES 7.1.36.2.14 no interface-config-ge-instance Removes or reverts the selected Ethernet port settings Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [captive-portal-enforcement|cdp|channel-group|description|dot1x|duplex|ip|

ipv6|lacp|lacp-channel-group|lldp|mac-auth|power|qos|shutdown|spanning-tree|

speed|switchport|use]

no [captive-portal-enforcement|channel-group|description|duplex|mac-auth|

shutdown|speed]

no [cdp|lldp] [receive|transmit]

no dot1x [authenticator [guest-vlan|host-mode|max-reauth-req|port-control|

reauthentication|timeout [quiet-period|reauth-period]]|supplicant]

no ip [arp [header-mismatch-validation|trust]|dhcp trust]

no ipv6 [dhcpv6 trust|nd [header-mismatch-validation|raguard|trust]]

no [lacp port-priority|lacp-channel-group]

no power {best-effort|limit|priority}

no qos trust [802.1p|cos|dscp]

no spanning-tree [bpdufilter|bpduguard|force-version|guard|link-type|mst|

portfast]

no switchport [access vlan|mode|trunk native tagged]

no use [ip-access-list|ipv6-access-list|mac-access-list] in Parameters no <PARAMETERS>

no <PARAMETERS>

Removes or reverts this Ethernet port settings based on the parameters passed Usage Guidelines The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated. Example rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#no cdp rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#no duplex Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 204 PROFILES 7.1.36.2.15 power interface-config-ge-instance Configures Power over Ethernet (PoE) settings on this interface When configured, this option allows the selected port to use Power over Ethernet. When enabled, the controller supports 802.3af PoE on each of its GE ports. PoE allows users to monitor port power consumption and configure power usage limits and priorities for each GE port. Supported in the following platforms:

Wireless Controllers RFS4000, RFS6000 Syntax power {best-effort|limit <0-40>|priority [critical|high|low]}

Parameters power {best-effort|limit <0-40>|priority [critical|high|low]}

power best-effort limit <0-40>

priority

[critical|high|low]

Configures power related thresholds for this interface Optional. Enables power when the device is not operating from an 802.3at class 4 power source Optional. Configures the PoE power limit from 0 - 40 Watts. The default is 30 Watts. Optional. Configures the PoE power priority on this interface. This is the priority assigned to this port versus the power requirements of the other ports available on the controller. critical Sets PoE priority as critical high Sets PoE priority as high low Sets PoE priority as low. This is the default setting. Example rfs4000-229D58(config-profile-testRFS4000-if-ge1)#power limit 30 rfs4000-229D58(config-profile-testRFS4000-if-ge1)#power priority critical rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context interface ge1 ip dhcp trust qos trust dscp qos trust 802.1p power limit 30 power priority critical rfs4000-229D58(config-profile-testRFS4000-if-ge1)#

Related Commands no Removes PoE settings on this interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 205 PROFILES 7.1.36.2.16 qos interface-config-ge-instance Defines Quality of Service (QoS) settings on this Ethernet port Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax qos trust [802.1p|cos|dscp]

Parameters qos trust [802.1p|cos|dscp]

trust [802.1p|cos|dscp]

Trusts QoS values ingressing on this interface 802.1p Trusts 802.1p COS values ingressing on this interface cos Trusts 802.1p COS values ingressing on this interface. This option is enabled by default. dscp Trusts IP DSCP QOS values ingressing on this interface. This option is enabled by default. Example rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#qos trust dscp rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#qos trust 802.1p rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context interface ge1 description "This is GigabitEthernet interface for Royal King"

duplex full dot1x supplicant username Bob password 0 test@123 ip dhcp trust ip arp header-mismatch-validation qos trust dscp qos trust 802.1p channel-group 1 rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands no Removes QoS settings on the selected interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 206 PROFILES 7.1.36.2.17 shutdown interface-config-ge-instance Shuts down (disables) an interface. The interface is administratively enabled unless explicitly disabled using this command. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax shutdown Parameters None Example rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#shutdown Related Commands no Disables or reverts interface settings to their default Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 207 PROFILES 7.1.36.2.18 spanning-tree interface-config-ge-instance Configures spanning tree parameters Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax spanning-tree [bpdufilter|bpduguard|force-version|guard|link-type|mst|port-cisco-

interoperability|portfast]

spanning-tree [force-version <0-3>|guard root|portfast]

spanning-tree [bpdufilter|bpduguard] [default|disable|enable]

spanning-tree link-type [point-to-point|shared]

spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]

spanning-tree port-cisco-interoperability [disable|enable]

Parameters spanning-tree [force-version <0-3>|guard root|portfast]

force-version <0-3>

guard root portfast Specifies the spanning tree force version. A version identifier of less than 2 enforces the spanning tree protocol. Select one of the following versions:

0 Spanning Tree Protocol (STP) 1 Not supported 2 Rapid Spanning tree Protocol (RSTP) 3 Multiple Spanning Tree Protocol (MSTP). This is the default setting Enables Root Guard for the port The Root Guard disables superior Bridge Protocol Data Unit (BPDU) reception. The Root Guard ensures the enabled port is a designated port. If the Root Guard enabled port receives a superior BPDU, it moves to a discarding state (root-inconsistent STP state). This state is equivalent to a listening state, and data is not forwarded across the port. Therefore, enabling the guard root enforces the root bridge position. Use the no parameter with this command to disable the Root Guard. Enables rapid transitions. Enabling PortFast allows the port to bypass the listening and learning states. spanning-tree [bpdufilter|bpduguard] [default|disable|enable]

bpdufilter

[default|disable|

enable]

Sets a PortFast BPDU filter for the port Use the no parameter with this command to revert the port BPDU filter to its default. The spanning tree protocol sends BPDUs from all ports. Enabling the BPDU filter ensures PortFast enabled ports do not transmit or receive BPDUs. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 208 PROFILES bpduguard

[default|disable|

enable]

Enables BPDU guard on a port Use the no parameter with this command to set BPDU guard to its default. When the BPDU guard is set for a bridge, all PortFast-enabled ports that have the BPDU guard set to default shut down upon receiving a BPDU. If this occurs, the BPDU is not processed. The port can be brought back either manually (using the no shutdown command), or by configuring the errdisable-timeout to enable the port after a specified interval. link-type

[point-to-point|shared]

spanning-tree link-type [point-to-point|shared]

Enables point-to-point or shared link types point-to-point Enables rapid transition. This option indicates the port should be treated as connected to a point-to-point link. A port connected to a controller is a point-to-point link. shared Disables rapid transition. This option indicates this port should be treated as having a shared connection. A port connected to a hub is on a shared link, spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]

mst <0-15>

cost <1-200000000>

port-priority <0-240>

Configures MST on a spanning tree Defines path cost for a port from 1 - 200000000. The default path cost depends on the speed of the port. The cost helps determine the role of the port in the MSTP network. The designated cost is the cost for a packet to travel from this port to the root in the MSTP configuration. The slower the media, the higher the cost. Defines port priority for a bridge from 1 - 240. Lower the priority greater is the likelihood of the port becoming a designated port. Applying a higher value impacts the port's likelihood of becoming a designated port. spanning-tree port-cisco-interoperability [disable|enable]

port-cisco-

interoperability enable disable Enables interoperability with Cisco's version of MSTP (which is incompatible with standard MSTP) Enables CISCO Interoperability Disables CISCO Interoperability. The default is disabled. Example rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree bpdufilter disable rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree bpduguard enable rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree force-version 1 rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree guard root rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree mst 2 port-

priority 10 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 209 PROFILES rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context interface ge1 description "This is GigabitEthernet interface for Royal King"

duplex full spanning-tree bpduguard enable spanning-tree bpdufilter disable spanning-tree force-version 1 spanning-tree guard root spanning-tree mst 2 port-priority 10

--More--

rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands no Removes spanning tree settings configured on this interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 210 PROFILES 7.1.36.2.19 speed interface-config-ge-instance Specifies the speed of a FastEthernet (10/100) or GigabitEthernet (10/100/1000) port. This is the speed at which the port can receive and transmit the data. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax speed [10|100|1000|auto]

Parameters speed [10|100|1000|auto]

10 100 1000 auto Usage Guidelines Forces 10 Mbps operation Forces 100 Mbps operation Forces 1000 Mbps operation Port automatically detects its operational speed based on the port at the other end of the link. Select this option to enable the port to automatically exchange information about data transmission speed and duplex capabilities. Auto negotiation is helpful when in an environment where different devices are connected and disconnected on a regular basis. Set the interface speed to auto detect and use the fastest speed available. Speed detection is based on connected network hardware. Example rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#speed 10 rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context interface ge1 description "This is GigabitEthernet interface for Royal King"

speed 10 duplex full spanning-tree bpduguard enable spanning-tree bpdufilter disable spanning-tree force-version 1 spanning-tree guard root spanning-tree mst 2 port-priority 10 dot1x supplicant username Bob password 0 test@123 ip dhcp trust ip arp header-mismatch-validation qos trust dscp qos trust 802.1p channel-group 1 rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands no Resets speed to default (auto) Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 211 PROFILES 7.1.36.2.20 switchport interface-config-ge-instance Sets switching mode characteristics for the selected interface Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax switchport [access|mode|trunk]

switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]

switchport mode [access|trunk]

switchport trunk [allowed|native]

switchport trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]

switchport trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]

Parameters switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]

access vlan

[<1-4094>|

<VLAN-ALIAS-

NAME>]

Sets the VLAN when interface is in the access mode. You can either directly specify the native VLAN ID or use a VLAN alias to identify the native VLAN.

<1-4094> Specify the SVI VLAN ID from 1 - 4094.

<VLAN-ALIAS-NAME> Specify the VLAN alias name (should be existing and configured). An Ethernet port in the access mode accepts packets only from the native VLAN. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected as untagged and are mapped to the native VLAN. switchport mode [access|trunk]

mode [access|trunk]

Sets the interfaces switching mode to access or trunk (can only be used on physical

- layer 2 - interfaces) access If access mode is selected, the access VLAN is automatically set to VLAN1. In this mode, only untagged packets in the access VLAN (vlan1) are accepted on this port. All tagged packets are discarded. trunk If trunk mode is selected, tagged VLAN packets are accepted. The native VLAN is automatically set to VLAN1. Untagged packets are placed in the native VLAN by the wireless controller or service platform. Outgoing packets in the native VLAN are sent untagged. The default mode for both ports is trunk. switchport trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]

Sets trunking mode, allowed VLANs characteristics of the port. Use this option to add VLANs that exclusively send packets over the listed port. trunk allowed Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 212 PROFILES vlan

[<VLAN-ID>|

add <VLAN-ID>|

none|

remove <VLAN-ID>

Sets allowed VLAN options. The options are:

<VLAN-ID> Allows a group of VLAN IDs. Specify the VLAN IDs, can be either a range (55-60) or a comma-separated list (35, 41, etc.) none Allows no VLANs to transmit or receive through the layer 2 interface add <VLAN-ID> Adds VLANs to the current list

<VLAN-ID> Specify the VLAN IDs. Can be either a range of VLAN (55-60) or a list of comma separated IDs (35, 41, etc.) remove <VLAN-ID> Removes VLANs from the current list

<VLAN-ID> Specify the VLAN IDs. Can be either a range of VLAN (55-60) or a list of comma separated IDs (35, 41, etc.) Allowed VLANs are configured only when the switching mode is set to trunk. switchport trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]

trunk native

[tagged|

vlan [<1-4094>|

<VLAN-ALIAS-

NAME>]]

Sets trunking mode characteristics of the switchport Configures the native VLAN ID for the trunk-mode port The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q frame is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode. tagged Tags the native VLAN. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header enabling upstream Ethernet devices to know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. A native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q frame is included in the frame. vlan [<1-4094>|<VLAN-ALIAS-NAME>] Sets the native VLAN for classifying untagged traffic when the interface is in trunking mode.

<1-4094> Specify a value from 1 - 4094.

<VLAN-ALIAS-NAME> Specify the VLAN alias name used to identify the VLANs. The VLAN alias should be existing and configured. Usage Guidelines Interfaces ge1 - ge4 can be configured as trunk or in access mode. An interface configured as trunk allows packets (from the given list of VLANs) to be added to the trunk. An interface configured as access allows packets only from native VLANs. Use the [no] switchport (access|mode|trunk) to undo switchport configurations. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 213 PROFILES Example rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#switchport trunk native tagged rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#switchport access vlan 1 rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context interface ge1 description "This is GigabitEthernet interface for Royal King"

speed 10 duplex full switchport mode access switchport access vlan 1 spanning-tree bpduguard enable spanning-tree bpdufilter disable

--More--

rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands no Disables or reverts interface settings to their default Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 214 PROFILES 7.1.36.2.21 use interface-config-ge-instance Specifies the IP (IPv4 and IPv6) access list and MAC access list used with this Ethernet port. The associated ACL firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax use [ip-access-list in <IPv4-ACCESS-LIST-NAME>|ipv6-access-list <IPv6-ACCESS-

LIST-NAME>|mac-access-list in <MAC-ACCESS-LIST-NAME>]

Parameters use [ip-access-list in <IPv4-ACCESS-LIST-NAME>|ipv6-access-list <IPv6-ACCESS-

LIST-NAME>|mac-access-list in <MAC-ACCESS-LIST-NAME>]

ip-access-list in

<IPv4-ACCESS-LIST-

NAME>

ipv6-access-list in

<IPv6-ACCESS-LIST-

NAME>

mac-access-list in

<MAC-ACCESS-LIST-

NAME>

Associates an IPv4 access list with this Ethernet port. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or duplicate delivery (unlike (TCP). IPv4 hosts can use link local addressing to provide local connectivity. in Applies the IPv4 ACL on incoming packets

<IPv4-ACCESS-LIST-NAME> Specify the IPv4 access list name (it should be an existing and configured). Associates an IPv6 access list with this Ethernet port. IPv6 is the latest revision of the IP designed to replace IPv4. IPV6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. in Applies the IPv6 ACL on incoming packets

<IPv6-ACCESS-LIST-NAME> Specify the IPv6 access list name (it should be an existing and configured). Associates a MAC access list with this Ethernet port. MAC ACLs filter/mark packets based on the MAC address from which they arrive, as opposed to filtering packets on layer 2 ports. in Applies the MAC ACL on incoming packets

<MAC-ACCESS-LIST-NAME> Specify the MAC access list name (it should be an existing and configured). Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 215 PROFILES Example rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#use mac-access-list in test rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#use ip-access-list in test rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context interface ge1 description "This is GigabitEthernet interface for Royal King"

speed 10 duplex full switchport mode accessi switchport access vlan 1 use ip-access-list in test use mac-access-list in test spanning-tree bpduguard enable spanning-tree bpdufilter disable spanning-tree force-version 1

--More--

rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands no Disassociates the IP access list or MAC access list from the interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 216 PROFILES 7.1.36.3 interface-config-vlan-instance interface Use the config-profile-<DEVICE-PROFILE-NAME> mode to configure Ethernet, VLAN and tunnel settings. To switch to this mode, use the following commands:

<DEVICE>(config-profile-default-<DEVICE-TYPE>)#interface [<INTERFACE-NAME>|fe <1-

4>|ge <1-24>|me1|port-channel <1-4>|pppoe1|radio [1|2|3]|up1|vlan <1-4094>|wwan1|

xge <1-24>]

The following example uses the config-profile-default-rfs7000 instance to configure a VLAN interface:

rfs6000-37FABE(config-profile-default-rfs6000)#interface vlan 8 rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#?

SVI configuration commands:

crypto Encryption module description Vlan description dhcp Dynamic Host Configuration Protocol (DHCP) dhcp-relay-incoming Allow on-board DHCP server to respond to relayed DHCP packets on this interface ip Interface Internet Protocol config commands ipv6 Internet Protocol version 6 (IPv6) no Negate a command or set its defaults shutdown Shutdown the selected interface use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

The following table summarizes interface VLAN configuration commands:

Commands crypto description dhcp dhcp-relay-

incoming ip ipv6 no shutdown use Description Defines the encryption module used with this VLAN interface Defines the VLAN interface description Enables inclusion of optional fields (client identifier) in DHCP client requests Allows an onboard DHCP server to respond to relayed DHCP packets on this interface Configures the VLAN interfaces IP settings Configures the VLAN interfaces IPv6 settings Removes or reverts this VLAN interfaces settings to default Shuts down this VLAN interface Associates an IP (IPv4 and IPv6) access list, bonjour-gw-discovery policy, and an IPv6-route-advertisement policy with this VLAN interface Reference page 7-218 page 7-219 page 7-220 page 7-221 page 7-222 page 7-225 page 7-230 page 7-232 page 7-233 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 217 PROFILES 7.1.36.3.1 crypto interface-config-vlan-instance Associates an existing and configured VPN crypto map with this VLAN interface. Crypto map entries are sets of configuration parameters for encrypting packets that pass through the VPN tunnel. For more information on crypto maps, see crypto-map-config-commands. Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax crypto map <CRYPTO-MAP-NAME>

Parameters crypto map <CRYPTO-MAP-NAME>

map

<CRYPTO-MAP-NAME>

Attaches a crypto map to the selected VLAN interface. The crypto map should be existing and configured.

<CRYPTO-MAP-NAME> Specify the crypto map name. Example rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#crypto map map1 rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context interface vlan8 crypto map map1 rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

Related Commands no Disables or reverts interface VLAN settings to their default Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 218